Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Codex Skill

v1.0.0

Use when user asks to leverage codex, gpt-5, or gpt-5.1 to implement something (usually implement a plan or feature designed by Claude). Provides non-interac...

by Pengfei Ni (@feiskyer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the SKILL.md: it is a Codex CLI operator that automates coding tasks (worktree setup, PR flow, editing files). Requiring tmux/git/npm-style installs in the instructions aligns with that purpose. However the skill's stated goal of 'hands-off task execution without approval prompts' and recommended flags that grant 'danger-full-access' exceed what a neutral helper usually needs and deserve scrutiny.
! Instruction Scope
The instructions direct the agent to run codex with flags that auto-approve file edits (--full-auto / -s workspace-write), skip prompts and sandboxing (--dangerously-bypass-approvals-and-sandbox), and enable full network/system access (-s danger-full-access). They also recommend running package managers (pnpm/npm/pip), creating worktrees, writing logs in /tmp, and using --skip-git-repo-check. This broad read/write/network scope and explicit guidance to bypass safety controls means the agent could modify repository content, install arbitrary dependencies, and access network resources without additional confirmations.
Install Mechanism
There is no install spec — the skill is instruction-only. That lowers install-time risk (nothing automatically downloaded or written by the registry). The SKILL.md suggests how to install the Codex CLI (npm or brew) but the skill itself doesn't perform installs.
Credentials
The skill declares no required environment variables or credentials, which is appropriate for a CLI wrapper. It does reference a runtime cap variable (PI_BASH_MAX_OUTPUT_CHARS) and expects access to the workspace and /tmp; these are plausible. Still, the instructions encourage enabling network/system access and running package installs which could pull remote code — the absence of credential requests does not eliminate the risk of exfiltration or remote dependency execution.
! Persistence & Privilege
The skill does not request 'always:true' (good), but it explicitly encourages non-interactive, auto-approved execution modes and long-lived background sessions (poll-and-extend up to 12 hours). Combined with autonomous invocation being permitted by platform defaults, this creates a higher blast radius: the agent could be given the ability to run long-running tasks that modify files and use the network without per-action confirmation.
What to consider before installing
This skill is coherent for automating development tasks, but it instructs the agent to run Codex in modes that auto-approve edits and bypass sandboxes/prompts. Before installing or using it: (1) verify the Codex CLI binary and its provenance (npm/brew package author and integrity); (2) only run this skill in isolated/disposable environments or containers (no access to secret-filled repos or production systems); (3) avoid the --dangerously-bypass-approvals-and-sandbox and 'danger-full-access' flags unless you fully trust the agent and have network/filesystem isolation; (4) prefer read-only or interactive modes for untrusted code; (5) audit any commits/PRs the agent creates and restrict network access during runs; (6) request source/homepage/maintainer info from the publisher — lack of a homepage and unknown source increases risk. If you cannot accept those mitigations, treat this skill as untrusted.
