[Bug]: v2026.4.26 ships `coding-agent` skill + `codex` provider with `openai/gpt-5.5` as silent default — breaks stacks without OpenAI configured

[LaFleurAdvertising]

Bug

Upgrading to OpenClaw 2026.4.26 (verified node[…]: 2026.4.26) on a stack that never had OpenAI configured introduces:

1. A codex provider in the agent's models.json catalog with gpt-5.5, gpt-5.4-mini, gpt-5.2
2. A new bundled skill coding-agent (eligible by default because claude, codex, opencode, pi are on PATH) that delegates to Codex unless explicitly disabled
3. A model-fallback/decision runtime that attempts openai/gpt-5.5 as a candidate

Result on a stack with no OPENAI_API_KEY:

[diagnostic] lane task error: error="No API key found for provider \"openai\". Auth store: …/auth-profiles.json (agentDir: …). Configure auth for this agent (openclaw agents add <id>) or copy auth-profiles.json from the main agentDir."
[model-fallback/decision] requested=openai/gpt-5.5 candidate=openai/gpt-5.5 reason=auth next=none
Embedded agent failed before reply: No API key found for provider "openai".

Every chat lane fails before reply with no obvious upgrade-time prompt that an OpenAI key is now required.

Stack details (no OpenAI ever configured)

• models.json providers in use: deepseek, anthropic, ollama (all keys configured)
• Agents.defaults.model.primary: deepseek/deepseek-v4-flash
• Agents.defaults.model.fallbacks: deepseek/deepseek-v4-pro, ollama/qwen3.6:27b-heretic
• No auth-profiles.json for OpenAI; user has stated repeatedly they do not use ChatGPT/Codex.

Expected

• Bundled coding-agent / codex provider should NOT be enabled by default on agents that have never configured an OpenAI auth profile.
• If a user has a primary + fallbacks chain that routes to non-OpenAI providers, the runtime should not synthesize an openai/gpt-5.5 candidate.
• Upgrade flow should warn ("This release adds a Codex coding-agent skill — needs OpenAI auth to use") and require explicit enable.

Workaround (what fixed it)

# 1. Strip codex provider from agent models.json
python3 -c "import json; p='~/.openclaw/agents/main/agent/models.json'; ..." # remove 'codex' provider key

# 2. Remove openai/* from huggingface catalog
# (3 entries: openai/gpt-oss-120b, openai/gpt-oss-20b, openai/gpt-oss-safeguard-20b)

# 3. Disable coding-agent skill (per docs at /tools/skills-config)
#    Set skills.entries.coding-agent.enabled = false in BOTH ~/.openclaw/openclaw.json
#    AND $OPENCLAW_STATE_DIR/openclaw.json

# 4. Restart gateway
openclaw gateway restart

After this, openclaw skills check shows Disabled: 1 and the auth-failure spam stops.

Reproducibility

100% on any v2026.4.26 install where the user does not have an OpenAI key.

Related

• Control UI device token mismatch loop after scope upgrade causes rate-limit lockout #71609 (device_token_mismatch rate-limit loop) — adjacent, also occurred in same session but separate root cause
• [Bug]: openai-codex/gpt-5.5 hangs silently on 2026.4.25 — no tokens streamed, no error logged, legacy OAuth path #72966 ([Bug] openai-codex/gpt-5.5 hangs silently on 2026.4.25) — that issue is about Codex usage failing when invoked; this issue is about Codex being enabled silently as default even when the user has no OpenAI

Suggestion

Either (a) gate the coding-agent skill behind explicit OpenAI auth presence, (b) make Codex one peer of many in the routing decision rather than the default, or (c) require an opt-in flag during upgrade.

[Sanjays2402]

Quick triage from a code read on main (no patch yet — flagging where the moving parts live so a maintainer can pick the right knob):

1. coding-agent skill eligibility — skills/coding-agent/SKILL.md declares:

requires: { anyBins: ["claude", "codex", "opencode", "pi"] }

Eligibility is evaluated in src/shared/requirements.ts (resolveMissingAnyBins) — it's bin‑only, there's no auth check. So as soon as any of those CLIs is on PATH the skill is eligible, even on a stack with no OpenAI/Anthropic auth. The skill itself then tends to prefer Codex.

Options:

• Extend RequirementsMetadata with an anyEnv (or auth) field and gate the skill behind OPENAI_API_KEY | ANTHROPIC_API_KEY | ….
• Or, narrower fix: split the skill into per‑backend variants each with their own concrete bins + env requirements.

2. Codex provider added to models.json — src/plugins/provider-model-defaults.ts exports OPENAI_DEFAULT_MODEL = "openai/gpt-5.5" and applyOpenAIConfig / applyOpenAIProviderConfig. Worth checking what calls these on upgrade — they unconditionally insert gpt-5.5 into agents.defaults.models and overwrite agents.defaults.model.primary. If that's running for users without OpenAI auth, that's the silent‑default vector.

3. [model-fallback/decision] requested=openai/gpt-5.5 — comes from src/agents/model-fallback-observation.ts. The candidate list is built in src/agents/model-fallback.ts (addExplicitCandidate / addAllowlistedCandidate). Need to trace why openai/gpt-5.5 ends up in the candidate list when the user's primary + fallbacks are all DeepSeek/Ollama — likely a hardcoded default candidate or an allowlist seed somewhere upstream of fallback resolution.

Workaround validated — disabling coding-agent skill + stripping the codex provider from models.json does stop the auth‑failure spam, matching the reporter's notes.

Happy to send a PR once a maintainer signals which of the three layers they'd prefer the gate at.

[steipete]

Fixed on main in 169dba2042.

What changed:

• The bundled coding-agent skill now requires explicit config opt-in via skills.entries.coding-agent.enabled in addition to one available backend binary. A codex binary on PATH no longer makes the skill eligible by itself: skills/coding-agent/SKILL.md.
• The skills docs now call out that coding-agent is opt-in and should only be enabled after the operator has an authenticated backend CLI: docs/tools/skills.md.
• Added a regression that loads the real bundled coding-agent metadata and proves it stays ineligible with remote codex available until skills.entries.coding-agent.enabled: true is set: src/agents/skills.buildworkspaceskillstatus.test.ts.
• Added the changelog entry with reporter/triage credit: CHANGELOG.md.

Validation:

pnpm exec oxfmt --check --threads=1 src/agents/skills.buildworkspaceskillstatus.test.ts
pnpm test src/agents/skills.buildworkspaceskillstatus.test.ts
blacksmith testbox run --id tbx_01kq9jx8zyyh3xswps7h3h4n5w "pnpm check:changed"

pnpm check:changed selected coreTests, docs and passed after rebasing onto current origin/main.