Codex Owner Move Debug
Warn
Audited by ClawScan on May 8, 2026.
Overview
This published temporary debug skill tells an agent to publish, migrate ownership of, and delete a skill even though it says users should not install it.
Treat this as an internal test artifact, not a normal user skill. Do not install or invoke it unless you are deliberately validating owner migration in a controlled environment and have confirmed the exact test skill, accounts, approvals, and cleanup or rollback plan.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent follows this skill with real registry access, it could publish, transfer, or delete a skill record and alter public or organizational metadata.
The documented workflow is a sequence of high-impact registry mutations, but the artifact does not limit execution to a safe disposable target or require explicit human confirmation.
The skill is created, moved between publishers, inspected, and deleted. ... Publish under the personal owner, then publish a second version under the OpenClaw owner with the migration flag.
Do not install it for normal use; keep this workflow in a controlled test environment with explicit human approval, a disposable test skill, and clear rollback steps.
An agent with elevated publisher permissions could use those privileges to change ownership or version history in ways the user did not intend.
Executing this step would require delegated publisher or owner-migration privileges for an organization, but the skill does not define the credential boundary or scope for that authority.
publish a second version under the OpenClaw owner with the migration flag
Only run owner-migration validation from an authorized internal account, and require a clearly scoped owner, skill slug, and approval before any mutation.
