Skillv1.0.0

ClawScan security

reinstall-openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 16, 2026, 3:24 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, required binaries, and operations align with its stated purpose of backing up, uninstalling, and reinstalling OpenClaw; nothing requested appears unrelated or covert, though the procedures themselves are powerful and require care.
Guidance: This skill is coherent for reinstalling OpenClaw, but the steps are high-impact: they remove and restore local config and credentials and invoke sudo/npm global installs. Before running anything: (1) verify that the backup directory was created and contains the expected files (openclaw.json, credentials/, memory DB, skills/), (2) store backups in a secure location and consider encrypting them, (3) inspect backup contents for sensitive tokens and rotate any API/gateway tokens after reinstall if you suspect exposure, (4) avoid blindly running rm -rf or sudo commands — run steps interactively and confirm paths, and (5) ensure you install the official openclaw package from the registry (verify package name/version/checksums if available). Note: the skill metadata lists wsl as a required binary; that is only relevant for Windows users — macOS/Linux users will not have wsl and can still follow the instructions. If anything in the instructions looks surprising, stop and review before executing.

Purpose & Capability: okThe skill claims to backup/restore OpenClaw and its instructions operate on ~/.openclaw, run npx openclaw commands, and handle npm global install/uninstall — these are appropriate and expected for a reinstall utility.
Instruction Scope: noteInstructions explicitly read, copy, remove, and restore configuration and credential files (e.g., ~/.openclaw, credentials/, memory DB). This is necessary for the stated purpose but is high-impact: the user should verify backups and understand that sensitive tokens and keys will be copied and restored.
Install Mechanism: okThis is an instruction-only skill with no install spec or external downloads. All commands use local tooling (npm/npx) which is appropriate; there are no arbitrary remote archives or unusual installers referenced.
Credentials: okThe skill requests no environment variables or external credentials. It operates on local files only, which is proportional to its function. (It does recommend restoring sensitive local credentials from backups — appropriate, but the user should protect those backups.)
Persistence & Privilege: okThe skill does not request persistent/always-on presence and allows normal invocation. It does not modify other skills or global agent settings.