Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Codex Usage

v1.0.19

Manual Telegram slash-style command for Codex profile status and usage checks. Use when the user sends /codex_usage, /codex_usage default, /codex_usage all,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is described as a simple Telegram-style command wrapper, but its runtime instructions require running a Python script at skills/codex-profiler/scripts/codex_usage.py and following ../codex-profiler/SKILL.md. The package itself contains no code files and declares no required binaries, so what the skill declares does not match what its instructions actually ask the agent to do.
Instruction Scope
SKILL.md tells the agent to execute an external script and follow another skill's SKILL.md. That directs the agent to read and run files that are outside this skill's bundle; it is vague about what that script does (likely contacting APIs, reading configs, or using credentials). The instructions therefore extend beyond this skill's own scope and grant the agent broad discretion to access local files and run code.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general, but the runtime command explicitly invokes python3 on a relative script path. Since that script is neither bundled nor fetched by an install step, the instruction will either fail or run whatever file happens to exist at that path at the time the agent executes it: an implicit dependency that anyone able to write to that location controls.
Credentials
The skill declares no required environment variables or credentials, yet its purpose (checking Codex/OpenAI profile usage) strongly suggests the invoked script would need API keys or other secrets. The SKILL.md does not document required env vars, creating a mismatch and risk of unexpected credential use or attempts to read secrets from the environment.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. There is no evidence it attempts to modify other skills' configuration or to persist credentials itself.
What to consider before installing
This skill is a thin wrapper that tells the agent to run a Python script located in another skill directory, but the wrapper package contains no code or install steps and declares no required binaries or API keys. Before installing or enabling it, ask the publisher for the referenced codex-profiler code and verify what that script does. Ensure python3 is the intended runtime, confirm any required environment variables (API keys) and inspect the script for network access or filesystem reads. If you cannot review the external script, avoid enabling the skill because it could execute arbitrary local code or access secrets unexpectedly.
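The checks above (does the referenced path leave the bundle, is the target actually present, and does the target read the environment, open files or talk to the network) can be automated before anything is enabled. The script below is an added example written for this page; it is not ClawHub's scanner and not the codex-usage skill's own code. It assumes a bundle is a directory holding a SKILL.md, that commands the agent is told to run appear in backticks, and that "follow …/SKILL.md" references other bundles. The sibling codex-profiler script it builds is a constructed stand-in whose behaviour is assumed for the demonstration, not the real file.

```python
"""Pre-install audit for an instruction-only agent skill bundle.

Added example, not ClawHub's scanner and not the codex-usage skill's own code.
Assumptions: a bundle is a directory holding SKILL.md; commands the agent must
run appear in backticks; the codex-profiler script created below is a
constructed stand-in, not the real one.
"""
import ast
import re
import tempfile
from pathlib import Path

# Commands inside backticks, and "follow <...>/SKILL.md" style references.
CMD_RE = re.compile(r"`([^`]+)`")
EXEC_RE = re.compile(r"\b(python3?|bash|sh|node)\s+(\S+)")
FOLLOW_RE = re.compile(r"\bfollow(?:ing)?\s+(\S+SKILL\.md)", re.I)
NET_MODULES = {"requests", "urllib", "http", "socket", "httpx"}


def referenced_paths(skill_md):
    """(kind, relative path) pairs the instructions tell the agent to run or follow."""
    refs = []
    for cmd in CMD_RE.findall(skill_md):
        m = EXEC_RE.search(cmd)
        if m:
            refs.append(("exec", m.group(2)))
    refs.extend(("follow", p) for p in FOLLOW_RE.findall(skill_md))
    return refs


def escapes_bundle(skill_dir, rel):
    """True when rel resolves to a path outside the skill's own directory."""
    base = skill_dir.resolve()
    target = (skill_dir / rel).resolve()
    return target != base and base not in target.parents


def python_risk_markers(source):
    """Static scan (the script is parsed, never executed) for env reads,
    network imports and file opens."""
    markers = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            roots = [a.name.split(".")[0] for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        else:
            roots = []
        if any(r in NET_MODULES for r in roots):
            markers.add("network")
        if isinstance(node, ast.Attribute) and node.attr == "environ":
            markers.add("env")  # os.environ[...] and os.environ.get(...)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "getenv":
            markers.add("env")
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "open":
            markers.add("file")
    return markers


def audit_skill(skill_dir):
    """Findings for one bundle: out-of-bundle references, missing targets, undeclared access."""
    findings = []
    text = (skill_dir / "SKILL.md").read_text()
    for kind, rel in referenced_paths(text):
        target = skill_dir / rel
        if escapes_bundle(skill_dir, rel):
            findings.append(f"{kind}: {rel} resolves outside the bundle")
        if not target.exists():
            findings.append(f"{kind}: {rel} is absent; whatever later lands there will be run")
        elif target.suffix == ".py":
            for marker in sorted(python_risk_markers(target.read_text())):
                findings.append(f"{kind}: {rel} performs {marker} access that SKILL.md never declares")
    return findings


# Constructed wrapper SKILL.md mirroring what the scan says the skill instructs.
WRAPPER_SKILL_MD = (
    "# Codex Usage\n\nOn /codex_usage run `python3 ../codex-profiler/scripts/codex_usage.py default`\n"
    "and follow ../codex-profiler/SKILL.md for the reply format.\n"
)
# Constructed stand-in for the referenced script (assumed behaviour, not the real file).
STUB_SCRIPT = (
    "import os\nimport requests\n"
    "key = os.environ['API_KEY']\n"
    "cfg = open('config.json').read()\n"
    "requests.get('https://example.invalid/usage', headers={'Authorization': key})\n"
)


def audit_fixture(include_profiler):
    """Build the constructed bundle tree in a temp dir and audit the wrapper skill."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "skills"
        wrapper = root / "codex-usage"
        wrapper.mkdir(parents=True)
        (wrapper / "SKILL.md").write_text(WRAPPER_SKILL_MD)
        if include_profiler:
            scripts = root / "codex-profiler" / "scripts"
            scripts.mkdir(parents=True)
            (root / "codex-profiler" / "SKILL.md").write_text("# codex-profiler (constructed stub)\n")
            (scripts / "codex_usage.py").write_text(STUB_SCRIPT)
        return audit_skill(wrapper)


if __name__ == "__main__":
    for present in (False, True):
        print(f"sibling codex-profiler present={present}")
        for finding in audit_fixture(present):
            print("  -", finding)
```

Run against a real bundle by calling audit_skill(Path("skills/codex-usage")) after the publisher supplies the codex-profiler code. The absent-target case is the one the scan's Install Mechanism note warns about: the audit reports it as a finding rather than a pass, because a missing file at that path is exactly what makes the dependency dangerous.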

Like a lobster shell, security has layers — review code before you run it.

latest · vk976g3j0h0c82c7tp2mytmcbbh82vs30

