Openclaw Config
Security checks across malware telemetry and agentic risk
Overview
This skill is coherent and purpose-aligned for editing OpenClaw configuration, but users should review any persistent config changes and avoid storing long-lived tokens in config files.
This appears safe to install for its stated purpose. Before using it, be aware that it can guide persistent changes to OpenClaw Gateway behavior, auth, channels, tools, skills, and plugins. Prefer small edits, keep backups, validate after changes, and avoid placing long-lived API keys or tokens directly in openclaw.json.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad config edit could break Gateway startup or weaken security settings.
The skill intentionally enables local/RPC config mutation, including an operation that can replace the whole config. This is purpose-aligned and disclosed, but users should verify each change.
Prefer small edits: `openclaw config get|set|unset` ... use RPC `config.patch` ... or `config.apply` (replaces the entire config; use carefully).
Approve exact config changes, prefer small scoped edits, back up important config files, and validate with openclaw doctor before relying on the new configuration.
If a user stores tokens directly in openclaw.json or commits the file, those credentials could be exposed.
The skill discusses configuration areas that may contain service tokens or API keys and gives safer handling guidance. No hardcoded credential, logging, or exfiltration behavior is shown.
Secrets: prefer environment variables/credential files. Avoid committing long-lived tokens/API keys into `openclaw.json`.
Use environment variables or credential files where possible, keep config permissions restrictive, and avoid committing config files containing secrets.
Running the helper invokes local OpenClaw validation and may reveal local config path and file metadata in the terminal output.
The included helper script runs the local OpenClaw CLI validation command if present. This is disclosed and aligned with validation, and the script does not show writes, downloads, or network exfiltration.
if command -v openclaw >/dev/null 2>&1; then
  echo "Running: openclaw doctor"
  openclaw doctor
Run the helper only when you intend to validate the local OpenClaw config, and review the displayed path before sharing terminal output.
