Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Codex Agentic Gateway

v1.0.0

Use when the user wants to query the Codex Supergraph and the server returns a 402 challenge. Pays per query via the MPP 402 challenge flow. Only supports qu...

by Neal O'Grady (@nealo)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for nealo/codex-gateway.

Install the skill "Codex Agentic Gateway" (nealo/codex-gateway) from ClawHub.
Skill page: https://clawhub.ai/nealo/codex-gateway
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install codex-gateway

ClawHub CLI


npx clawhub@latest install codex-gateway

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is described as an MPP (402) gateway for GraphQL queries and the instructions consistently focus on that flow. However, SKILL metadata lists no required binaries while the instructions rely on the Tempo CLI for Tempo-chain challenges — a missing declared dependency (incoherence).
Instruction Scope
Instructions stay within the stated purpose (construct query, handle 402, use Tempo to sign/pay). They tell the agent to run tempo wallet/login/whoami/request which are appropriate for the flow. Two caveats: (1) they instruct reading an external reference at ../codex-supergraph/references/query-templates.md (outside the packaged files) — if that file is not present the guidance may be incomplete; (2) the skill implicitly expects the user to fund a wallet and perform on-chain payments (expected for MPP but operationally significant).
Install Mechanism
The docs recommend installing Tempo with curl -fsSL https://tempo.xyz/install | bash. Piping a remote script to bash is high-risk because it executes code fetched from a remote host; the domain is not a standard audited package host (e.g., GitHub releases, official distro repos). This is the largest security concern.
Credentials
The skill declares no environment variables or credentials and the instructions do not request unrelated secrets. Wallet access and funding are required by design for MPP, and the skill explicitly warns not to print private keys.
Persistence & Privilege
The skill does not request persistent presence (always:false) and contains no instructions to modify other skills or system-wide agent settings. It doesn't require elevated privileges in the SKILL.md.
What to consider before installing
This skill appears to do what it says (handle Codex 402 payment challenges), but take these precautions before installing or using it:

  • Do not blindly run curl ... | bash. Inspect the installer script at https://tempo.xyz/install first, or prefer installing Tempo from a trusted package source or OS package manager.
  • The SKILL metadata did not list the Tempo CLI as a required binary even though the docs depend on it — ensure you have a trusted Tempo binary before relying on the skill.
  • Understand that using the skill will require funding a wallet (real USDC on Tempo) and performing payments on behalf of queries. Confirm cost and limits with the service.
  • Verify the external reference files (especially ../codex-supergraph/references/query-templates.md) exist and match the GraphQL schema before constructing queries — the skill explicitly warns not to guess field names.
  • If you are not comfortable auditing the Tempo installer or giving a CLI permission to sign transactions, do not install or run it. Consider requesting an implementation that uses a vetted package or an alternative payment flow.

If you want, provide the actual installer script URL contents (or the full Tempo installer) and I can help inspect it for obvious issues; that would raise confidence in the assessment.


Latest version id: vk974797gs3c4wbh13xm0capd098361ar
113 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
License: MIT-0

Codex Machine Payment Protocol (MPP)

Use this skill when the Codex Supergraph returns a 402 Payment Required response. The MPP challenge flow lets you pay per query without needing an API key.

HTTP endpoint: https://graph.codex.io/graphql
Credential header: Authorization: Payment <base64url-credential>

How it works

  1. Send a GraphQL query (no credential).
  2. Server returns 402 Payment Required with WWW-Authenticate: Payment ... challenges.
  3. Client solves one challenge and retries with Authorization: Payment <credential>.
  4. Server returns GraphQL data + Payment-Receipt header.

Constraints

  • Query only. Mutations and subscriptions return 403 in MPP mode.
  • If a valid API key or bearer token is also present, API auth takes precedence.
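The four-step flow and the two constraints above, as an added Python example that is not part of the skill's files or of Codex's own code: the client is exercised against an in-process fake server so it runs offline. The challenge parameters, the receipt value and the `demo_solver` signer are constructed stand-ins; the real skill delegates the payment step to the Tempo CLI, whose output this example does not model.

```python
import base64
import json
import re

def operation_type(query):
    """First keyword of the operation; a bare '{ ... }' selection set is a query."""
    m = re.match(r"\s*(query|mutation|subscription)\b", query)
    return m.group(1) if m else "query"

def parse_payment_challenges(www_auth):
    """Split 'Payment k="v", ..., Payment k="v"' into one dict of params per challenge."""
    chunks = re.split(r"(?:^|,\s*)Payment\s+", www_auth)[1:]
    return [dict(re.findall(r'(\w+)="?([^",]+)"?', c)) for c in chunks]

def redact(credential):
    """Rule from the page: never print raw credentials; show only a prefix and length."""
    return f"{credential[:4]}...({len(credential)} chars)"

def fake_server(headers, body):
    """Constructed stand-in for the endpoint, implementing the behaviour the page states."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):                 # API auth takes precedence over MPP
        return 200, {}, {"data": {"via": "api-key"}}
    op = operation_type(body["query"])
    if op != "query":                              # MPP mode: mutations/subscriptions -> 403
        return 403, {}, {"errors": [{"message": f"{op} not allowed in MPP mode"}]}
    if auth.startswith("Payment "):                # step 4: data plus Payment-Receipt header
        return 200, {"Payment-Receipt": "rcpt-constructed-001"}, {"data": {"ok": True}}
    challenge = 'Payment realm="codex", chain="tempo", amount="0.01", currency="USDC", nonce="n1"'
    return 402, {"WWW-Authenticate": challenge}, {}  # step 2: challenge with constructed values

def query_with_mpp(query, solve, api_token=None, send=fake_server):
    """Steps 1-4 of the flow; 'solve' turns one parsed challenge into a credential string."""
    headers = {"Authorization": f"Bearer {api_token}"} if api_token else {}
    status, resp_headers, body = send(headers, {"query": query})      # step 1: no credential
    result = {"status": status, "body": body, "receipt": resp_headers.get("Payment-Receipt")}
    if status != 402:
        return result
    if operation_type(query) != "query":           # only ever pay for query operations
        raise ValueError("refusing to pay for a non-query operation")
    credential = solve(parse_payment_challenges(resp_headers["WWW-Authenticate"])[0])
    status, resp_headers, body = send({"Authorization": f"Payment {credential}"}, {"query": query})
    return {"status": status, "body": body, "receipt": resp_headers.get("Payment-Receipt"),
            "credential": redact(credential)}      # step 3 retry; credential kept redacted

def demo_solver(challenge):
    """Hypothetical stand-in for the Tempo signing step: base64url of the challenge fields."""
    raw = json.dumps(challenge, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
```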

Rules

  • Never print raw credentials.
  • Only use MPP for query operations.
  • Before constructing any query, read references/query-templates.md below for the correct GraphQL schema. Do not guess query or field names.

References

File | Purpose
../codex-supergraph/references/query-templates.md | GraphQL query schema and examples — read before constructing queries
../codex-supergraph/references/gotchas.md | Common query failure points
references/gotchas.md | MPP-specific failure points
rules/wallets.md | Wallet setup: tempo wallet/request (Tempo)
references/mpp-flow.md | Auth matrix, challenge details, error codes
