OpenClaw Config Ops
Security checks across malware telemetry and agentic risk
Overview
This instruction-only skill is coherently focused on safer OpenClaw config edits, with approval, backup, validation, and logging steps. Users should note that it can modify gateway behavior and persist config values in backups and logs.
This skill appears safe for its stated purpose, but install/use it with awareness that it can change OpenClaw gateway behavior after approval. Carefully review each proposed config change, prefer config.patch over direct file edits, and make sure backups/logs do not expose secrets.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the skill can change how the OpenClaw gateway, agents, models, and tools behave.
The skill can direct changes to gateway behavior and tool/MCP configuration, which is high-impact, but this is aligned with its stated config-operations purpose and is paired with schema lookup, documentation verification, a proposal, confirmation, backup, and validation.
Adding/removing models, plugins, channels, agents, MCP servers, tools config
Only approve proposed changes after checking the exact target key, old value, new value, and impact described by the skill.
Local shell commands may read, copy, validate, or edit the OpenClaw configuration when a config change is approved.
The skill documents shell command use for backups, help, validation, and a Python JSON edit fallback. These commands are disclosed and purpose-aligned, but they still operate on local configuration files.
exec("cp ~/.openclaw/openclaw.json ~/.openclaw/backups/openclaw-$(date +%Y%m%d%H%M%S).json")
Review any shell/Python fallback command before allowing it, especially if it edits files directly instead of using config.patch.
Sensitive configuration values could remain in local backup or log files if the edited key contains secrets.
The skill persists old and new config values in a local change log, and it also creates full config backups. This is useful for audit/recovery, but values could be sensitive if the edited config key contains credentials or private endpoints.
Record change to logs/config-changes.log ... old_value: <previous value or "N/A"> ... new_value: <new value>
Avoid logging secrets in full; redact API keys/tokens before recording old_value or new_value, and protect the ~/.openclaw backup and log directories.
