Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Config Modification
v2.6.0
Enforces a two-layer guarded process for modifying critical JSON config files with immediate syntax checks and periodic health validation to prevent faulty c...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (protecting ~/.openclaw JSON configs) aligns with the code: it reads/writes ~/.openclaw, snapshots backups, performs schema/diff/health checks and can restart the local OpenClaw gateway. However, the code repeatedly invokes external helper scripts (e.g., ~/.openclaw/workspace/.lib/config-rollback-guard.py and a backup script) that are not present in the skill manifest. meta.json lists system dependency 'curl' though I saw no use of curl in included files. SKILL.md mentions fswatch but the guard implements kqueue/polling in Python (fswatch binary not actually required). These mismatches (missing referenced scripts and small dependency/implementation differences) are unexplained and should be clarified.
Instruction Scope
Runtime instructions and code are mostly scoped to local config management under ~/.openclaw and do not declare external credential access. The skill will: monitor files, create snapshots under ~/.openclaw/backup, run local Python scripts, and attempt to restart the OpenClaw gateway via a local binary. It uses subprocess.run to call rollback/backup scripts and to restart the gateway; because the rollback/backup scripts are referenced but not included, this could cause failures or unexpected behavior. The SKILL.md asserts 'Does NOT send data to external servers' — the code does reference notification channels (telegram/signal) but only queues alerts to a local alert_queue.json; no outbound HTTP calls were found in the included files. Still, instructions grant broad discretion to run local commands and restart services, so test in a safe environment first.
Install Mechanism
There is no external install spec (no downloads or package installs) and the code is included in the skill bundle, which is lower install risk. No archives or remote URLs are fetched by the skill itself. The main install risk arises from runtime subprocess calls to local rollback/backup scripts (expected to exist elsewhere on disk) and launching a guard daemon — those runtime actions will modify local state but are not caused by a remote installer.
Credentials
The skill declares no required environment variables or credentials, and the included code does not attempt to read external secrets. It logs alerts and may queue messages for 'telegram'/'signal' channels, but authentication tokens for those channels are not requested or present in the code — this is plausible (queueing for a separate delivery agent) but should be documented. Overall, the environment access (only ~/.openclaw and local services) is proportionate to the stated purpose, but the lack of included rollback scripts and the alert queue mechanism raise questions about where credentials (if needed for notifications) are stored and how alerts are delivered.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable; it intends to run a long-lived guard process (config-fswatch-guard.py) but that is normal for a filesystem-monitoring tool and requires explicit startup by the user. It does not request elevated privileges in code (no sudo calls). Autonomous invocation is allowed (default) — combined with the ability to restart the gateway this widens impact if enabled by an agent, so run with care.
What to consider before installing
This skill appears to implement a reasonable local config-guard, but take these precautions before installing or enabling it:
- Missing helper scripts: The code calls rollback/backup helper scripts at ~/.openclaw/workspace/.lib/config-rollback-guard.py and similar paths, which are not included in the skill bundle. Confirm those scripts exist and inspect them — otherwise rollbacks/backups may fail or behave unexpectedly.
- Notifications: The code mentions telegram/signal channels but only writes a local alert_queue.json. Verify how alerts are delivered and where notification credentials would be kept; do not assume tokens are handled safely elsewhere.
- Test in staging: The skill will call subprocesses and may restart the OpenClaw gateway. Test the full flow in a non-production environment to ensure the referenced binaries/scripts are present and safe.
- Verify restart behavior: The guard attempts to run a local 'openclaw' binary (or a fallback node path). Ensure that path resolution is correct and that automatic restarts are acceptable in your environment.
- Ask the author or maintainer for: (1) the missing rollback/backup scripts, (2) documentation of how alerts are delivered and where credentials (if any) reside, and (3) confirmation about fswatch vs kqueue/polling requirements. If you cannot obtain those, treat the skill as risky and avoid enabling automatic/daemon operation.

Like a lobster shell, security has layers — review code before you run it.
