v1.0.0

Codex Skill

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:11 AM.

Analysis

This is a coherent Codex automation skill, but it deliberately enables hands-off code changes, no-sandbox modes, long-running background agents, and PR-merge workflows that deserve review before use.

Guidance: Install only if you intentionally want OpenClaw to delegate coding work to Codex. Prefer isolated worktrees and containers, avoid danger-full-access or sandbox-bypass modes by default, and require explicit user approval before pushing, opening, or merging PRs.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
Provides non-interactive automation mode for hands-off task execution without approval prompts.

The skill’s core mode suppresses approval prompts while delegating coding work, so the agent can initiate changes without per-action human confirmation.

User impact: Codex may edit project files or perform development workflow actions without the user reviewing each change first.

Recommendation: Use this only for repositories where automated edits are acceptable, and require explicit user approval before commits, pushes, PR actions, or merges.

Unexpected Code Execution
Severity: High | Confidence: High | Status: Concern
SKILL.md
`-s danger-full-access` | Full access including network and system ... `--dangerously-bypass-approvals-and-sandbox` | Skip all prompts + no sandbox

The documented Codex modes allow broad system and network access while bypassing sandboxing and prompts, which is materially riskier than normal scoped coding assistance.

User impact: A Codex run could execute commands or make changes outside the intended project boundary if these modes are used in a normal local environment.

Recommendation: Prefer read-only or workspace-write modes, use disposable containers or VMs for risky tasks, and avoid no-sandbox/full-access flags unless the user explicitly requests them.

Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Operate Codex CLI as a **managed coding agent** — from worktree setup through PR merge.

The workflow is framed as continuing through PR merge, meaning an automated implementation path could propagate changes into a shared repository.

User impact: Bad generated changes could move from an isolated worktree into a branch or merged PR if review gates are not enforced.

Recommendation: Keep worktree isolation, require tests and human code review, and make merge operations explicit user-confirmed steps.

Rogue Agents
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Do NOT use `timeout=` for codex tasks. Instead, use background execution with periodic polling... if no new output for 12 hours, ask user before killing

The skill intentionally creates long-running background Codex sessions; this is disclosed and purpose-aligned, but users should notice the persistence.

User impact: A Codex job may continue running for hours in the background, consuming resources and potentially continuing to act on the workspace.

Recommendation: Track session IDs or tmux sessions, set a maximum runtime for your environment, and stop background jobs when the task is complete.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
# Install: npm i -g @openai/codex  or  brew install codex
tmux -V          # tmux required for full workflow

The skill depends on external CLI tooling installed outside the skill package; this is expected for the purpose but not pinned or enforced by an install spec.

User impact: The safety of the workflow depends partly on the Codex CLI and tmux installation present on the user’s machine.

Recommendation: Install Codex CLI from official sources, keep it updated, verify versions, and avoid running globally installed tooling from untrusted package sources.