cpa-codex-auth-sweep-cliproxy_skill

This skill securely retrieves Codex auth files via CLI Proxy API and performs high-concurrency probe scans to identify expired credentials.
  • Python

2.6k

GitHub Stars

3

Bundled Files

2 months ago

Catalog Refreshed

3 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill cpa-codex-auth-sweep-cliproxy

  • _meta.json490 B
  • README.md3.2 KB
  • SKILL.md3.9 KB

Overview

This skill fetches Codex authentication files from a CLI Proxy Management API and performs high-concurrency health probes to detect expired or invalid Codex credentials. It classifies credentials (OK / 401 / quota-exhausted / error) and can remove 401 entries only after explicit user confirmation. Security controls and required inputs are enforced before any scanning or deletion runs.

How this skill works

The skill calls the management auth-files endpoint to list stored Codex auth entries, then issues management-api-call probes using each entry’s token (Authorization: Bearer $TOKEN$) against a configurable Codex probe URL. Results are classified by HTTP response and management-side metadata; 401 responses and weekly-quota-zero are reported. Deletion of 401 entries is performed through the management delete endpoint only when the user explicitly requests cleanup.

When to use it

  • Audit and inventory Codex credentials stored in a CLI proxy before troubleshooting
  • Identify and remove stale/401 Codex credentials after user consent
  • Detect weekly-quota exhausted credentials to address rate-limit issues
  • Run routine hygiene scans in environments that manage many agent tokens
  • Validate a migration or rotation of management keys by comparing probe results

Best practices

  • Always provide base_url and management_key before running the scanner; the tool will refuse to start without them
  • Keep default probe host whitelist (https://chatgpt.com) unless you explicitly allow unsafe hosts with --allow-unsafe-probe-host
  • Do not use --insecure by default; only allow --insecure + --allow-insecure-tls for trusted internal troubleshooting
  • Run scans in read-only mode first; use --delete-401 only when you intend to remove invalid entries and pass --yes to confirm
  • Limit concurrency (SCAN_WORKERS) on fragile networks or management servers to reduce load

Example use cases

  • Scan a CLI Proxy inventory to produce a summary (total / ok / 401 / exceeded / error) for an operations report
  • Find and optionally delete credentials that return HTTP 401 after credential rotation
  • Detect accounts that have weekly quota exhausted so you can contact owners or adjust limits
  • Verify the effectiveness of a credential rotation by re-scanning and ensuring old tokens report 401 or are removed
  • Perform targeted scans during onboarding or offboarding to ensure no orphaned Codex tokens remain

FAQ

You must provide base_url (CLI Proxy management address) and management_key; the scanner will not run without both.

Can probes send real tokens to arbitrary hosts?

Yes — probes forward the real token to the probe host. By default only https://chatgpt.com is allowed; using other hosts requires explicit user consent and --allow-unsafe-probe-host.

Will the tool delete credentials automatically?

No. Deletion of 401 entries only occurs when you pass --delete-401 and explicitly confirm (e.g., --yes). Scans default to read-only.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational