Codex Account Switcher

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is clear about managing local Codex login tokens and OpenClaw auth files, but those are sensitive credentials and should only be used intentionally.

Install only if you are comfortable letting this skill read and write Codex authentication files. Keep ~/.codex and ~/.openclaw auth files private, use dry-run before syncing, and limit syncs with --agent when possible.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using this skill is allowing it to manage local Codex credentials, including saved account tokens.

Why it was flagged

The skill explicitly states that it reads and writes authentication files, which gives it access to Codex account sessions and tokens.

Skill content

Sensitive: reads and writes local authentication files.

Recommendation

Use it only on a trusted machine, review which accounts are saved, and keep the ~/.codex files protected with restrictive permissions.

What this means

Running auto mode can switch the active Codex account and make lightweight Codex requests using saved credentials.

Why it was flagged

Auto mode changes the active local Codex auth file and invokes the Codex CLI to check quota. This is purpose-aligned, but it is still a real account action.

Skill content

For each saved account, `auto` temporarily switches `~/.codex/auth.json` and runs a lightweight `codex exec --skip-git-repo-check "reply OK"` probe.

Recommendation

Run auto mode only when you want the active Codex account changed, and check the selected account afterward if account identity matters.

Note: High Confidence

ASI08: Cascading Failures

What this means

If synced broadly, multiple OpenClaw agents may gain or switch to saved Codex account credentials.

Why it was flagged

The skill can propagate saved Codex tokens into OpenClaw agent auth stores. The documentation says this is explicit and can be narrowed with --agent, but a sync operation can affect multiple agent profiles.

Skill content

The `sync` command, or `--sync` on selected commands, syncs saved account tokens to OpenClaw agents' `auth-profiles.json`

Recommendation

Prefer `sync --dry-run` first and use `--agent <name>` when you only intend to update one agent.