Codex Plugin for Claude Code — Adoption & Skills Strategy

Background

On March 30, 2026, OpenAI released codex-plugin-cc — an official plugin that embeds OpenAI's Codex coding assistant directly inside Claude Code. This is the first official cross-vendor AI coding tool integration. It's open-source (Apache 2.0) and works with any ChatGPT subscription (including free tier) or OpenAI API key.

Claude Code also now has a full plugin system supporting skills, agents, hooks, MCP servers, and LSP servers — with a marketplace for distribution.

This document evaluates both the Codex plugin specifically and the broader Claude Code plugin ecosystem for SecurityV0's multi-agent development workflow.


Part 1: The Codex Plugin

What It Does

The plugin adds six slash commands inside Claude Code:

Command | Purpose | Mode
/codex:review | Standard code review of uncommitted changes or branch diff | Read-only
/codex:adversarial-review | Steerable challenge review — questions design decisions, tradeoffs, failure modes | Read-only
/codex:rescue | Delegates a task to Codex as a subagent (bug investigation, fixes, second passes) | Read-write
/codex:status | Check progress on background Codex jobs | Info
/codex:result | Get final output from a completed Codex job | Info
/codex:cancel | Cancel an active background Codex job | Control

There's also an optional review gate (/codex:setup --enable-review-gate) that runs a Codex review on every Claude response before it finalizes — blocking completion if issues are found. OpenAI warns this can create long-running loops and drain usage.

How It Works Technically

  • Wraps the local codex CLI binary (not a separate runtime)
  • Uses your existing Codex authentication and config (~/.codex/config.toml)
  • Delegates through the Codex app server
  • Supports background execution — reviews happen in parallel
  • Can resume Codex sessions with codex resume <session-id>

Installation

# Inside Claude Code:
/plugin marketplace add openai/codex-plugin-cc
/plugin install codex@openai-codex
/reload-plugins
/codex:setup

# If Codex isn't installed:
npm install -g @openai/codex
!codex login

Relevance to SecurityV0

High value for code review. We already have a self-review step in SOUL.md where worker bots spawn a sub-agent to review changes before creating PRs. The Codex plugin gives us a second, independent model's perspective without any custom infrastructure.

Use cases for us:

  1. Cross-model code review — Run /codex:adversarial-review before submitting PRs. Gets a fundamentally different model (GPT-5.4) challenging assumptions Claude made.
  2. Security-focused adversarial review: /codex:adversarial-review look for auth bypass, injection vectors, and race conditions — directly relevant to a security product.
  3. Rescue/delegation — When Claude is stuck on a problem, /codex:rescue hands it to a different model for a fresh perspective.
  4. Pre-merge gate — Blue could use /codex:review --base main during PR review for a second opinion.

Limitations for us:

  • Our bots run via OpenClaw (Telegram → agent), not interactive Claude Code CLI sessions. The plugin's slash commands are designed for interactive use.
  • We'd need to either: (a) create an OpenClaw skill that wraps the Codex CLI directly, or (b) use this only for human-driven development sessions.
  • Requires a ChatGPT subscription or OpenAI API key per machine.
  • Usage counts against Codex limits.

Part 2: Claude Code Plugin System

Architecture

Claude Code plugins are self-contained directories with this structure:

my-plugin/
├── .claude-plugin/
│   └── plugin.json          # Manifest: name, description, version
├── skills/                  # SKILL.md files (model-invoked)
│   └── my-skill/
│       └── SKILL.md
├── agents/                  # Subagent definitions
│   └── my-agent.md
├── hooks/
│   └── hooks.json           # Event handlers (PostToolUse, Stop, etc.)
├── .mcp.json                # MCP server configs
├── .lsp.json                # LSP server configs
├── bin/                     # Executables added to PATH
└── settings.json            # Default settings when plugin is enabled

Key Capabilities

Skills — Markdown-driven instructions that Claude invokes automatically based on context. Supports $ARGUMENTS placeholder. Namespaced per plugin (/plugin-name:skill-name).

Agents — Specialized subagents with custom system prompts, model selection, tool restrictions, and turn limits. Can run in isolation (worktree).

Hooks — Event handlers that fire on 20+ lifecycle events: PostToolUse, Stop, PreToolUse, SessionStart, FileChanged, PreCompact, etc. Four hook types: command (shell), http (webhook), prompt (LLM eval), agent (agentic verifier).

MCP Servers — Bundle MCP tool servers that auto-start when the plugin is active.

LSP Servers — Language server integration for real-time diagnostics.

Distribution — Via marketplace (/plugin marketplace add <org>/<repo>) or --plugin-dir for local testing.


Plugin 1: sv0-research — Research Workflow Plugin

Purpose: Standardize and improve the research process across all bots.

Components:

sv0-research/
├── .claude-plugin/plugin.json
├── skills/
│   ├── deep-research/
│   │   └── SKILL.md                # Structured research with source collection
│   ├── research-review/
│   │   └── SKILL.md                # Review a research doc for completeness
│   └── research-template/
│       └── SKILL.md                # Generate frontmatter-compliant research doc
├── agents/
│   ├── adversarial-reviewer.md     # Challenge research conclusions
│   └── fact-checker.md             # Verify claims against sources
└── hooks/
    └── hooks.json                  # Auto-validate frontmatter on research PRs

Skills detail:

  • /sv0-research:deep-research <topic> — Conducts structured web research, collects sources, synthesizes findings into our standard research doc format with proper frontmatter, lifecycle status, and Next Action section.
  • /sv0-research:research-review — Reviews a research doc for completeness: checks frontmatter, validates sources, flags unsupported claims, checks for missing perspectives.
  • /sv0-research:research-template <topic> — Generates a skeleton research doc with correct frontmatter and section structure.

Agents:

  • adversarial-reviewer — Takes a research doc and systematically challenges its conclusions. Different model (e.g., gpt-5.4 via Codex or a different Claude model) for genuine diversity of thought.
  • fact-checker — Verifies specific claims by re-searching sources, checking if citations actually support the stated conclusions.

Hooks:

  • PreToolUse on Write/Edit for docs/architecture/research/ → validate frontmatter schema
  • Stop → if the conversation produced a research doc, remind to update PLAN-TRACKER.md
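
A sketch of the PreToolUse frontmatter check from the Hooks list above, as an added example rather than SecurityV0's or Anthropic's code. It assumes a command hook that receives the tool event as JSON on stdin and blocks the call by exiting with code 2; the required fields and the status values other than research-complete are a constructed schema, and only the Write tool is covered (an Edit would need its replacement applied to the on-disk file first).

```python
import json
import os
import re
import sys

RESEARCH_DIR = "docs/architecture/research"              # path named on the page
REQUIRED = {"title", "status", "owner"}                  # assumed schema, not from the page
STATUSES = {"draft", "in-review", "research-complete"}   # assumed lifecycle values

def in_research_dir(file_path, repo_root):
    """True only if the resolved path sits under the research directory."""
    base = os.path.realpath(os.path.join(repo_root, RESEARCH_DIR))
    target = os.path.realpath(os.path.join(repo_root, file_path))
    # commonpath compares whole components, so "research-old/" does not match
    return os.path.commonpath([base, target]) == base

def frontmatter_errors(text):
    """Return a list of problems with the leading '---' frontmatter block."""
    m = re.match(r"\A---\n(.*?)\n---\n", text, re.DOTALL)
    if not m:
        return ["missing frontmatter block"]
    fields = dict(
        (k.strip(), v.strip())
        for k, _, v in (ln.partition(":") for ln in m.group(1).splitlines())
        if k.strip()
    )
    errors = [f"missing field: {f}" for f in sorted(REQUIRED - set(fields))]
    if "status" in fields and fields["status"] not in STATUSES:
        errors.append(f"invalid status: {fields['status']}")
    return errors

def decide(event, repo_root="."):
    """Map one PreToolUse event to (exit_code, message); exit code 2 blocks the write."""
    tool_input = event.get("tool_input", {})
    path = tool_input.get("file_path", "")
    if event.get("tool_name") != "Write" or not path.endswith(".md"):
        return 0, ""
    if not in_research_dir(path, repo_root):
        return 0, ""
    errors = frontmatter_errors(tool_input.get("content", ""))
    return (2, "; ".join(errors)) if errors else (0, "")

if __name__ == "__main__":
    root = os.environ.get("CLAUDE_PROJECT_DIR", ".")
    code, msg = decide(json.load(sys.stdin), root)
    if msg:
        print(msg, file=sys.stderr)   # stderr is what the agent sees on a block
    sys.exit(code)
```

Resolving the path before the directory check keeps a `..` segment or a look-alike sibling directory from changing which files are validated.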

Plugin 2: sv0-security-review — Security Code Review Plugin

Purpose: Automated security review for all PRs in sv0-platform.

Components:

sv0-security-review/
├── .claude-plugin/plugin.json
├── skills/
│   ├── security-audit/
│   │   └── SKILL.md            # OWASP-focused code review
│   └── threat-model/
│       └── SKILL.md            # Generate threat model for a feature
├── agents/
│   └── security-auditor.md     # Specialized security review agent
└── hooks/
    └── hooks.json              # Auto-review on pre-commit

Why this matters: We're a security product. Our own code review should be best-in-class. The Codex adversarial review is good for general code quality; this plugin adds domain-specific security knowledge.

Plugin 3: sv0-codex-bridge — Codex Integration for OpenClaw Bots

Superseded by ACP runtime. Part 6 describes how ACP-spawned Claude Code sessions have native access to the Codex plugin, eliminating the need for a separate bridge. This plugin proposal is retained for historical context only.

Original purpose: Wrap Codex CLI calls so our OpenClaw-powered bots can use Codex for reviews without needing interactive Claude Code sessions.

Skills:

  • /sv0-codex-bridge:review — Runs codex CLI in non-interactive mode, captures output, formats it as a review comment.
  • /sv0-codex-bridge:adversarial — Same but with adversarial review prompting.

Implementation approach:

# The skill would shell out to:
codex --non-interactive --task "Review the diff..." --model gpt-5.4

This bridges the gap between the interactive plugin world and our headless bot workflow.

Plugin 4: sv0-docs — Documentation Standards Plugin

Purpose: Enforce our documentation standards across all repos.

Hooks:

  • PostToolUse on Write/Edit for *.md → validate frontmatter, check for broken links
  • Stop → if docs were modified, remind to update related index files

Skills:

  • /sv0-docs:adr <topic> — Generate an Architecture Decision Record in our format
  • /sv0-docs:runbook <topic> — Generate a runbook in our format

Part 4: Implementation Plan

Phase 1: Quick Wins (This Week)

  1. Install Codex plugin on Ivan's local Claude Code for manual code review sessions
  2. Test adversarial review on the JWT PR (#271) as a proof of concept
  3. Create sv0-research plugin skeleton — start with just the research template skill

Phase 2: Bot Integration (Next Sprint)

  1. Test ACP runtime — validate that ACP-spawned sessions load plugins and can invoke Codex natively (replaces the original sv0-codex-bridge proposal — see Part 6)
  2. Update SOUL.md self-review step — add Codex adversarial review as step 2b (after the existing GPT sub-agent review)
  3. Add Codex to Blue's PR review workflow — Blue runs /codex:review --base main as part of every PR review

Phase 3: Full Plugin Ecosystem (2-4 Weeks)

  1. Build sv0-security-review plugin — security-specific code review
  2. Build sv0-docs plugin — documentation standards enforcement
  3. Set up plugin marketplace — host our plugins in a sv0-plugins repo for team distribution
  4. Add LSP plugins — TypeScript LSP for sv0-platform, Python LSP for sv0-connectors

Phase 4: Research Process Improvement

  1. Complete sv0-research plugin — all skills, agents, and hooks
  2. Create research review gate — every research PR gets an adversarial review before merge
  3. Build fact-checker agent — automated source verification
  4. Integrate with PLAN-TRACKER — auto-update tracker when research status changes

Part 5: Impact on Research Process

Current Process

  1. Task assigned (manual or via bot)
  2. Bot/human does web research
  3. Writes a markdown doc in docs/architecture/research/
  4. Creates PR
  5. Blue reviews (mostly structure/formatting)
  6. Merged
  7. Document sits until someone reads it

Improved Process with Plugins

  1. Task assigned
  2. /sv0-research:deep-research <topic> — structured research with source tracking
  3. fact-checker agent verifies claims against sources
  4. adversarial-reviewer agent challenges conclusions (different model for genuine diversity)
  5. /codex:adversarial-review provides a third perspective on any code/architecture proposals
  6. Hooks auto-validate frontmatter and remind about PLAN-TRACKER
  7. PR created with all reviews already done
  8. Blue reviews (now has 2-3 pre-reviews to reference)
  9. Merged with higher confidence
  10. Hooks track status changes → PLAN-TRACKER stays current

Key Improvements

Aspect | Before | After
Source verification | Trust the agent | Fact-checker agent re-verifies
Perspective diversity | Single model | Multi-model (Claude + Codex adversarial)
Frontmatter compliance | Manual review | Automated hook validation
Research tracking | Manual PLAN-TRACKER updates | Hook-driven automation
Security review depth | General code review | Domain-specific security audit
Research template consistency | Copy-paste from examples | /sv0-research:research-template generates it

Cost & Requirements

Item | Cost | Notes
ChatGPT subscription (for Codex) | $20/mo (Plus) or $200/mo (Pro) | Pro recommended for heavy use; Plus for evaluation
OpenAI API key (alternative) | Pay-per-use | More predictable for bot usage
Claude Code plugins | $0 | Built-in feature
Plugin development | Engineering time | 2-3 days per plugin
Maintenance | Low | Plugins are just markdown + config

Risks

Risk | Impact | Mitigation
Codex usage limits hit during heavy review | Reviews blocked | Monitor usage, use API key with budget for bots
Review gate creates infinite loops | Agent stuck, usage drained | Never enable review gate in automated workflows
Plugin ecosystem changes rapidly | Breaking changes | Pin plugin versions, test before updating
Multi-model review disagreements | Confusion about which feedback to follow | Claude (primary) decides; Codex feedback is advisory
OpenAI sees our code via Codex | IP exposure | BLOCKER: Must review OpenAI Codex data usage terms before adoption. Verify: (1) whether code sent to Codex can be used for training, (2) data retention policies, (3) compliance with customer expectations for a security product vendor.
ACP requires non-sandboxed bot execution | All plugins/hooks/Codex run with full host access — violates least privilege | Investigate container-level isolation or ACP permission scoping before Phase 2

Part 6: OpenClaw + Claude Code Architecture (ACP Runtime)

The Auth Problem

OpenClaw currently connects to Anthropic's API directly (the "subagent" runtime). If this auth path breaks or is deprecated, bots lose their ability to run.

The Solution: ACP Runtime

OpenClaw supports a second runtime mode: runtime: "acp" — which spawns a native Claude Code CLI session instead of calling the Anthropic API directly.

┌─────────────┐    ACP     ┌──────────────┐    Claude Auth    ┌──────────────┐
│  OpenClaw   │ ─────────> │ Claude Code  │ ───────────────>  │  Anthropic   │
│ (orchestr)  │            │ CLI (local)  │                   │     API      │
└─────────────┘            └──────────────┘                   └──────────────┘
       │                           │
       │ Telegram, cron,           │ Plugins, hooks,
       │ cross-agent msg,          │ Codex, LSP,
       │ session mgmt              │ MCP servers

Key difference: ACP uses Claude Code's own authentication (claude login — tied to the user's Anthropic account), not OpenClaw's API key. If OpenClaw's Anthropic API auth breaks but Claude Code CLI auth still works, bots continue running.

What Each Layer Handles

ResponsibilityOpenClawClaude Code (ACP)
Telegram integration
Cron jobs & scheduling
Cross-agent messaging
Session management
AI model execution
Plugin system
Codex integration
Hooks (pre/post tool)
LSP (code intelligence)
MCP serversPartial

Impact on Plugin Strategy

With ACP runtime, the plugins proposed in this document work natively — no bridges needed:

  • sv0-codex-bridge: no longer needed. Codex plugin works directly in Claude Code sessions spawned via ACP.
  • sv0-research — works as a Claude Code plugin, available to all bot sessions
  • sv0-security-review — hooks and agents run natively
  • sv0-docs — hooks fire on file writes within the session

Migration Path

Step | Action | Effort
1 | Test ACP spawning on Mac Mini (sessions_spawn with runtime: "acp") | 30 min
2 | Verify Claude Code auth works independently (claude login) | 5 min
3 | Test plugin loading in ACP sessions (do plugins persist?) | 1 hour
4 | Port critical OpenClaw skills to Claude Code plugins | 2-3 days
5 | Switch bot runtime from "subagent" to "acp" | 1 day
6 | Validate Telegram ↔ ACP bot flow end-to-end | 1 day

Open Questions

  1. Do Claude Code plugins load in ACP-spawned sessions? Need to test — plugins might only load in interactive CLI sessions.
  2. Session persistence: ACP sessions can be mode: "run" (one-shot) or mode: "session" (persistent). Do plugins survive across turns in persistent sessions?
  3. Cost model: ACP uses the user's Claude subscription/credits, not a separate API key. Need to understand rate limits for multi-bot usage.
  4. Sandbox constraints: ACP spawning is blocked from sandboxed sessions (tested — got forbidden). Bots need to run non-sandboxed or the ACP spawn needs host access.

Next Action

Status: research-complete
Decision needed from: Ivan (founder)
Options:

  1. Adopt Phase 1 + ACP Migration — Install Codex plugin, test ACP runtime on Mac Mini, validate plugins work in ACP sessions. Immediate value + future-proofing. (~2-3 days)
  2. Adopt Full Plan — Phase 1 + build the full plugin ecosystem (sv0-research, sv0-security-review, sv0-docs) + migrate all bots to ACP runtime. (~2-4 weeks)
  3. Defer — Evaluate again after Q2 when the plugin ecosystem is more mature.
  4. Reject — Stay with current workflow, skip Codex integration.

Recommended: Option 1 — Test ACP runtime viability immediately (this is urgent if OpenClaw auth is at risk), install Codex for manual use, then build plugins incrementally.

GitHub Issue: Not yet created


-- Echo (sv0-echo)