OpenClaw OpenAI Multi Account

Security checks across malware telemetry and agentic risk

Overview

The skill largely does the account-management job it describes, but its quota check can send OAuth tokens to a configurable web address that is not clearly disclosed or restricted.

Install only if you intentionally want this skill to manage OpenAI/Codex OAuth accounts across OpenClaw agents. Before using quota probing or automation, check that OPENCLAW_CODEX_USAGE_URL is unset or points only to the intended official endpoint, back up ~/.openclaw, and understand that the skill stores and propagates OAuth tokens locally while auto-switching accounts or models.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Tainted flow: 'req' from os.environ.get (line 694, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content
req = urllib.request.Request(CODEX_USAGE_URL, headers=headers, method='GET')
try:
    with urllib.request.urlopen(req, timeout=timeout_sec) as resp:
        raw = resp.read().decode('utf-8', errors='ignore')
        data = json.loads(raw) if raw.strip() else {}
except urllib.error.HTTPError as e:
Confidence: 97%
Finding
with urllib.request.urlopen(req, timeout=timeout_sec) as resp:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill describes and encourages broad sensitive capabilities—reading and writing OpenClaw auth files, storing OAuth snapshots, invoking shell commands, probing Codex/OpenAI state, and handling live credentials—yet no explicit permission declaration is present. That mismatch is dangerous because users and policy systems cannot accurately understand or constrain the skill's access, and the skill context involves high-value secrets (OAuth tokens) plus persistent filesystem modification across multiple agent auth stores.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding
The auto-rotation guard reads session metadata across all agent workspaces, which exceeds the narrow scope of account/quota switching and exposes broader local activity information. In a multi-agent or multi-user environment, this can leak conversation activity patterns and create unnecessary cross-workspace coupling.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding
The skill description says quota inspection is via local Codex CLI cache, but the implementation performs live authenticated requests to the ChatGPT backend. This scope expansion matters because it transmits access tokens and account identifiers over the network and changes the trust/privacy model users would reasonably expect.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The code transmits OAuth Bearer tokens and account identifiers in an outbound HTTP request without any user-facing disclosure in this file. Even if the default endpoint is legitimate, silent transmission of authentication material increases privacy and credential-handling risk, especially when combined with the environment-variable endpoint override.

VirusTotal

56/56 vendors flagged this skill as clean.
