Codex Auth

Security checks across malware telemetry and agentic risk

Overview

This deprecated Codex auth helper is mostly disclosed and purpose-aligned, but it deserves Review because its queued apply mode writes OAuth tokens to predictable /tmp files and restarts the local gateway in the background.

Prefer the maintained codex-profiler path. Install or run this only if you specifically need the deprecated codex-auth flow, avoid shared machines, paste callback URLs only into the intended finish command, and avoid --queue-apply unless you accept both a temporary gateway restart and the token exposure risk from /tmp storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill advertises substantial capabilities including file reads/writes, network access, and shell invocation, but does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: operators and automated controls may under-scope the risk and allow execution without appropriate review, especially since the skill handles sensitive OAuth callback data and profile files.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill is described as a deprecated shim, which downplays its real behavior even though it still performs sensitive OAuth flows, token exchange, local credential storage, config mutation, and service restart orchestration. This mismatch is dangerous because reviewers or users may treat it as inert or low-risk while it continues to exercise privileged operations over authentication state and local system behavior.

Description-Behavior Mismatch

Medium
Confidence: 82%
Finding:
The skill is described as a deprecated auth shim, but the implementation stops/starts the gateway and edits persistent auth/config files. That mismatch can mislead users or higher-level orchestration into granting the skill more trust than warranted, increasing the chance of disruptive or unauthorized state changes.

Context-Inappropriate Capability

High
Confidence: 90%
Finding:
This deprecated shim contains service-control capability that can stop and restart the OpenClaw gateway, which is materially more powerful than a simple auth helper. In skill context, hidden service-control behavior is more dangerous because it can interrupt running workloads and alter system state under the guise of authentication.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The queue_apply path schedules background file writes and a gateway restart after the user supplies a callback URL, but the initiating flow does not prominently warn up front that disruptive actions will happen asynchronously. This is dangerous because users may believe they are only completing login while the script later performs privileged changes and service interruption out of band.

VirusTotal

63/63 vendors flagged this skill as clean.
