Codex Image Server
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: codex-image-server Version: 0.1.0 The skill bundle contains a significant path traversal vulnerability in the `templates/codex-image-server.js` file, specifically within the `/v1/images/:id/file` route. The `id` parameter is extracted from the URL and used in a `path.join` operation without sanitization, potentially allowing an attacker to read arbitrary files from the host system. Additionally, the server template executes local system commands via `child_process.spawn` to interact with the `codex` CLI and manages sensitive credentials like `OPENAI_API_KEY`. While these high-privilege capabilities are aligned with the skill's stated purpose of wrapping a local image generation tool, the lack of input validation on file paths constitutes a meaningful security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A web page or local app may be able to trigger image generation through the local server, potentially using the user's Codex/OpenAI access or quota.
The server template allows cross-origin browser access. Combined with the documented default of optional authentication, this broadens who can call the local image-generation API.
'Access-Control-Allow-Origin': '*'
Enable authentication by default, restrict CORS origins to trusted local clients, and require explicit user approval before exposing generation endpoints.
The server may use the user's OpenAI account and billing unexpectedly, and prompts or reference images may be processed through that provider path.
The template reads a local OpenAI API key and automatically switches to an OpenAI backend when a key is present, despite the registry metadata declaring no credentials.
function getOpenAiApiKey() {
return process.env.CODEX_IMAGE_SERVER_OPENAI_API_KEY || process.env.OPENAI_API_KEY || ''
}
...
return getOpenAiApiKey() ? 'openai' : 'codex-exec'Declare the credential requirement, avoid auto-selecting the provider backend from ambient OPENAI_API_KEY, and require an explicit backend choice before using account credentials.
Running the server can start and terminate local Codex worker processes.
The design intentionally starts local `codex exec` worker processes and manages their process groups. This is expected for a wrapper service but is still local code/process execution.
On macOS and Linux, start `codex exec` with `detached: true` and kill the negative process id so child processes do not remain alive.
Run it only from a trusted project directory and verify cancellation/cleanup so no worker processes are left running.
Generated images may remain on disk and be available through the local server while it is running.
The skill intentionally creates a local service with persistent output files. This is coherent with the image-server purpose, but users should notice the ongoing service and stored outputs.
Store generated files in a stable output directory and return both metadata and file URLs.
Choose a private output directory, periodically clean generated files, and stop the server when it is no longer needed.