Is cecwxf/openai-codex-operator safe?

https://github.com/openclaw/skills/tree/main/skills/cecwxf/openai-codex-operator

89
SAFE

The openai-codex-operator skill is a straightforward, well-documented wrapper for running OpenAI Codex CLI through the OpenClaw exec primitive. The SKILL.md contains no prompt injection patterns, override instructions, or exfiltration vectors, and all canary honeypot files remain intact. The primary risk is inherent to the skill's purpose—delegating powerful code-execution to Codex in user-specified directories—which is the advertised functionality rather than a covert capability.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 83/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (4)

INFO Canary file accesses are monitoring-system baseline reads, not skill-driven 0

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials accessed before and after install in tight clusters consistent with the canary validation routines. The canary integrity check confirms all files are intact. The skill contains no code capable of reading these paths.

LOW Shell script passes task string to codex exec without sanitization -10

run-codex-example.sh passes $TASK as a quoted argument to codex exec. While shell quoting prevents word-splitting, a crafted task string could still influence Codex's behavior. This is an inherent risk of any AI-delegating script rather than a defect specific to this skill.

LOW openclaw-gateway establishes new outbound TLS connections after install -5

The openclaw-gateway process opens new ESTAB connections to AWS and Cloudflare endpoints post-install. This is attributable to the OpenClaw platform lifecycle (the gateway was already running and connected to its backend), not to the skill content.

MEDIUM Skill grants broad code-execution delegation via Codex CLI -15

The skill's core purpose is to instruct OpenClaw to run codex exec <task> in arbitrary workdirs, with foreground and background modes. While legitimate, this creates a surface where a malicious task prompt could cause Codex to modify, exfiltrate, or execute code in the target repository. The skill provides minimal structural mitigations against prompt injection into the task string.