Codex Multi Subscription Auth Fallbacks
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent and clearly focused on Codex/OpenClaw auth failover, but it handles local OAuth tokens and offers an optional persistent auto-switching cron job that users should review carefully.
Before installing, review the shell script, install the Codex CLI only from a trusted source, and understand that this will store OAuth refresh tokens in OpenClaw auth files and backup copies. Enable the cron job only if you intentionally want background automatic model switching.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the OpenClaw auth profile file or its backups may be able to reuse or refresh those sessions.
The script imports Codex OAuth access and refresh tokens into OpenClaw's auth-profiles.json. This is the advertised purpose, but it gives OpenClaw ongoing delegated access to the user's Codex/OpenAI account.
access: tokens.access_token || "", refresh: tokens.refresh_token || ""; ... fs.writeFileSync(openclawAuthPath, JSON.stringify(data, null, 2));
Run the script only from a trusted checkout, review file permissions on auth-profiles.json and backup files, remove stale backups when no longer needed, and test first with a non-production account as the skill suggests.
If enabled, your active model may change automatically in the background based on cooldown state.
The optional cron job is a persistent recurring agent task that runs every 10 minutes and may change the main session's model. The artifact clearly marks it optional and describes its behavior.
"everyMs": 600000 ... Run `openclaw models status` via exec ... Set main session model override accordingly
Only add the cron job if you want unattended model switching, review the full cron payload before enabling it, and disable or remove the job if the behavior is unexpected.
Installing or running the wrong CLI package could affect local auth files or account sessions.
The skill depends on an external globally installed npm package that is not bundled or pinned in the artifact. This is expected for a Codex integration, but it is still a supply-chain dependency.
`codex` CLI installed (`npm i -g @openai/codex`) — this also ensures `node` is available
Install the Codex CLI from the official package source, consider pinning a known-good version, and verify the command resolves to the expected binary before running the profile import script.
