Codex Auth
v1.0.6DEPRECATED shim skill for /codex_auth. Use codex-profiler instead; codex-auth is no longer the maintained path.
⭐ 0· 307·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (codex-auth shim) aligns with the included script and SKILL.md: it starts/finishes an OpenAI Codex OAuth flow, exchanges tokens with auth.openai.com, and writes auth profiles. The subprocess calls to 'openclaw gateway stop/start' and updates to ~/.openclaw/openclaw.json and auth-profiles.json are coherent with applying a new auth profile.
Instruction Scope
SKILL.md instructs running the included script to start/finish flows and to queue safe apply. The script reads/writes files under the user's home (~/.openclaw/...) and /tmp, stores pending state, exchanges tokens over the OpenAI OAuth token endpoint, decodes JWTs, and constructs revert commands. These actions are within the stated scope but are privileged (modify agent config and auth files, and restart the gateway). SKILL.md's safety guidance about not echoing callback URLs is respected in intent, but you should verify the script's actual output if you care about secrets not being logged or echoed.
Install Mechanism
No install spec — instruction-only with a bundled script. Nothing is downloaded or installed automatically by the skill, which reduces external install risk. The code will run locally when you execute the script.
Credentials
The skill does not request environment variables or external credentials beyond performing an OAuth flow with hardcoded CLIENT_ID and standard OpenAI auth endpoints. It writes tokens into local auth-profiles.json as expected for an auth helper. No unrelated secrets or service credentials are requested.
Persistence & Privilege
The skill does not force permanent inclusion (always:false). However, the script performs persistent, privileged actions: it writes to ~/.openclaw/openclaw.json and ~/.openclaw/.../auth-profiles.json, creates backups, and executes local commands to stop/start the gateway. Because the skill can be invoked autonomously by the model (default), consider whether you want an agent to be able to run these operations without manual approval.
Assessment
This skill appears to do what it says: run a Codex OAuth flow, store the resulting tokens in your OpenClaw auth profiles, and (optionally) stop/start the local gateway to apply changes. Before running it:
- Prefer the maintained alternative: the SKILL.md itself says use 'codex-profiler' instead; prefer that if available.
- Inspect the included scripts/codex_auth.py yourself (it is bundled) to confirm there are no unexpected network endpoints or logging of tokens. The file is present so you can audit it prior to execution.
- Be aware the script will write tokens to ~/.openclaw/.../auth-profiles.json and may modify ~/.openclaw/openclaw.json; it also runs 'openclaw gateway stop/start'. Make backups or test in an environment where restarting the gateway is safe.
- Because the agent can invoke skills autonomously by default, consider disabling autonomous invocation for this skill (or require manual invocation) if you do not want the agent to modify config or restart services without explicit consent.
- Only use the flow with the documented OpenAI auth endpoints (auth.openai.com). If you see the script or SKILL.md referencing other hosts, do not proceed.
- If you have low trust in the skill owner or source provenance, do not run it on production machines.Like a lobster shell, security has layers — review code before you run it.
latestvk970qmk67ftgp7eq2ptvzvy43n82pbhb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.