Agent Config Manager

Security checks across malware telemetry and agentic risk

Overview

This skill performs local OpenClaw configuration listing, validation, and model updates as described, with no evidence of hidden network access, persistence, or destructive behavior.

Install this only if you want an agent to inspect and update your OpenClaw configuration. Before running model changes, remember that the script backs up the full config to /tmp, so the backup may contain sensitive config contents. Also verify which documented workflows are actually present, because several referenced helper scripts are not bundled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Low
Confidence: 76%
Finding
The file header describes the script as only updating agent model assignment. In practice, the script also performs additional operational side effects: it copies the full config to a backup file and emits instructions to restart the gateway so changes take effect. This is a mild intent/documentation mismatch because the comment understates the script's actual behavior.

VirusTotal

No VirusTotal findings
