Skill v1.0.0

ClawScan security

OpenClaw Config Safety v2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 18, 2026, 6:37 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose and code are coherent for safe config management, but the package omits or under-declares external requirements (openclaw, pass, jq/node), and the runtime instructions will read environment variables and call system binaries (including resolving credentials from env/pass), so you should review and confirm those dependencies and trust the source before using.
Guidance
This package appears to implement a sensible config validation and import/export workflow, but there are important things to check before installing or running it:

- Verify dependencies yourself: the code and scripts assume the openclaw CLI is available (or set via OPENCLAW_BIN), the `pass` tool is available for import credential resolution, and the shell validator uses `jq`. The registry metadata does not declare these — confirm they exist and are the versions you expect.
- Inspect resolve-refs.js (not shown in full here) to confirm how it invokes `pass` and whether it logs or transmits resolved secrets. The design claims it will not print secret values, but review to be sure.
- Back up your existing ~/.openclaw/openclaw.json before using the wizard or the validator (the docs already advise this). Even though the tool creates backups, manual backups are prudent.
- Treat exported tokens as containing credential reference names only (mrconf:v1 tokens do not include actual keys). Ensure destination machines have matching env vars or pass entries.
- If you do not fully trust the source owner (unknown homepage, owner id only), consider running the scripts in a restricted environment (container or VM) and audit the code paths that call external binaries before giving it access to your real OpenClaw installation and secrets.

If you want, I can (a) list exact files/lines that invoke external binaries (openclaw, pass, jq, child_process.exec), (b) extract the resolve-refs implementation for a focused review, or (c) suggest a minimal checklist to run the tool safely in a sandbox first.

Review Dimensions

Purpose & Capability
note: The skill's name/description (validate, normalize, export/import openclaw.json) matches the included code (normalize.js, export.js, import.js, audit.js, doctor-check.js, restore/backup helpers). However, the registry metadata declares 'Required binaries: none' and 'Required env vars: none' while the code and SKILL.md clearly depend on system binaries (openclaw CLI, pass, jq for the shell validator) and Node for running the JS. This is a mismatch (under-declared dependencies) rather than a functional mismatch with the stated purpose.
Instruction Scope
concern: SKILL.md and scripts instruct the agent to read/write ~/.openclaw/openclaw.json, create backups, run validation, run `openclaw doctor --fix`, and restart the gateway. Those actions are appropriate for a config-safety tool, but the instructions also resolve credential references by reading process.env and invoking `pass` (import path). The skill's runtime will therefore access environment variables and call system binaries (openclaw, pass, jq) — the SKILL.md does not declare these env/binary accesses explicitly. This grants the skill scope to read sensitive local state (env vars, pass entries) which is necessary for import but should be called out as a security-sensitive operation.
Install Mechanism
note: There is no install spec (instruction-only), which minimizes remote code downloads. However, the skill bundle actually contains many code files and CLI wrappers (bin/openclaw-config-onboard etc.) that will be executed from the user's workspace. No network-based installers or remote archives are used. The lack of an install step is reasonable, but the package should declare that it needs Node and relies on local CLI tools.
Credentials
concern: The skill will resolve credential references by checking process.env and invoking `pass` (see EXPORT-TOKEN-SPEC.md and the resolve-refs behavior described). That is proportionate to the import feature, but the registry metadata lists no required env vars or binaries. The tool may read any environment variables whose names appear in a token's credentialRefs list (e.g., CEREBRAS_API_KEY). Users must understand that importing will read those env vars or call pass to retrieve secrets; those accesses are not declared in the skill metadata.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide agent settings. It does invoke system-level operations such as restarting the OpenClaw gateway and running `openclaw doctor`, which are expected for a config-management tool. Autonomous invocation is allowed by default but is not exceptional here.