Codex Profile Failover
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated Codex profile failover purpose, but it handles OAuth/session state and its manual trigger can apply changes more broadly than the selected session suggests.
Install only if you want a trusted helper to manage existing Codex OAuth profiles. Before using --apply or the watchdog, inspect the generated config, confirm sessionTargets contains only intended sessions, run dry-run first, and protect the OpenClaw state, logs, and backups.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the config contains multiple sessionTargets, a user trying to trigger one session could rotate profiles for all configured sessions while only seeing the selected session in the output.
The script describes --session-key as the session to evaluate, but it invokes the watchdog using the config as-is and only filters the displayed results after applying changes.
parser.add_argument("--session-key", default=DEFAULT_SESSION_KEY, help=f"Session key to evaluate...")
...
if not args.dry_run:
    command.append("--apply")
...
payload["sessions"] = [item for item in (payload.get("sessions") or []) if item.get("sessionKey") == args.session_key]
Treat manual trigger as applying to every session in the config unless verified otherwise. The script should pass a real session filter, create a temporary single-session config, or show all changed sessions; dry-run should be used before applying.
The skill can use local Codex OAuth credentials and account identifiers to check usage and choose another profile, which can affect account/session behavior and quota usage.
The runtime reads existing openai-codex auth profiles, extracts their access tokens, and uses them as Bearer tokens for the ChatGPT usage endpoint.
if not str(profile_id).startswith("openai-codex:") ...
"access": profile.get("access") or profile.get("token")
...
"Authorization": f"Bearer {token}"
Use only if you trust the skill with existing Codex profiles. Run dry-run first, keep the state directory protected, and avoid sharing command output or logs that may include profile/account metadata.
Once started, the watchdog can keep rotating the session's Codex profile until the process is stopped.
The documented workflow starts a background watchdog with --apply, allowing it to continue making profile switch decisions after the initial command returns.
nohup python3 scripts/codex_profile_watchdog.py --config /path/to/workspace/config/codex-profile-watchdog.json --apply >> /path/to/workspace/state/codex-profile-watchdog.log 2>&1 &
Start the watchdog only when continuous automatic failover is desired, monitor its log, and keep a clear stop/restart procedure. Prefer --once or dry-run checks during setup.
Local logs and backup files can reveal session keys, profile IDs, and profile-switch history, and backups may retain older session state.
The helper persists local event records and backups describing session/profile changes.
event = {
    "sessionKey": args.session_key,
    "oldProfileId": old_profile_id,
    "newProfileId": args.profile_id,
    "source": source,
    "backup": str(backup_path),
}
append_event(event_log_path, event)
Store logs/backups in a protected workspace state directory, rotate or delete old files when no longer needed, and do not publish or share them.
Users have less provenance information for a skill that touches sensitive local authentication and session files.
The registry metadata does not provide an external source or homepage for provenance, while the skill handles OAuth/session state.
Source: unknown
Homepage: none
Review the included source before use and prefer installing only from a publisher/source you trust.
