Back to skill
Skillv1.0.2
VirusTotal security
Codex Hook · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:33 AM
- Hash
- 1590deda35067a9e840c4c34488b6b42239289053d7645dc990a2a11be3a72f5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: codex-hook Version: 1.0.2 The skill bundle implements an autonomous task execution framework with high-risk capabilities, including automated PR merging and command execution via `acpx --approve-all` in `task-execute.sh`, which bypasses manual approval for AI-driven actions. It handles sensitive credentials such as `GITHUB_TOKEN` and Telegram/Discord bot tokens in `notify.sh` and `auto-merge.sh`, and utilizes `tmux send-keys` in `task-dispatcher.sh` to execute AI-generated content. While these features support its stated purpose of automation, the combination of broad execution permissions and external data transmission to user-configured webhooks poses a significant risk of remote code execution (RCE) via prompt injection.
- External report
- View on VirusTotal