Jasper ConfigGuard
ReviewAudited by ClawScan on May 10, 2026.
Overview
Jasper ConfigGuard appears to do the advertised local OpenClaw config backup, patch, restart, and rollback workflow, but it gives agents meaningful power over your gateway configuration.
Install only if you intend to let this tool edit and restart your OpenClaw gateway. Verify the npm package first, run dry-run for proposed patches, review model/plugin/config changes before applying them, and protect the backup directory if your config contains secrets.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong patch, it could change how your OpenClaw gateway and agents behave, even though backups and rollback are provided.
The skill is intended to let an agent modify OpenClaw configuration, including model and plugin settings. This is purpose-aligned but high-impact.
Use from your agent to safely modify OpenClaw config:
Use --dry-run first, review patches before applying them, and avoid letting the agent apply config changes without explicit user approval.
Running patch or restore may signal every process that matches the openclaw-gateway pattern.
The code runs a shell command to signal the gateway during restart. The command is static and fits the advertised purpose, but it relies on Unix process matching.
execSync('kill -USR1 $(pgrep -f openclaw-gateway)', { stdio: 'pipe', timeout: 5000 });Use it only on systems where that process name is unambiguous, and prefer running with normal user privileges rather than elevated privileges.
Secrets or private settings in openclaw.json may be duplicated in local backup files or shown in diffs.
The tool stores persistent copies of the full OpenClaw config as backups. Config files can contain sensitive auth or provider settings.
Stored in `~/.openclaw/config-backups/` ... Last 20 kept (auto-pruned)
Protect the backup directory, avoid sharing diff output, and check whether your OpenClaw config contains secrets before using backup/diff workflows.
Users may install code from a package source that is not fully represented by the registry metadata.
The registry metadata does not provide provenance or an install contract, while the skill documentation asks users to install a global npm package.
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.
Verify the npm package, repository, and version before global installation, and pin the version where possible.