Skill v1.0.1
ClawScan security
Codex Sub Agents 1 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:32 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (integrating a local Codex CLI as a coding subagent) is plausible, but the instructions ask the agent to read/copy local auth tokens, enable broad filesystem and network access, and connect to arbitrary MCP endpoints — behaviors that exceed what a simple wrapper should do and warrant caution.
- Guidance: This skill mostly describes how to integrate a local Codex CLI, which is reasonable — but it also tells the system to read and copy local authentication files, run Codex with flags that grant full filesystem and network access, and connect to arbitrary MCP servers/URLs. Before installing or using:
  1. Verify you actually have an official codex binary from a trusted source (npm package identity, checksums).
  2. Do not enable --full-auto / danger-full-access / --yolo unless you fully trust the repository and workspace; prefer read-only or explicit approval modes.
  3. Disable or review any automatic auth sync: inspect ~/.codex/auth.json and ~/.clawdbot auth-profiles.json and back them up before allowing automatic copy.
  4. Avoid adding unknown MCP servers or external URLs (they can receive code or data).
  5. If you need to proceed, limit Codex to a confined workspace and require manual approvals for writes and network access.

  If you want a safer recommendation, provide the precise tooling and constraints you require and ask for a version that uses read-only workflows and explicit token provisioning.
Review Dimensions
- Purpose & Capability (note): The skill claims to enable use of a local OpenAI Codex CLI for coding tasks — the commands and patterns described match that purpose. However the documentation also instructs automatic syncing of auth from ~/.codex/auth.json into Clawdbot auth profiles and describes granting 'full access' (network + filesystem) and adding external MCP servers, which are broader privileges than a minimal CLI wrapper strictly needs.
- Instruction Scope (concern): SKILL.md explicitly directs reading and copying credential files (~/.codex/auth.json → ~/.clawdbot/.../auth-profiles.json), running codex with --full-auto / danger-full-access / --yolo flags, and adding arbitrary MCP servers/URLs. These are concrete instructions that allow token movement, unrestricted file writes and network access, and connecting to external endpoints — all of which expand the agent's scope beyond simple code editing.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or shipped code files, so nothing is downloaded or written by the skill itself. That lowers the mechanical install risk.
- Credentials (concern): The skill declares no required env vars, but its instructions reference OPENAI_API_KEY and require access to ~/.codex/auth.json and Clawdbot auth profiles. Implicitly reading and syncing sensitive tokens is requested without those credentials being declared or constrained, which is disproportionate and surprising to users who expect only CLI invocation guidance.
- Persistence & Privilege (concern): Although always:false is set and there's no installer, the guidance instructs modifying Clawdbot auth profiles (writing tokens into ~/.clawdbot/agents/.../auth-profiles.json) and running long-lived MCP servers — actions that change other agent configuration and enable persistent cross-agent privileges. That degree of configuration/credential modification should be explicit and limited.
