Codex Account Switcher

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: codex-account-switcher
Version: 1.4.3

The Codex Account Switcher is a utility designed to manage multiple OpenAI Codex authentication tokens locally. It performs legitimate operations such as reading and writing tokens to '~/.codex/auth.json' and syncing them to OpenClaw agent directories. The script uses the standard 'codex' CLI for authentication and quota probing, handles JWT decoding locally for identity verification, and includes safety checks to prevent overwriting tokens with different identities. No evidence of data exfiltration, obfuscation, or malicious intent was found; the sensitive file access is consistent with the tool's stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using this skill is allowing it to manage local Codex credentials, including saved account tokens.

Why it was flagged

The skill explicitly states that it reads and writes authentication files, which gives it access to Codex account sessions and tokens.

Skill content

Sensitive: reads and writes local authentication files.

Recommendation

Use it only on a trusted machine, review which accounts are saved, and keep the ~/.codex files protected with restrictive permissions.

What this means

Running auto mode can switch the active Codex account and make lightweight Codex requests using saved credentials.

Why it was flagged

Auto mode changes the active local Codex auth file and invokes the Codex CLI to check quota. This is purpose-aligned, but it is still a real account action.

Skill content

For each saved account, `auto` temporarily switches `~/.codex/auth.json` and runs a lightweight `codex exec --skip-git-repo-check "reply OK"` probe.

Recommendation

Run auto mode only when you want the active Codex account changed, and check the selected account afterward if account identity matters.

What this means

If synced broadly, multiple OpenClaw agents may gain or switch to saved Codex account credentials.

Why it was flagged

The skill can propagate saved Codex tokens into OpenClaw agent auth stores. The documentation says this is explicit and can be narrowed with --agent, but a sync operation can affect multiple agent profiles.

Skill content

The `sync` command, or `--sync` on selected commands, syncs saved account tokens to OpenClaw agents' `auth-profiles.json`

Recommendation

Prefer `sync --dry-run` first and use `--agent <name>` when you only intend to update one agent.