Skillv1.1.4

ClawScan security

OpenAI Codex CLI Runner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 19, 2026, 11:15 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it says (launches Codex CLI and delivers results via the local OpenClaw gateway), but it requires high-sensitivity local gateway access and asks the user to change gateway settings that grant waking/injecting into agent sessions; there are a few mismatches (undeclared binaries) and operational choices (dangerously-bypass flag, automatic session-wake) that raise concern and deserve review before installing.
Guidance: Before installing or enabling this skill, consider the following: 1) Review the code yourself (run-task.sh, run-task.py, openclaw_notify.py, session_registry.py). The scripts read your local OpenClaw gateway token (~/.openclaw/openclaw.json) and use it to call the gateway on localhost; make sure you trust the code that will use that token. 2) The skill requests you change OpenClaw gateway settings to allow sessions_send and broaden session visibility — that explicitly grants the skill (and anything using the gateway token) the ability to inject messages and wake agent sessions. Only make those changes if you understand and accept that capability. 3) The skill runs Codex with --dangerously-bypass-approvals-and-sandbox; do not run untrusted prompts or operate this skill on multi-user/public machines. Prefer a disposable VM/container or a single-user trusted machine. 4) Note the metadata omission: scripts call an `openclaw` CLI and use `git`, but these binaries are not listed in required bins — ensure those dependencies exist and audit what the CLI will do. 5) If you proceed, test in a safe environment: run the scripts with benign tasks, verify all network calls are to localhost (GW_URL), inspect the created registry and PID files, and do not enable the gateway config changes on shared systems unless you control access. 6) If you are uncomfortable with session injection/wake capabilities, decline to install or remove/disable the sessions_send call paths in the code and avoid changing gateway settings.

Review Dimensions

Purpose & Capability: noteThe stated purpose — run Codex CLI detached and deliver results to Telegram/WhatsApp via the local OpenClaw gateway — matches the code and instructions. Requesting access to gateway auth and session-related config is consistent with needing to call the local gateway (sessions_list, sessions_send, message). Minor mismatch: the runtime scripts call other system tools (notably an `openclaw` CLI invocation and `git`) but the skill metadata only declares `codex` and `python3` as required binaries.
Instruction Scope: concernRuntime instructions and scripts read a local secret (~/.openclaw/openclaw.json -> gateway.auth.token), call the local HTTP gateway, write a session registry and PID files under ~/.openclaw and /tmp, and execute Codex with `--dangerously-bypass-approvals-and-sandbox` (grants the Codex subprocess broad filesystem/shell powers). The skill also instructs users to modify openclaw.json to allow `sessions_send` and change `tools.sessions.visibility`, which increases the agent wake/injection surface. Scripts call an `openclaw` CLI (in the notification helper) which is not listed in required binaries. These behaviors are coherent with the skill's function but expand scope to agent session injection and autonomous message delivery — high-impact actions that must be consciously approved by the user.
Install Mechanism: okThere is no remote download/install spec; the package is shipped as files and expects local placement into the OpenClaw workspace. No external URLs, installers, or archive extraction are invoked by the skill metadata. This reduces supply-chain risk compared with fetching arbitrary remote binaries.
Credentials: concernNo environment variables are required, but the skill explicitly reads a highly sensitive local secret (gateway.auth.token) to authenticate to the local gateway and asks the user to change gateway configuration to permit `sessions_send` and widen session visibility. Those changes materially increase the ability to inject messages and wake agents and are proportionate to the claim only if the user intentionally wants session injection. The skill also assumes Codex CLI authentication (external to this skill) and calls other local tools (openclaw, git) not declared in the metadata.
Persistence & Privilege: concernThe skill persists state under ~/.openclaw (codex_sessions.json) and writes PID and /tmp output files; file permissions are claimed to be restrictive for the registry. More importantly, the user is asked to change gateway config to permit `sessions_send` and to alter `tools.sessions.visibility` — these are configuration changes that affect the local OpenClaw gateway's behavior, increasing the skill's effective privilege (ability to wake and inject into sessions). The skill is not forced-installed (always: false), but enabling the requested gateway changes grants it elevated capability.