Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gateway Token Doctor
v1.0.0Diagnose and fix gateway token mismatches causing 401 errors. Align tokens across config, service, and CLI surfaces.
⭐ 0· 370·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description match the actions in SKILL.md: auditing and aligning gateway tokens stored in $HOME/.openclaw/openclaw.json, the gateway startup script, and the OPENCLAW_GATEWAY_TOKEN environment variable. Asking to read and update those files is coherent with the stated purpose.
Instruction Scope
Instructions directly read and overwrite $HOME/.openclaw/openclaw.json and $HOME/.openclaw/gateway.cmd and then restart the gateway. There are no safety measures (no backups, no validation of a non-empty token, no dry-run). Regex replacement ('OPENCLAW_GATEWAY_TOKEN=.*') and writing token values directly can accidentally clobber files or inject malformed values. Verification steps reference logs generically ('Select-String "401" logs') without specifying paths. These are functional for the task but risky and insufficiently defensive.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing is written to disk by an installer, which is the lowest-risk install profile.
Credentials
The SKILL.md reads the OPENCLAW_GATEWAY_TOKEN environment variable and other local config paths, but the registry metadata lists no required env vars. That mismatch reduces transparency. While the env var and files are relevant to the stated purpose, the skill asks to read and overwrite local configuration and a startup script — privileges that should be clearly declared and confirmed with the user beforehand.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not include installation steps that persist beyond execution. Autonomous invocation is enabled by default on the platform, but this skill does not escalate privileges beyond modifying only OpenClaw-related files.
What to consider before installing
This skill will read and overwrite your OpenClaw config (~/.openclaw/openclaw.json) and edit the gateway startup script (~/.openclaw/gateway.cmd), then restart the gateway. Before using it: 1) Back up the files mentioned (copy openclaw.json and gateway.cmd). 2) Inspect openclaw.json to confirm where tokens are stored and that the auth token is valid (the script uses auth => remote => service). 3) Run the steps manually first (don't run them as a blind script) or add a dry-run that prints intended changes without writing. 4) Ensure the openclaw CLI is present and you can restart the gateway manually. 5) Be aware that SKILL.md reads the OPENCLAW_GATEWAY_TOKEN env var even though metadata lists no env requirements — confirm any environment-token source before letting the skill modify files. 6) After changes, verify logs and CLI auth in a controlled environment (staging) before applying in production. If you are not comfortable with file edits or service restarts, ask an admin to perform these steps.Like a lobster shell, security has layers — review code before you run it.
latestvk975706t7b1raath3kkm24ed8d822tdw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.