Codex Agent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is purpose-aligned with operating Codex, but it gives OpenClaw/Codex broad autonomous coding authority, long-lived background operation, and automatic forwarding of potentially sensitive output.

Install only if you intentionally want OpenClaw to manage Codex as a semi-autonomous coding operator. Before enabling it, verify the source repo and hook scripts, use a private notification channel, avoid full-auto mode for sensitive repositories, keep session persistence bounded, and stop tmux/monitor processes after each task.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Codex/OpenClaw may run commands and change project files in the selected work directory without the user approving each command.

Why it was flagged

The skill explicitly supports full-auto Codex execution and tells the agent to handle approvals and modifications without involving the user during the middle of the task.

Skill content
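Codex auto-approval: `--full-auto`, Codex decides on its own what to execute ... In both modes, **the intermediate process (approvals, iterations, modifications) is handled autonomously by me; Tao Ge only cares about the final result**.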
Recommendation

Use this only in trusted projects, prefer manual/default approval for sensitive work, confirm the workdir and prompt carefully, and monitor or attach to the tmux session for high-risk changes.

What this means

A mistaken or malicious Codex/project output could steer OpenClaw's follow-up decisions, especially when the workflow already allows autonomous approvals and iterations.

Why it was flagged

Codex's assistant summary is inserted directly into a new OpenClaw agent message. If that output contains adversarial or misleading instructions, it can influence the next agent turn unless treated as untrusted.

Skill content
agent_msg = (
    f"[Codex Hook] 任务完成,请检查输出并汇报。\n"
    ...
    f"summary: {summary}"
)
agent_ok = wake_agent(agent_msg)
Recommendation

Wrap Codex output as untrusted data, instruct OpenClaw not to follow embedded instructions from summaries or terminal output, and require human review before risky approvals.

What this means

Private code, file paths, command output, or accidental secrets may be sent to Telegram or another configured channel and also used to wake another agent.

Why it was flagged

The hook acknowledges that the Codex summary may contain code, paths, or secrets, then automatically includes it in a message sent through the configured OpenClaw channel.

Skill content
# ⚠️ Note: summary may contain sensitive information such as code snippets, paths, and keys
msg = (
    f"🔔 Codex 任务回复\n"
    f"📁 {cwd}\n"
    f"💬 {summary}"
)
Recommendation

Use only private, trusted message channels; avoid running it on secrets-heavy tasks; consider redaction or summary-only notifications; and review /tmp logs if sensitive data may have been exposed.

What this means

Long-lived agent context and background Codex/tmux sessions can retain sensitive task details, stale assumptions, or poisoned instructions far beyond a single task.

Why it was flagged

The installation guide strongly recommends changing OpenClaw session reset behavior to effectively keep agent context alive for 100 years.

Skill content
⚠️ **Must do** ... "idleMinutes": 52560000 ... This is equivalent to setting the reset to happen only after 100 years
Recommendation

Use a finite reset interval, manually reset with /new after sensitive tasks, stop tmux sessions with the provided cleanup script, and audit running monitors regularly.

What this means

Anyone who can invoke the skill may cause actions through the user's configured Codex/OpenClaw environment and send messages to the configured channel.

Why it was flagged

The skill depends on the user's existing Codex/OpenClaw account context and messaging channel target. This is expected for the integration, but the registry metadata declares no primary credential or required environment variables.

Skill content
- [Codex CLI] installed ... - Telegram configured as the OpenClaw message channel ... export CODEX_AGENT_CHAT_ID="你的Chat_ID"
Recommendation

Keep Codex/OpenClaw accounts private, set CODEX_AGENT_CHAT_ID and channel carefully, and do not expose this skill to untrusted users or shared agents.

What this means

Installing from the wrong repository or a modified copy could grant executable hook code access to Codex/OpenClaw workflows.

Why it was flagged

The documented setup relies on cloning an external repository and making local hook scripts executable. This is normal for this kind of integration, but users should verify the source and scripts before enabling them.

Skill content
git clone https://github.com/dztabel-happy/codex-agent.git ... chmod +x on_complete.py pane_monitor.sh start_codex.sh stop_codex.sh
Recommendation

Verify the repository URL, inspect the hook scripts, pin a trusted commit when possible, and avoid blindly auto-installing from chat instructions.