.Autopilot

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is a disclosed Codex autopilot, but it gives a persistent background process broad ability to drive coding agents, approve prompts, and accept chat-driven tasks across projects.

Install only if you want a long-running autopilot to control Codex across configured projects. Before enabling it, audit the installer and LaunchAgent, pin the source version, disable auto-approval/full-auto until tested, restrict project directories and chat channels, protect bot tokens, and monitor or stop the watchdog when not in use.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The autopilot could cause Codex to keep working, accept prompts, or modify project files without a fresh human decision each time.

Why it was flagged

The watchdog can send actions into Codex sessions and handle permission prompts automatically, but the visible documentation does not define a narrow approval policy or command allowlist.

Skill content

Dispatches appropriate action (nudge, permission grant, task from queue) ... `permission-guard.sh` | Auto-approve or flag permission prompts

Recommendation

Disable auto-approval and full-auto modes until reviewed, define explicit allowed actions, require confirmation for destructive or privileged operations, and test on a non-critical project first.

What this means

After installation, automation may keep running on a schedule and continue nudging or controlling Codex sessions unless the user actively disables it.

Why it was flagged

The skill intentionally installs a persistent background watchdog, which can continue operating outside a single interactive task.

Skill content

Use `install.sh` to register the launchd plist ... This creates a LaunchAgent that runs the watchdog on a configurable interval.

Recommendation

Only enable the LaunchAgent after manual testing, document and verify stop/uninstall steps, monitor logs, and keep the service disabled when not actively needed.

What this means

A mistaken or unauthorized chat/task entry could be turned into coding-agent work in a real project.

Why it was flagged

External chat messages and another agent can feed tasks into a queue that Codex later executes; the artifact does not specify strong sender authentication, review gates, or data boundaries.

Skill content

User (Telegram) → "ReplyHer has a white-screen bug" ... Claude (OpenClaw) → writes to task-queue → waits for Codex idle ... Watchdog detects idle → takes a task from the queue → sends it to Codex via tmux send-keys

Recommendation

Restrict allowed chat IDs and channels, require human review before queued tasks are sent to Codex, log task origin, and avoid executing raw chat text directly.

What this means

Users may install changing remote code into a persistent automation path without a pinned release or clear provenance in the registry metadata.

Why it was flagged

The setup uses an unpinned remote repository and then runs an installer that registers background automation; the registry also provides no install spec to pin or verify the install behavior.

Skill content

git clone https://github.com/imwyvern/AIWorkFlowSkill.git ~/.autopilot ... ./install.sh

Recommendation

Install only from a reviewed commit or signed release, audit install.sh and launchd files before running them, and publish a clear install spec with required binaries and config paths.

What this means

Bot tokens, webhooks, and the Codex account could expose notifications, allow task submission, or consume account resources if misconfigured or leaked.

Why it was flagged

Telegram and Discord/Codex account access are expected for this integration, but they are sensitive delegated authorities and are not declared as credentials in the registry metadata.

Skill content

telegram: bot_token: "YOUR_BOT_TOKEN" chat_id: "YOUR_CHAT_ID"

Recommendation

Use least-privileged bot/webhook credentials, keep config.yaml out of version control, restrict channels/chat IDs, and review Codex account permissions and spending limits.

What this means

Future agent runs may rely on local planning files that contain outdated directions, sensitive notes, or instructions inserted by someone else.

Why it was flagged

The package encourages persistent project memory that later sessions read and trust; this is useful for continuity but can preserve stale, sensitive, or poisoned instructions.

Skill content

Important information must be written to disk ... `task_plan.md`, `findings.md`, `progress.md` ... At the start of a new session: read the three files first

Recommendation

Review persistent planning and queue files before resuming, avoid storing secrets in them, and keep per-project state files isolated and access-controlled.