ClawHub

Codex Auth

v1.0.6

DEPRECATED shim skill for /codex_auth. Use codex-profiler instead; codex-auth is no longer the maintained path.

0· 353· 7 versions· 0 current· 0 all-time· Updated 7h ago· MIT-0
by@deadlysilent

Security Scans

VirusTotalBenignClawScanBenignStatic analysisBenign

Install

openclaw skills install codex-auth

⚠️ Deprecated: codex-auth is no longer maintained as a standalone skill. Use codex-profiler for all ongoing /codex_auth and /codex_usage operations.

Run scripts/codex_auth.py to generate a login URL and apply callback URL tokens to auth-profiles.json.

Safe defaults

  • Treat callback URLs/tokens as sensitive and never echo full values.
  • Use queued apply flow for controlled restart behavior.
  • See RISK.md for allowed/denied operation boundaries.

Commands

  • /codex_auth → selector (discovered profiles)
  • /codex_auth <profile>
  • /codex_auth finish <profile> <callback_url>

Interaction adapter

  • If inline buttons are supported: show selector buttons.
  • If inline buttons are not supported: send text fallback (default | <profile>).
  • Callback message handling must never echo full callback URLs (treat as sensitive).
  • Use callback_data namespace prefix codex_auth_* to avoid collisions.

How to run

Start flow:

python3 skills/codex-auth/scripts/codex_auth.py start --profile default

Finish flow (after browser redirect URL is pasted):

python3 skills/codex-auth/scripts/codex_auth.py finish --profile default --callback-url "http://localhost:1455/auth/callback?code=...&state=..."

Queue safe apply (stops/restarts gateway in background):

python3 skills/codex-auth/scripts/codex_auth.py finish --profile default --callback-url "http://localhost:1455/auth/callback?code=...&state=..." --queue-apply
python3 skills/codex-auth/scripts/codex_auth.py status

Safety posture

  • No remote shell execution (curl|bash, wget|sh) is allowed by this skill.
  • No sudo/SSH/system package mutation is performed by this skill.
  • OAuth callback URLs are sensitive: never echo full callback URLs or tokens in chat output.
  • Writes are limited to auth profile state files with lock-based coordination.

Notes

  • Uses the same OpenAI Codex OAuth constants/method as OpenClaw onboarding (auth.openai.com + localhost callback).
  • OAuth success here does not guarantee chatgpt.com/backend-api/wham/usage acceptance; usage endpoint may reject token/session format with 401 and should be handled by usage/profiler skills.
  • Endpoint trust boundary: OpenAI auth hosts + localhost callback flow only; do not send callbacks/tokens to third-party hosts.
  • Writes ~/.openclaw/agents/main/agent/auth-profiles.json with file locking to reduce race risk while gateway is running.
  • Profile IDs map as:
    • default -> openai-codex:default (or first discovered codex profile if default missing)
    • any other selector -> openai-codex:<selector>
  • Pending auth state is stored in /tmp/openclaw/codex-auth-pending.json.

Version tags

latestvk970qmk67ftgp7eq2ptvzvy43n82pbhb