codex-supergraph

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent instruction-only Codex analytics guide, with disclosed API-key use and optional external setup/payment flows that users should control.

This skill appears safe to install as an instruction-only Codex API guide. Before using it, make sure you are comfortable sending a Codex API key to graph.codex.io, confirm any payment-gateway step manually, and only enable the optional MCP/SDK setup if you trust the Codex documentation and package sources.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the agent may send your Codex API key to Codex and could manage short-lived API tokens for that account.

Why it was flagged

The skill is expected to use Codex credentials, and it also documents operations that can create, list, or delete Codex API tokens.

Skill content

Pass `$CODEX_API_KEY` in the `Authorization` header if available... Short-lived keys | `createApiTokens`, `apiTokens`, `apiToken`, `deleteApiToken`

Recommendation

Use a scoped or short-lived Codex key where possible, avoid printing keys, and only allow token creation or deletion when you explicitly ask for it.

What this means

A Codex payment or account step could be initiated through another skill if the API requires payment.

Why it was flagged

The skill may hand off a payment-required response to another skill, which is disclosed but involves an external flow with potential billing or account implications.

Skill content

If the server returns `402 Payment Required`, use the codex-gateway skill to handle the payment flow.

Recommendation

Require explicit user confirmation before any payment, billing, or account-linking step handled by a gateway skill.

What this means

If you choose to follow the setup, your coding assistant or project may connect to Codex documentation services or install the Codex SDK package.

Why it was flagged

The reference file includes optional setup for a remote MCP server and an unpinned SDK package. These are user-directed and purpose-aligned, not automatic install actions.

Skill content

MCP URL: `https://docs.codex.io/mcp` ... `pnpm add @codex-data/sdk`

Recommendation

Only add the MCP server or SDK after verifying the Codex source, and pin package versions for production projects.