Codex

Security checks across malware telemetry and agentic risk

Overview

This official OpenClaw Codex plugin has powerful local code-execution and credential capabilities, but they match its stated purpose as a Codex harness and migration tool, and no artifact evidence shows deception or exfiltration.

Install only if you want OpenClaw to run Codex with local code-execution authority and to reuse or migrate Codex credentials. Before use, review appServer.mode, approvalPolicy, sandbox, codexPlugins.allow_destructive_actions and the migration secret-import options; prefer guardian/workspace-scoped settings unless you actually need full local autonomy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
This code exposes a dangerous native-execution path by resuming local Codex CLI sessions through a spawned subprocess (`codex exec resume`) and feeding attacker-controlled prompt input to its stdin. Although the command name and session ID are constrained, this still grants a bound conversation the ability to trigger local CLI execution in a user-chosen working directory, which can lead to filesystem access, code execution side effects, or misuse of the Codex CLI's existing privileges.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
This code enumerates local Codex session history from `CODEX_HOME`, reads session files, and returns metadata including session IDs, working directories, timestamps, and truncated prior user messages. That exposes potentially sensitive local conversation data and filesystem context to callers, which can leak private prompts, project paths, and activity history even without direct code execution.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The migration provider description says native plugins and hooks remain explicit, but the implementation also auto-installs curated plugins and enables them with destructive actions allowed. That mismatch can mislead operators into approving a migration they believe is review-only, increasing the chance that risky plugin capabilities are activated without informed consent.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The block message explicitly advises users to 'run an intentionally unsandboxed session' when native execution is unavailable under sandboxing. Even though this is only user-facing text, it can socially steer operators or downstream agents to weaken security controls in order to accomplish a task, undermining the purpose of the sandbox guard. In this context, guidance that recommends disabling sandboxing is security-relevant because it normalizes bypassing isolation rather than directing users to safer supported workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The code explicitly reads credentials from process environment variables and from a local ~/.codex/auth.json-style file as fallback login material, then uses them to authenticate a managed app server. Even if this is intended for convenience, it expands the credential trust boundary and enables silent use of secrets that may belong to the host environment rather than the current agent or user-approved profile.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The runtime option resolution defaults to an unsafe configuration when no explicit policy is provided: policy mode falls back to 'yolo', approvalPolicy to 'never', and sandbox to 'danger-full-access'. That creates a path for fully autonomous execution with broad filesystem access and no human approval, which is safety-critical even though the code does not itself show a UI warning mechanism.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
This code records messaging telemetry including message text, recipient/target identifiers, media URLs, and source reply payloads into a telemetry object whenever messaging tools are used. Even if intended for observability, it creates a privacy and data-minimization risk because sensitive user content and destinations may be retained, logged, or propagated without clear consent boundaries or redaction at this collection point.
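A data-minimizing alternative to the collection point this finding describes, as an added example that is not code from the OpenClaw Codex plugin: the telemetry record keeps the tool name, a masked recipient, the message length, whether the body carried a URL, and the media hosts, and drops the body, the URL paths and the reply payload entirely. The MessagingEvent and MessagingTelemetry shapes and the sample event are constructed for the example.

```typescript
// Added example (not code from the OpenClaw Codex plugin): redact messaging
// telemetry at the point of collection so that message bodies, recipients,
// media URLs and reply payloads never reach the telemetry object.
// The MessagingEvent shape below is assumed from the finding text.

interface MessagingEvent {
  tool: string;          // e.g. "send_message"
  target: string;        // recipient or channel identifier
  text: string;          // full message body
  mediaUrls?: string[];
  replyTo?: unknown;     // source reply payload, arbitrary shape
}

interface MessagingTelemetry {
  tool: string;
  targetKind: "email" | "phone" | "id";
  targetMasked: string;  // enough to correlate events, not to re-identify
  textLength: number;
  textHasUrl: boolean;
  mediaHosts: string[];  // host only: paths and query strings often carry tokens
  hadReplyPayload: boolean;
}

const MAX_TELEMETRY_RECIPIENT_CHARS = 4;

// Keep only the trailing characters of an identifier so a reviewer can
// correlate a series of events without seeing the full target.
function maskIdentifier(id: string): string {
  const tail = id.slice(-MAX_TELEMETRY_RECIPIENT_CHARS);
  return "*".repeat(Math.max(0, id.length - tail.length)) + tail;
}

function classifyTarget(target: string): MessagingTelemetry["targetKind"] {
  if (/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(target)) return "email";
  if (/^\+?\d[\d\s().-]{6,}$/.test(target)) return "phone";
  return "id";
}

// For e-mail addresses keep the domain (it answers "did we message an
// external domain?") and mask the local part; otherwise mask the whole id.
function maskTarget(target: string): string {
  if (classifyTarget(target) === "email") {
    const at = target.lastIndexOf("@");
    return maskIdentifier(target.slice(0, at)) + target.slice(at);
  }
  return maskIdentifier(target);
}

function hostOnly(url: string): string {
  try {
    return new URL(url).host;
  } catch {
    return "<unparseable>";
  }
}

function redactMessagingEvent(ev: MessagingEvent): MessagingTelemetry {
  return {
    tool: ev.tool,
    targetKind: classifyTarget(ev.target),
    targetMasked: maskTarget(ev.target),
    textLength: ev.text.length,
    textHasUrl: /https?:\/\//i.test(ev.text),
    mediaHosts: (ev.mediaUrls ?? []).map(hostOnly),
    hadReplyPayload: ev.replyTo !== undefined,
  };
}

// Constructed sample event (not real traffic).
const sampleEvent: MessagingEvent = {
  tool: "send_message",
  target: "alice.example@corp.example",
  text: "Here is the export: https://files.example/share/abc123?token=SECRET",
  mediaUrls: ["https://cdn.example/u/alice/report.pdf?sig=xyz"],
  replyTo: { id: "m-42", text: "can you send the report?" },
};

const sampleTelemetry = redactMessagingEvent(sampleEvent);
```

The point of doing this inside the tool hook rather than in a later log pipeline is that anything captured at the collection point can be retained or forwarded before a downstream filter ever sees it; serialised telemetry from this example contains neither the share token nor the recipient's local part.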

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The code reads OAuth tokens, refresh tokens, ID tokens, account identifiers, model metadata, and API keys from Codex state and prepares them for import. Even if intended for migration, handling secrets without strong user-facing disclosure and explicit consent is dangerous because it can silently expand credential exposure and trust boundaries across tools.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This code writes imported auth profiles and mutates runtime configuration to activate them, which can persist sensitive credentials and immediately change authentication behavior. Without a prominent warning and confirmation at the write point, a user may unknowingly store reusable secrets in a new environment or switch the agent to use imported credentials automatically.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The migration config builder enables allow_destructive_actions by default for migrated Codex plugins. This is dangerous because plugin capabilities may include state-changing operations against external services or local environments, and automatically enabling destructive behavior expands the blast radius of any plugin misuse, prompt injection, or operator misunderstanding.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The plugin activation policy is constructed with allowDestructiveActions: true unconditionally, meaning migrated plugins are authorized for destructive operations without contextual approval. In a plugin/migration context, this is especially risky because plugins may bridge to external apps and accounts, so accidental activation can have real-world side effects beyond the local system.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Questions marked isSecret only add a warning string: 'This channel may show your reply to other participants.' The handler still accepts normal queued channel messages as answers and converts them into responses without any stronger confirmation, alternate private path, or refusal, so users can easily disclose secrets in a shared channel.
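One way to enforce the isSecret flag instead of only prefixing a warning, as an added example that is not the plugin's own code: a secret prompt is routed to a channel only the asker and the agent can read, and an answer that arrives on a shared channel is refused without being forwarded and is reported as exposed, so the caller can tell the user to rotate whatever was posted. PendingQuestion, ChannelInfo, ChannelMessage, the agent identifier and the fixtures are assumptions made for the example.

```typescript
// Added example (not code from the OpenClaw Codex plugin): route and gate
// answers to questions flagged isSecret by channel visibility. All types
// and fixtures are assumptions drawn from the finding text.

interface PendingQuestion {
  id: string;
  askerId: string;     // user the question is addressed to
  channelId: string;   // channel the question was (or will be) posted in
  prompt: string;
  isSecret: boolean;
}

interface ChannelInfo {
  id: string;
  participantIds: string[];
}

interface ChannelMessage {
  channelId: string;
  senderId: string;
  text: string;
}

type AnswerDecision =
  | { kind: "accept"; questionId: string; answer: string }
  // A refusal carries no answer text, so nothing can echo the value back.
  | { kind: "refuse"; questionId: string; exposed: boolean; redirect: string }
  | { kind: "ignore"; reason: string };

// A channel counts as private when nobody but the asker and the agent can read it.
function channelIsPrivate(channel: ChannelInfo, askerId: string, agentId: string): boolean {
  return channel.participantIds.every((p) => p === askerId || p === agentId);
}

// Decide where a question may be posted. A secret prompt is never posted to a
// shared channel; it is re-targeted to the asker's private channel, or not
// asked at all when no private channel exists.
function routeQuestion(
  q: PendingQuestion,
  channel: ChannelInfo,
  agentId: string,
  privateChannelId: string | null,
): PendingQuestion | null {
  if (!q.isSecret || channelIsPrivate(channel, q.askerId, agentId)) return q;
  if (privateChannelId === null) return null;
  return { ...q, channelId: privateChannelId };
}

function handleAnswer(
  q: PendingQuestion,
  msg: ChannelMessage,
  channel: ChannelInfo,
  agentId: string,
): AnswerDecision {
  if (msg.channelId !== q.channelId || msg.senderId !== q.askerId) {
    return { kind: "ignore", reason: "not the asker answering on the question's channel" };
  }
  if (q.isSecret && !channelIsPrivate(channel, q.askerId, agentId)) {
    // The value has already been posted where others can read it: refuse to
    // consume it and tell the caller it must be treated as burned.
    return {
      kind: "refuse",
      questionId: q.id,
      exposed: true,
      redirect: "Answer in a direct channel with the agent; rotate the value you posted here.",
    };
  }
  return { kind: "accept", questionId: q.id, answer: msg.text };
}

// Constructed fixtures (not real channels, users or secrets).
const AGENT_ID = "agent-bot";
const sharedChannel: ChannelInfo = { id: "C-team", participantIds: ["u-alice", "u-bob", AGENT_ID] };
const directChannel: ChannelInfo = { id: "D-alice", participantIds: ["u-alice", AGENT_ID] };
const secretQuestion: PendingQuestion = {
  id: "q1", askerId: "u-alice", channelId: "C-team", prompt: "Paste the API token", isSecret: true,
};
```

Two details matter in practice: the refusal never carries the posted text, so a handler that renders decisions back into the channel cannot repeat the secret, and the exposed flag distinguishes "ask again privately" from "ask again privately and rotate", which is the right outcome once the value has been visible to other participants.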

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The module reads a local credential file containing an API key without any visible disclosure, prompt, or policy gate in this file. Silent access to credential-bearing files increases the risk of unintended secret use and makes it harder for users and reviewers to understand when host secrets are being consumed.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code resolves API keys, tokens, and refreshed OAuth credentials from auth-profile stores and uses them to build login parameters for the app server, but there is no visible disclosure or consent boundary here. This creates a risk that stored secrets are used automatically in contexts broader than the user expects.
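The three credential paths the findings above describe (the agent's own auth profile, process environment variables, and a ~/.codex/auth.json-style file) can be put behind an explicit allow-list so that host secrets are never consumed silently. This is an added example, not the plugin's implementation: the source names, the ResolverInputs shape, the assumption that the auth file carries an OPENAI_API_KEY field, and the sample values are all constructed for it. Material found in a source the operator did not allow is reported as skipped rather than used, and the log line carries provenance and a fingerprint instead of the key.

```typescript
// Added example (not code from the OpenClaw Codex plugin): resolve app-server
// login material only from sources the operator explicitly allowed, and report
// where material was present but not used. The source names, the auth-file
// shape ({"OPENAI_API_KEY": "..."}) and the fixtures are assumptions.

type CredentialSource = "profile" | "env" | "codex-auth-file";

interface Credential {
  source: CredentialSource;
  apiKey: string;
}

interface ResolverInputs {
  allowedSources: CredentialSource[];          // explicit opt-in; nothing falls back implicitly
  profileApiKey?: string;                      // the agent's own, user-approved profile
  env: Record<string, string | undefined>;     // process.env or a constructed stand-in
  readAuthFile: () => string | null;           // injected so the example never touches disk
}

interface Resolution {
  credential: Credential | null;
  skipped: CredentialSource[];   // material was available but the source was not allowed
}

// Precedence when several allowed sources hold material.
const SOURCE_ORDER: CredentialSource[] = ["profile", "env", "codex-auth-file"];

function fromAuthFile(contents: string | null): string | undefined {
  if (contents === null) return undefined;
  try {
    const parsed = JSON.parse(contents) as { OPENAI_API_KEY?: unknown };
    return typeof parsed.OPENAI_API_KEY === "string" ? parsed.OPENAI_API_KEY : undefined;
  } catch {
    return undefined;   // unreadable file is treated as "no material", never as an error to retry elsewhere
  }
}

function materialFor(source: CredentialSource, inputs: ResolverInputs): string | undefined {
  if (source === "profile") return inputs.profileApiKey;
  if (source === "env") return inputs.env.OPENAI_API_KEY;
  return fromAuthFile(inputs.readAuthFile());
}

function resolveCredential(inputs: ResolverInputs): Resolution {
  const skipped: CredentialSource[] = [];
  let credential: Credential | null = null;
  for (const source of SOURCE_ORDER) {
    const apiKey = materialFor(source, inputs);
    if (!apiKey) continue;
    if (!inputs.allowedSources.includes(source)) {
      skipped.push(source);   // surfaced to the operator instead of silently used
      continue;
    }
    if (credential === null) credential = { source, apiKey };
  }
  return { credential, skipped };
}

// Operator-facing line: provenance plus a fingerprint, never the secret itself.
function describeCredential(c: Credential): string {
  return `source=${c.source} key=${c.apiKey.slice(0, 3)}...${c.apiKey.slice(-4)}`;
}

// Constructed fixtures (not real secrets).
const hostEnv: Record<string, string | undefined> = { OPENAI_API_KEY: "sk-env-00000000abcd" };
const authFileContents = JSON.stringify({ OPENAI_API_KEY: "sk-file-0000000wxyz" });
```

With allowedSources restricted to the agent's profile, an operator whose shell happens to export OPENAI_API_KEY sees "skipped: env" rather than an app server that quietly authenticated with a host credential, which is exactly the boundary the finding says is missing.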

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The manifest sets codexPlugins.allow_destructive_actions to true by default, which weakens safety posture for native plugin operations that may perform writes or other destructive actions. In a plugin/harness configuration context, insecure defaults are dangerous because users may enable the feature without realizing destructive capabilities are pre-approved, increasing the chance of unintended file, system, or external-service modifications.
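The review list in the Overview (approvalPolicy, sandbox, codexPlugins.allow_destructive_actions) and the two defaults findings on this page (the 'yolo'/'never'/'danger-full-access' fallback and the manifest default above) can be checked mechanically before the plugin is enabled. The following is an added example, not code from the OpenClaw Codex plugin: it resolves a config to its effective options using the fallback the finding describes, records which keys were filled in by default, and flags every setting that grants unattended local execution, next to a hardened baseline. The config shape and the 'guardian'/'yolo' mode names are assumptions taken from this page's wording; the approval and sandbox value names are the Codex CLI's own. appServer.mode is left out because the page gives no value set for it.

```typescript
// Added example (not code from the OpenClaw Codex plugin): compute the
// effective harness settings with the permissive fallbacks the findings
// describe, then report each setting that grants unattended execution.
// Config shape and the "guardian"/"yolo" mode names are assumptions.

type ApprovalPolicy = "untrusted" | "on-failure" | "on-request" | "never";
type SandboxMode = "read-only" | "workspace-write" | "danger-full-access";

interface CodexHarnessConfig {
  policyMode?: string;
  approvalPolicy?: ApprovalPolicy;
  sandbox?: SandboxMode;
  codexPlugins?: { allow_destructive_actions?: boolean };
}

interface EffectiveOptions {
  policyMode: string;
  approvalPolicy: ApprovalPolicy;
  sandbox: SandboxMode;
  allowDestructiveActions: boolean;
  defaulted: string[];   // keys filled in by fallback rather than set explicitly
}

// Models the fallback the finding reports: every unset key resolves to the
// most permissive value, so an empty config is the most dangerous one.
function resolveEffective(cfg: CodexHarnessConfig): EffectiveOptions {
  const defaulted: string[] = [];
  const pick = <T>(key: string, value: T | undefined, fallback: T): T => {
    if (value === undefined) {
      defaulted.push(key);
      return fallback;
    }
    return value;
  };
  return {
    policyMode: pick("policyMode", cfg.policyMode, "yolo"),
    approvalPolicy: pick("approvalPolicy", cfg.approvalPolicy, "never"),
    sandbox: pick("sandbox", cfg.sandbox, "danger-full-access"),
    allowDestructiveActions: pick(
      "codexPlugins.allow_destructive_actions",
      cfg.codexPlugins?.allow_destructive_actions,
      true,
    ),
    defaulted,
  };
}

interface AuditIssue {
  key: string;
  value: string;
  why: string;
}

function auditEffective(opts: EffectiveOptions): AuditIssue[] {
  const issues: AuditIssue[] = [];
  const flag = (key: string, value: string, why: string): void => {
    // Mark defaults separately: a value nobody wrote down is the one operators miss.
    issues.push({ key, value: opts.defaulted.includes(key) ? `${value} (by default)` : value, why });
  };
  if (opts.policyMode === "yolo") flag("policyMode", opts.policyMode, "no guardian scoping of what the session may do");
  if (opts.approvalPolicy === "never") flag("approvalPolicy", opts.approvalPolicy, "commands run with no human approval");
  if (opts.sandbox === "danger-full-access") flag("sandbox", opts.sandbox, "no sandbox: broad filesystem access");
  if (opts.allowDestructiveActions) flag("codexPlugins.allow_destructive_actions", "true", "native plugins pre-approved for state-changing operations");
  return issues;
}

function auditConfig(cfg: CodexHarnessConfig): AuditIssue[] {
  return auditEffective(resolveEffective(cfg));
}

// A baseline that keeps the plugin usable without full local autonomy.
const hardenedConfig: CodexHarnessConfig = {
  policyMode: "guardian",
  approvalPolicy: "on-request",
  sandbox: "workspace-write",
  codexPlugins: { allow_destructive_actions: false },
};
```

Run auditConfig over the config you intend to ship, not over the one you think you wrote: with this fallback model an empty object produces four findings, all tagged "(by default)", which is the situation the Overview's review advice is meant to catch.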

VirusTotal

61/61 vendors flagged this plugin as clean.