Plugin v2026.5.1

ClawScan security

Codex SDK Runtime · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · May 1, 2026, 6:13 PM
Verdict
Benign
Confidence
medium
Model
gpt-5.5
Summary
This appears to be a real OpenClaw Codex runtime plugin, but it is powerful and should be configured carefully because it can expose OpenClaw Gateway data to Codex through a backchannel.
Guidance
This plugin appears internally consistent with its description, but it is a high-capability runtime integration rather than a small helper. Before installing, review the backchannel settings, especially allowedMethods/readMethods, requireWriteToken, gatewayUrl, inheritEnv, apiKeyEnv, sandboxMode, approvalPolicy, networkAccessEnabled, and additionalDirectories. If you do not want Codex to be able to read OpenClaw chat history, config, sessions, or other Gateway data, restrict the backchannel allowlists before use.

Review Dimensions

Purpose & Capability
ok · The capabilities match the stated purpose: it registers a Codex SDK ACP backend, Codex agents, CLI/chat commands, Gateway RPC methods, Control UI surfaces, persistent sessions, proposals, and an MCP backchannel. Those are coherent for a native Codex runtime integration.
Instruction Scope
note · The SKILL.md/README instructions stay mostly within the stated purpose. They tell the operator to install and configure the plugin, run Codex login, validate config, run doctor checks, and optionally run a local Gateway for testing. The backchannel is explicitly documented, including that Codex can read OpenClaw status and call allowlisted Gateway methods. However, the default backchannel read allowlist in code includes broader Gateway reads such as chat.history, config.get, sessions.get, and skills.status, so users should understand that Codex may receive more OpenClaw context than just basic runtime status.
Install Mechanism
ok · There is no separate download/extract installer or arbitrary URL-based install mechanism. The package uses normal npm dependencies such as @openai/codex-sdk, @modelcontextprotocol/sdk, and ws, which are consistent with the plugin's purpose. The registry metadata says there is no install spec, but this is not purely instruction-only because the package includes substantial plugin code.
Credentials
note · No required environment variables are declared, and the optional credential model is mostly coherent: Codex auth is expected to come from local Codex login or an operator-configured apiKeyEnv. The backchannel code also reads OpenClaw Gateway token/password environment variables and an optional write-token environment variable. Those are related to the Gateway backchannel, but they are not declared in the registry metadata, so operators should be aware the plugin can use existing OpenClaw Gateway credentials if present.
Persistence & Privilege
ok · always is false, so the plugin is not force-included in every run. It registers a runtime service and can configure OpenClaw to use codex-sdk as the ACP backend, which is expected for a runtime plugin. The code shown modifies its own plugin/runtime configuration surfaces rather than other unrelated skills.