Codex Usage
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This wrapper skill is small and transparent, but it delegates to an unreviewed sibling skill/script and appears to check all Codex profiles even for narrower requests.
Use caution before installing. This appears to be a wrapper around another skill, so first review the referenced codex-profiler skill and its codex_usage.py script and confirm that you trust them. Also confirm that you are comfortable with the command checking all configured Codex profiles, not only the one you may have requested.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may follow instructions from an unreviewed or locally different codex-profiler skill, which could change what data is read or what commands are run.
The skill delegates its real instructions to a sibling skill that is not included in the provided manifest, so the reviewed artifact does not contain the behavior users would actually rely on.
Deprecated wrapper: maintained implementation lives in `skills/codex-profiler/`. For `/codex_usage*` requests, follow `../codex-profiler/SKILL.md`
Install and review the referenced codex-profiler skill before use, or update this wrapper to declare and pin that dependency explicitly.
The executed script was not part of this review, so users cannot tell from these artifacts what local files, profiles, or network services it may access.
Although registry metadata says there is no install spec and no code files are present, the skill tells the agent to execute a Python script outside this package.
python3 skills/codex-profiler/scripts/codex_usage.py --profile all --format text
Review the referenced Python script and its dependencies before running the command; the skill should declare python3 and include or explicitly depend on the script it runs.
A request for one profile could cause the agent to inspect or display status for every configured Codex profile, exposing more account/profile information than the user intended.
The documented command always requests all profiles, even though the skill description includes narrower default or specific-profile invocations.
Use when the user sends /codex_usage, /codex_usage default, /codex_usage all, or /codex_usage <profile> ... python3 skills/codex-profiler/scripts/codex_usage.py --profile all --format text
Pass through the user-requested profile instead of defaulting to all profiles, and clearly document any local profile or authentication data the command reads.
