Codex Account Switcher

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw Codex account/quota management skill that handles OAuth credentials, so it is sensitive but not deceptive or malicious.

Install only if you want OpenClaw to manage Codex OAuth profiles on this machine. Run dry-run commands first, keep OpenClaw and Codex auth files private, review file permissions and backups, use --no-set-first if you do not want imported credentials promoted, and enable notifications only with a trusted NapCat sendUrl/access token configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tainted flow: 'req' from os.environ.get (line 177, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    headers["ChatGPT-Account-Id"] = str(cred["accountId"])
    req = urllib.request.Request(WHAM_URL, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=8) as res:
            data = json.load(res)
    except Exception as e:
        return {"profileId": profile_id, "ok": False, "error": type(e).__name__}
Confidence
88% confidence
Finding
with urllib.request.urlopen(req, timeout=8) as res:

Tainted flow: 'req' from os.environ.get (line 177, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(send_url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=8) as res:
            res.read(200)
    except Exception as exc:
        log(f"notify failed: {type(exc).__name__}: {exc}")
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=8) as res:

Tainted flow: 'QUOTA_SCRIPT' from os.environ.get (line 22, credential/environment) → subprocess.check_output (code execution)

Medium
Category
Data Flow
Content
    state = load_json(STATE_PATH, {"version": 1})
    set_order_in_state(state, profile_id, profile_ids)
    try:
        out = subprocess.check_output([str(QUOTA_SCRIPT), "--json"], text=True, timeout=12)
        result = json.loads(out)
        if not result.get("ok"):
            return {"ok": False, "error": result.get("error", "quota_failed")}
Confidence
96% confidence
Finding
out = subprocess.check_output([str(QUOTA_SCRIPT), "--json"], text=True, timeout=12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and documents capabilities that read environment variables, access credential files, modify auth state, invoke shell commands, and make network requests, but the manifest declares no permissions. That mismatch weakens review and sandboxing because operators cannot accurately assess the trust boundary before installation, especially for a skill that handles OAuth material and rewrites authentication state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose sounds like quota querying and account selection, but the behavior also includes importing external OAuth credentials from ~/.codex/auth.json, directly reading and writing OpenClaw auth files, storing refresh/access tokens, and optionally notifying a third-party group. Those extra behaviors materially expand the security impact from simple account management to credential handling and potential data disclosure, increasing the chance of unsafe deployment by unsuspecting users.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script reads OAuth access and refresh tokens from ~/.codex/auth.json and persists them into OpenClaw profile storage, creating a second credential store and broadening secret exposure. That is security-relevant behavior beyond simple quota querying/account switching because compromise of OpenClaw files would now yield reusable Codex tokens, including refresh material.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The module docstring understates side effects by implying it only syncs token fields into a profile, while the code also updates auth ordering/state to make the imported profile preferred by default. Hidden or insufficiently disclosed authentication state changes are risky because they can silently redirect future model usage to a different account and make credential changes harder for operators to notice.

Credential Access

High
Category
Privilege Escalation
Content
## Behavior

- Reads OpenClaw auth profile metadata from the selected agent directory.
- Queries quota directly from ChatGPT WHAM usage using each profile's OAuth access token.
- Never prints access tokens, refresh tokens, API keys, or credential file contents.
- Account switching only rewrites `auth-state.json` provider order for `openai-codex`.
- `codex-cli-sync.py` is advanced/explicit: it imports the current Codex CLI `~/.codex/auth.json` login into OpenClaw and writes backups first.
Confidence
84% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
- Reads OpenClaw auth profile metadata from the selected agent directory.
- Queries quota directly from ChatGPT WHAM usage using each profile's OAuth access token.
- Never prints access tokens, refresh tokens, API keys, or credential file contents.
- Account switching only rewrites `auth-state.json` provider order for `openai-codex`.
- `codex-cli-sync.py` is advanced/explicit: it imports the current Codex CLI `~/.codex/auth.json` login into OpenClaw and writes backups first.
- Auto-switch defaults to switching only when the active account's 5h remaining quota is below `20%`.
Confidence
88% confidence
Finding
access tokens

VirusTotal

66/66 vendors flagged this skill as clean.
