OpenAI Codex Operator
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: openai-codex-operator
Version: 1.0.1
The skill bundle is classified as suspicious due to a clear shell injection vulnerability pattern. The `scripts/run-codex-example.sh` file directly uses unsanitized user input (`$TASK`) in a shell command (`codex exec "$TASK"`), which is a critical remote code execution risk. Furthermore, the `SKILL.md` instructions for the OpenClaw agent describe constructing commands like `exec.command: "codex exec \"<task>\""`. If the agent naively inserts user-provided task descriptions into this template without proper escaping, it would also lead to shell injection. While there is no evidence of malicious intent (e.g., data exfiltration, backdoors), these are significant vulnerabilities that allow for arbitrary command execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong repository path or task is supplied, Codex could operate on the wrong project files.
The skill directs OpenClaw to use the exec tool to launch Codex. This is central to the skill's purpose and scoped by workdir, but it is still a powerful local tool invocation.
Always run Codex through OpenClaw `exec` with `pty:true`.
Invoke it only for the intended repository, set an exact workdir, and review Codex logs and diffs before relying on changes.
Codex may run project commands such as tests or scripts and may change files in the selected repository.
The referenced behavior includes local code execution and file mutation. This is expected for a coding-agent operator, but it affects the user's local environment.
Codex CLI runs locally in terminal and can read/change/run code in selected directory.
Use version control or backups, run it in the intended project, and review changes before committing or deploying.
A Codex task may continue running after the initial command until it finishes or is stopped.
The skill supports long-running background Codex sessions. This is disclosed and includes tracking, so it is not hidden persistence, but users should notice it.
For long tasks, use `background:true` and track via `process`.
Keep the returned session ID, poll logs, and stop the process if it is no longer needed.
Codex activity may use the user's OpenAI account or API key, including any account permissions, usage limits, or billing implications.
The skill relies on OpenAI/Codex account authentication. That is expected for this integration, and the artifacts do not show credential logging or hardcoded secrets.
First run requires sign-in (ChatGPT account or API key).
Use the intended OpenAI account or API key, avoid exposing secrets in prompts or logs, and rotate credentials if they are accidentally disclosed.
The installed Codex CLI version and its updates are controlled outside this skill package.
The documentation points users to a global npm install for Codex, without a pinned version in this skill package. This is a normal setup path for the CLI but leaves package provenance/version management to the user.
Install command: `npm i -g @openai/codex`
Install Codex from the official source, verify `codex --version`, and consider pinning or managing the package version in controlled environments.
