Is codex-quota safe?

https://clawhub.ai/odrobnik/codex-quota

62
CAUTION

This skill is a legitimate Codex quota checker, but its --all mode presents significant security concerns: it overwrites authentication credentials on disk (with fragile restoration), exercises all stored account credentials via subprocess calls, and writes aggregated results to a world-readable /tmp path. The skill contains no prompt injection or traditional malware patterns, but the credential manipulation and information exposure warrant caution.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (8)

HIGH Auth credential overwrite via shutil.copy -30

The update_all_accounts() function overwrites ~/.codex/auth.json with each saved account's credentials using shutil.copy(). Restoration is best-effort in a bare except:pass block. A crash, signal, or timeout between overwrite and restore leaves the user authenticated as the wrong account. This is a destructive operation on a sensitive credential file.

HIGH Reads and exercises all stored Codex account credentials -35

With the --all --yes flags, the skill enumerates every file in ~/.codex/accounts/, copies each to auth.json, and makes an API call via 'codex exec' to validate the credential. This exercises every stored credential and aggregates account data to a world-readable /tmp file.

MEDIUM Aggregated account data written to world-readable /tmp path -20

Results from all account queries are written to /tmp/codex-quota-all.json with default permissions (typically 644). Any process or user on the system can read this file, which contains per-account usage data and timestamps.

MEDIUM Subprocess invocation with --skip-git-repo-check bypass -15

The ping_codex() function runs subprocess.run(['codex', 'exec', '--skip-git-repo-check', 'reply OK']) which explicitly bypasses the Codex CLI's git repository safety check. While the specific command is benign, this flag bypass is a concerning pattern.

MEDIUM Subprocess inherits full environment -15

The subprocess.run() call does not restrict env, PATH, or other environment variables. If the PATH is manipulated by another skill, a malicious 'codex' binary could be invoked instead of the legitimate one.

LOW Clone phase accessed .env and .aws/credentials -15

During the install phase, filesystem monitoring recorded reads of /home/oc-exec/.env and /home/oc-exec/.aws/credentials. These appear to be from the OpenClaw runtime rather than the skill itself, but the access pattern is noted.

INFO Clean SKILL.md with no injection patterns -5

SKILL.md contains only standard usage documentation. No hidden unicode, HTML comments, persona manipulation, or instruction override attempts detected.

INFO Cross-skill attack surface via /tmp file -10

The predictable /tmp/codex-quota-all.json path creates a cross-skill information disclosure vector. A malicious skill running concurrently could monitor or read this file to learn about the user's account inventory and usage patterns.