Codex Owner Move E2E

Review

Audited by ClawScan on May 8, 2026.

Overview

This is a maintainer-only test skill that tells an agent to publish, transfer ownership of, inspect, and delete a ClawHub skill, so ordinary users should review it carefully before installing.

Do not install this as a normal user-facing skill. It appears to be an internal maintainer E2E test for ClawHub owner migration. If you must use it, run it only against a throwaway skill under the intended maintainer account, confirm every publish, ownership-transfer, and delete operation manually, and avoid granting it access to real production skills.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked in the wrong context, the agent could mutate or delete a ClawHub skill record rather than merely provide guidance.

Why it was flagged

The documented procedure directs an agent through publishing, ownership migration, and deletion operations against the ClawHub registry. These are high-impact actions and the artifact does not provide explicit approval checkpoints or strong target containment.

Skill content

1. Publish version 0.0.1 under the authenticated personal publisher.
2. Publish version 0.0.2 with the OpenClaw owner selected and the migration opt-in enabled.
3. Inspect the skill and verify that the latest version is 0.0.2.
4. Delete the temporary skill after validation completes.

Recommendation

Install or invoke this only in a controlled maintainer test environment, and require explicit human confirmation before any publish, ownership-transfer, or delete action.

What this means

A user or agent with publisher or organization privileges could apply those privileges to a migration workflow that was intended only for maintainers.

Why it was flagged

The workflow depends on authenticated personal publisher authority and organization-owner selection, but the registry metadata declares no credential or configuration requirements to bound how that authority should be used.

Skill content

under the authenticated personal publisher ... with the OpenClaw owner selected

Recommendation

Restrict this skill to maintainers, document the exact account and organization permissions required, and avoid running it from accounts that control real production skills unless that is intentional.

What this means

A bad migration or cleanup step could leave persistent registry state in an unexpected condition.

Why it was flagged

The skill explicitly touches persistent registry state that can affect history, aliases, and audit records. This is expected for an owner-migration test, but mistakes could propagate beyond a single transient action.

Skill content

Existing version history, stats, aliases, and audit history should remain attached to the skill.

Recommendation

Use a dedicated throwaway skill slug and verify the target record before each registry mutation.