Codex All-in-One for ArkClaw

Warn

Audited by ClawScan on May 16, 2026.

Overview

The skill’s purpose is coherent, but it needs review because it stores API keys in shell startup files and runs Codex through shell commands that can be unsafe with untrusted prompt text.

Install only if you expect this skill to install npm/pip packages, save model-provider API keys locally, modify ~/.codex and ~/.bashrc, and run a background local relay. Use restricted or disposable API keys if possible, avoid pasting untrusted text into Codex prompts until shell-safe prompt passing is fixed, and review how to remove the ~/.bashrc auto-recovery block and stored keys.

Publisher note

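This skill requires the following network/system capabilities:

1. pip install --user codex-relay: installs the local protocol relay service (Python package)
2. npm install -g @openai/codex-cli: installs the Codex CLI (if not already installed)
3. Outbound connections to the official API endpoints of model services such as Volcengine Ark / Moonshot / DeepSeek
4. Starts local relay processes on ports 4446-4449 of 127.0.0.1 (local machine only, no external listening)
5. Writes to ~/.bashrc and the ~/.codex/ directory (key persistence and profile management)

All keys are stored only in the user's home directory and are not uploaded to any external service.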

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A copied or malicious prompt could cause unintended local shell commands to run, or Codex could operate over a broader home-directory scope than the user expected.

Why it was flagged

The skill tells the agent to interpolate the full user request into a shell command. Prompt text containing quotes, backticks, or $() could be interpreted by the shell before Codex receives it, and the command also runs from the home directory with a trust check skipped.

Skill content
cd ~ && codex exec --skip-git-repo-check "用户的完整需求原文"
Recommendation

Pass prompts to Codex without shell interpolation, such as via a safely escaped argument array, stdin, or a temporary file, and run Codex in an explicit project directory with clear user confirmation for broad file changes.

What this means

A specially crafted key value or tampered ~/.bashrc entry could run local commands in the user’s environment.

Why it was flagged

The relay helper evaluates a line read from ~/.bashrc as shell code. Because setup scripts write user-provided keys into export lines, a malformed key or modified startup file could execute commands when the relay starts.

Skill content
key_line="$(grep "^export ${key_name}=" "$HOME/.bashrc" 2>/dev/null | tail -1 || true)"
[ -n "$key_line" ] && eval "$key_line"
Recommendation

Avoid eval for loading credentials; parse the variable value safely, validate or escape key material, and store secrets in a credential store or a chmod 600 data file rather than executable shell code.

What this means

Other local commands, scripts, or anyone with access to the user’s home files could read provider keys and potentially use billable model accounts.

Why it was flagged

The skill persists provider API keys in ~/.bashrc. This is related to the stated Codex-provider setup purpose, but it stores sensitive account credentials as plaintext shell startup content while the registry metadata declares no env vars or primary credential.

Skill content
echo "export $ENV_KEY_NAME=\"$KEY\"" >> "$HOME/.bashrc"
Recommendation

Declare the required credentials, prefer OpenClaw’s credential mechanism or a restricted-permission secrets file, and provide clear instructions for rotating/removing keys.

What this means

A local relay may continue to be started in future shell sessions until the ~/.bashrc block is removed.

Why it was flagged

The setup writes an auto-recovery block to ~/.bashrc that can start codex-relay as a background process. This is disclosed and scoped to the Codex relay purpose, but it is persistent behavior users should notice.

Skill content
nohup codex-relay --port $__codex_port --upstream "$__codex_upstream" \
        > "$HOME/.codex-relay-${__codex_profile}.log" 2>&1 &
Recommendation

Tell users exactly how to disable the auto-recovery block, stop relay processes, and remove ~/.codex relay/profile files.

What this means

Future package changes or registry compromise could affect what code is installed.

Why it was flagged

The skill installs the latest Codex CLI from npm; another helper similarly installs codex-relay from pip. These installs are central to the skill purpose, but they are unpinned and depend on external package registries.

Skill content
npm install -g @openai/codex@latest
Recommendation

Pin known-good package versions or hashes where possible, document package provenance, and let users approve package installation or upgrades.