Codex Auth

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its stated Codex OAuth purpose, but it handles OpenAI auth tokens, stores pending OAuth state in /tmp, and modifies and restarts OpenClaw auth components, so review it carefully before use.

Use this only if you specifically need the deprecated Codex auth shim. Prefer the maintained codex-profiler replacement, do not paste or share full callback URLs except into the intended finish command, and verify file permissions around /tmp/openclaw and ~/.openclaw before running it on a shared machine.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or running this skill can change which OpenAI Codex account/profile the local OpenClaw agent uses.

Why it was flagged

The script stores OpenAI Codex OAuth access and refresh tokens in the local auth profile. This is expected for an auth skill, but it is sensitive account access material.

Skill content
"access": credentials["access"],
"refresh": credentials["refresh"],
"expires": credentials["expires"],
Recommendation

Run it only for intended profiles, avoid sharing callback URLs, and prefer the maintained replacement if available.

What this means

On shared or less-trusted systems, pending OAuth flow material may be more exposed than users expect.

Why it was flagged

The pending OAuth verifier and state values are written to a path under the shared /tmp directory. The save code shown uses ordinary file creation, with no restrictive permissions and no cleanup or expiry of the record.

Skill content
PENDING_PATH = "/tmp/openclaw/codex-auth-pending.json"
...
pending[profile_id] = {
    "verifier": verifier,
    "state": state,
Recommendation

Store pending OAuth state in a user-private directory with restrictive permissions, remove it after completion, and avoid running this on shared machines unless permissions are verified.
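One way to implement the recommendation above (example code added for this review, not the skill's own script): pending verifier/state is kept in an owner-only file under a hypothetical user-private directory rather than /tmp/openclaw, is refused if it is older than a short TTL or readable by other users, and is deleted as soon as the callback consumes it. It assumes a POSIX system (file modes, os.getuid) and the directory name ~/.openclaw/pending-oauth is an assumption, not a path from the skill.

```python
import json
import os
import stat
import time
from pathlib import Path

# Hypothetical user-private location (assumption); the reviewed skill uses /tmp/openclaw instead.
DEFAULT_PENDING_DIR = Path.home() / ".openclaw" / "pending-oauth"
PENDING_TTL_SECONDS = 10 * 60  # an interactive OAuth authorization should finish within minutes


def _pending_dir(base_dir=None) -> Path:
    """Create (or verify) the private state directory with mode 0700."""
    d = Path(base_dir) if base_dir else DEFAULT_PENDING_DIR
    d.mkdir(parents=True, exist_ok=True, mode=0o700)
    os.chmod(d, 0o700)  # mkdir's mode is filtered by umask, so force it
    return d


def save_pending(profile_id: str, verifier: str, state: str, base_dir=None) -> Path:
    """Write the pending verifier and state for one profile to an owner-only file.

    O_CREAT|O_EXCL refuses to open through a pre-existing file or symlink at the
    path, and mode 0600 keeps other local users from reading the material.
    """
    path = _pending_dir(base_dir) / f"{profile_id}.json"
    # Drop any stale record (or dangling symlink) first so O_EXCL does not fail on a retried flow.
    if path.is_symlink() or path.exists():
        path.unlink()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"verifier": verifier, "state": state, "created_at": time.time()}, fh)
    return path


def load_pending(profile_id: str, base_dir=None, now=None):
    """Return the pending record, or None if it is missing, expired, or unsafe.

    Expired, foreign-owned, or group/world-readable records are deleted rather than used.
    """
    path = _pending_dir(base_dir) / f"{profile_id}.json"
    if path.is_symlink() or not path.is_file():
        return None
    st = path.stat()
    if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) & 0o077:
        path.unlink()  # someone else owns it, or it is readable by others
        return None
    record = json.loads(path.read_text())
    now = time.time() if now is None else now
    if now - record.get("created_at", 0) > PENDING_TTL_SECONDS:
        path.unlink()
        return None
    return record


def finish_pending(profile_id: str, returned_state: str, base_dir=None):
    """Consume the record on callback: delete it, check state, return the verifier.

    The file is removed whether or not the state matches, so a record can be
    tried exactly once; a mismatch yields None.
    """
    record = load_pending(profile_id, base_dir)
    if record is None:
        return None
    path = _pending_dir(base_dir) / f"{profile_id}.json"
    try:
        path.unlink()
    except FileNotFoundError:
        pass
    if record["state"] != returned_state:
        return None
    return record["verifier"]
```

The base_dir parameter exists so the behaviour can be exercised against a scratch directory; in real use the default private directory is enough. Checking ownership and mode on read, not only on write, matters because a record that was later chmod'ed or replaced by another local user should never be trusted to complete an auth flow.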

What this means

Using queued apply may temporarily interrupt the local gateway and modify active auth/config state.

Why it was flagged

The optional apply path can stop and start the OpenClaw gateway. This is disclosed and purpose-aligned, but it affects local service state.

Skill content
stop = run_cmd(["openclaw", "gateway", "stop"])
...
start = run_cmd(["openclaw", "gateway", "start"])
Recommendation

Use queued apply only when ready for a gateway restart, and keep the generated backups/revert command available.

What this means

Users have less external provenance to rely on when deciding whether to trust this auth-handling skill.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which reduces provenance clarity for a skill that handles auth credentials.

Skill content
Source: unknown
Homepage: none
Recommendation

Prefer the maintained codex-profiler path mentioned by the skill, or independently inspect the included script before using it.