Skillv0.2.6

ClawScan security

Codex Imagen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 23, 2026, 1:32 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to do what it claims (generate images using local Codex/OpenClaw OAuth), but it accesses and can modify highly sensitive local OAuth stores and exposes options (base/refresh URLs) that could be abused — review before installing.
Guidance: This helper legitimately needs access to local Codex/OpenClaw OAuth profiles to call the Responses image_generation endpoint and to refresh tokens. Before installing: 1) Review the scripts (they are included) yourself or a trusted reviewer to confirm they only call the expected endpoints; 2) Only run it with a dedicated OAuth profile (not your primary account) if possible; 3) Be cautious because the CLI will read and write auth files (it can refresh tokens) — back up important auth files first; 4) Avoid passing or allowing untrusted agents to set --base-url or --refresh-url (these default to chatgpt.com and auth.openai.com but can be overridden), as that could redirect tokens to arbitrary endpoints; 5) Prefer running the tool in an isolated environment or container if you don't fully trust the skill owner; 6) Verify the skill's provenance (repository/homepage/owner) — registry metadata shows no homepage/source URL, so confirm the upstream source before trusting. If you want, I can point out the exact code paths that read/write auth files and where the refresh and network calls occur.
Findings: [pre-scan-injection-signals] expected: No pre-scan injection signals were detected. The code legitimately makes HTTP calls and reads/writes local auth files for its stated purpose.

Review Dimensions

Purpose & Capability: okThe name/description (image generation via Codex/ChatGPT Responses using local OAuth) matches the code and SKILL.md: the CLI reads local OAuth profiles and calls the Codex Responses image_generation endpoint. Requiring node and having helper scripts is proportionate.
Instruction Scope: noteThe runtime instructions and CLI intentionally enumerate many local auth file locations (OpenClaw/Codex paths), read those files, perform OAuth refreshes, and save generated images to disk. All of these actions are within scope for a tool that uses local OAuth to call the Responses backend, but the instructions/CLI also allow reading/writing multiple agent-wide auth stores (e.g., ~/.openclaw/agents/.../auth-profiles.json), which is broad and sensitive.
Install Mechanism: okThere is no network install; the package is instruction + included Node scripts. No arbitrary remote downloads or extract operations are present in the manifest. This is lower-risk from an install perspective.
Credentials: concernAlthough no required env vars are declared, the CLI reads many env vars/path candidates and will read and write local OAuth credentials across many locations and can perform token refreshes. It also accepts overridable --base-url and --refresh-url flags (and env overrides), which could be used to send tokens to arbitrary endpoints if an attacker can control arguments or environment. Access/modification of user OAuth tokens is high privilege and should be justified and limited.
Persistence & Privilege: notealways:false (good). The tool will modify auth stores (refresh tokens written back) and uses cross-process locking when touching OpenClaw auth files. Writing/updating OAuth credentials is normal for a refresh-capable helper, but it is a significant privilege; ensure you trust the skill and its author before allowing it to run with access to shared auth stores.