🫧 Codex Pet — Pro Pack on RunComfy

Pass. Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: codex-pet
Version: 0.1.0

The skill automates the creation and installation of 'Codex Pet' assets using shell commands (ImageMagick and RunComfy CLI) and local filesystem writes to `~/.codex/pets/`. While the behavior is aligned with the stated purpose, it is classified as suspicious due to the lack of input sanitization for variables like `PET_NAME` and `SOURCE_URL` in the shell scripts within `SKILL.md`, which creates risks for shell injection and path traversal. Additionally, the skill's premise relies on a fictional or future-dated context ('OpenAI Codex Pets May 2026') to justify these high-risk operations.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A chosen source image may be uploaded to RunComfy/OpenAI for generation, and local commands will process the returned image.

Why it was flagged

The skill intentionally invokes a local CLI that sends the user's reference image to an external image-generation endpoint. This is central to the stated purpose and is disclosed.

Skill content
Calls OpenAI GPT Image 2 edit ONCE via the local RunComfy CLI as `runcomfy run openai/gpt-image-2/edit`
Recommendation

Use only with images you are comfortable sending to the external service, and review any command before running it if the agent proposes changes outside the pet-generation workflow.

What this means

The agent can use your configured RunComfy credentials to request image generation, which may consume account quota or credits.

Why it was flagged

The skill requires a RunComfy token and local RunComfy configuration so it can access the user's RunComfy account. This is expected for the advertised integration.

Skill content
clawdis:
  requires:
    bins:
      - runcomfy
      - magick
    env:
      - RUNCOMFY_TOKEN
    config:
      - ~/.config/runcomfy
Recommendation

Use a token intended for this service, keep it out of prompts and logs, and revoke or rotate it if you no longer use the skill.

What this means

Installing a global CLI adds external code to your system beyond the skill text itself.

Why it was flagged

The skill directs the user to install an external global npm CLI package that is not included in the scanned artifact. This is normal for a RunComfy-based instruction-only skill, but it is outside this scan's direct review.

Skill content
1. **RunComfy CLI** — `npm i -g @runcomfy/cli`
Recommendation

Install the CLI from the official RunComfy documentation or trusted package registry, and keep it updated.

Note (High Confidence)
ASI08: Cascading Failures
What this means

The generated pet remains available in Codex until the folder is removed or changed.

Why it was flagged

The skill writes generated files into a persistent Codex configuration location so future Codex sessions can use the pet. This is disclosed and purpose-aligned.

Skill content
drop it into `${CODEX_HOME:-$HOME/.codex}/pets/<name>/`, Codex picks it up as a custom Codex Pet
Recommendation

Check the generated `pet.json` and `spritesheet.webp` before relying on them, and delete the pet folder if you do not want Codex to keep using it.