Codex Account Switcher

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its account-switching purpose, but it silently saves active Codex credentials on every run, so it needs user review before installation.

Install only if you are comfortable with a local tool reading and writing Codex access and refresh tokens. Review the script first, keep ~/.codex and ~/.openclaw auth files private, prefer sync --dry-run and --agent for OpenClaw updates, and be aware that even listing accounts may create or refresh saved credential snapshots.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: # Probe codex to get a fresh session (for rate limit info) session_id = None try: result = subprocess.run( [ "codex", "exec",
Confidence: 78% confidence
Finding: result = subprocess.run( [ "codex", "exec", "--skip-git-repo-check", "reply OK", ], cwd=str(

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The script silently persists or refreshes account snapshots on every invocation via `sync_current_login_to_snapshot()`, even for commands like `list`. That expands credential retention beyond explicit user actions and can leave additional copies of auth material on disk without user awareness, which is especially dangerous in a skill already handling sensitive tokens.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The script annotates saved snapshots with `decoded_tokens`, persisting parsed JWT header and payload contents alongside the original tokens. This unnecessarily broadens the amount of sensitive identity and account metadata stored on disk, increasing exposure if snapshot files are read, copied, or synced elsewhere.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The activity log creates a timestamped mapping of account names to user IDs over time, producing an additional behavioral audit trail unrelated to the minimum needed for account switching. In a multi-account credential-management tool, such longitudinal tracking increases privacy risk and can expose usage patterns if the local machine or dotfiles are accessed by another process or user.

Description-Behavior Mismatch

Low

Confidence: 75% confidence
Finding: The compare feature decodes and prints token claims across accounts, exposing potentially sensitive identity and token metadata to terminal output or JSON consumers. While not as severe as direct token exfiltration, it expands the skill's access pattern beyond simple switching and raises the chance of leaking sensitive claims into logs, transcripts, or downstream tooling.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The documentation advertises automatic account switching that overwrites the active `~/.codex/auth.json` session, but it does not clearly warn that this changes the currently authenticated identity and may disrupt or redirect subsequent agent actions under a different account. In this skill's context, the feature directly manipulates sensitive authentication state, so insufficient warning increases the risk of unintended account use, quota misuse, or confusing cross-account operations.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: Credential-bearing files are written automatically on every invocation without a user-facing warning, creating hidden state changes and expanding the number of persisted token copies. For a skill whose core purpose already involves sensitive auth files, silent writes materially increase the chance of unintended credential retention and surprise exposure.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Quota probing copies each saved account into `~/.codex/auth.json` as part of evaluation, silently changing the active credential context during a read-like operation. Even though `cmd_auto` later selects a best account, the hidden intermediate switching can confuse users, affect concurrent tools reading the same auth file, and trigger unintended actions under the wrong account if another process runs at the same time.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The OpenClaw sync path propagates access and refresh tokens into other agents' `auth.json` and `auth-profiles.json` files, expanding credential scope beyond Codex into multiple local agent stores. In this skill context, that is especially dangerous because it multiplies the number of token copies and broadens which local components can act as the user without strong disclosure or scoping safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal