Skill v1.0.3
ClawScan security
Codex Auth Cleaner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 26, 2026, 6:25 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code mostly matches its stated purpose (cleaning Codex auth files via a CPA management API), but the package metadata omits required credentials and some runtime behaviors are underspecified — this mismatch and the destructive nature of delete operations warrant caution.
- Guidance: This skill is coherent in purpose — it contacts a Codex Provider Agent (CPA) management API and can disable or delete auth files — but there are important mismatches and risks you should consider before installing:
  - Missing metadata: The package metadata does not declare the required CPA_URL and CPA_KEY, yet the script needs them (via env vars or config.json). Expect to provide an admin key; ensure the registry omission isn't hiding additional secret requirements.
  - Destructive operations: The tool can permanently delete auth files on the CPA. Test with the status/check commands first and run against a staging instance. Back up or export current auth-file state before running delete/clean in production.
  - Principle of least privilege: Use a scoped admin key where possible. If the CPA supports a role that can only disable (not delete), prefer that for routine monitoring and only use a full-admin key when you intentionally run deletion.
  - Config file security: config.json will contain the admin key. Ensure the file is stored with restrictive permissions and verify where it will be saved (the skill directory under ~/.nanobot/workspace in examples).
  - Notifications unclear: The config includes Telegram/Discord settings but does not show where a bot token or webhook is supplied. Inspect the remainder of the script to confirm how notifications are sent and whether any additional secrets are required.
  - Review & auditing: Because the script performs network calls and deletions, review the full script (including the truncated portion) to confirm there are no unexpected external endpoints, no hidden logging/exfiltration, and that the delete logic matches your expectations (e.g., only deletes items confirmed by the double verification).

  If you want to proceed safely: (1) run the script in 'status' and 'check' modes against a test CPA instance, (2) inspect the complete source to confirm notification code and external endpoints, (3) restrict the CPA key used, and (4) ensure secure storage/rotation of the admin key. If you can provide the remainder of the script (truncated portion), I can re-evaluate and reduce uncertainty.
Review Dimensions
- Purpose & Capability (concern): The skill is described as a CPA codex auth-file cleaner and the included script implements exactly that (fetching auth files, disabling 401s, double-verifying, deleting). However the registry metadata declares no required environment variables or primary credential, while the SKILL.md and the script require CPA_URL and CPA_KEY (or a saved config) — this is an incoherence between what the skill says it needs and what it actually needs to operate.
- Instruction Scope (ok): The SKILL.md instructions and shipped script focus on enumerating, checking, disabling, and deleting auth files and on periodic monitoring. The script only references CPA management endpoints and local config; it does not attempt to read unrelated system files. The instructions do suggest running periodic jobs and sending the stdout report via a 'message' tool; that behavior is expected but depends on the operator to implement safe delivery.
- Install Mechanism (ok): No install spec is provided and the skill is instruction-only with a single Python script using only the stdlib. There is no network-based installer or third-party package pull in the manifest.
- Credentials (concern): The script legitimately needs an admin-level CPA key and CPA URL to modify and delete auth files, but these required credentials are not declared in the registry metadata (requires.env/primary credential). The config.json and setup wizard also reference notification settings (telegram/discord chat id) but do not declare or explain how messaging credentials (e.g., bot token) are provided, making notification behavior unclear.
- Persistence & Privilege (ok): always:false and the skill does not request system-wide privileges. It writes a local config.json in the skill directory (normal). It does perform destructive actions against the CPA (disable/delete); this is an expected capability for a cleanup tool but requires admin rights on the CPA.
