Config Modification

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine local OpenClaw config-safety skill, but it warrants review: it can automatically roll back configs, run a persistent file watcher, and restart the local gateway, and the scope of each of those actions is unclear.

Review carefully before installing, especially on production OpenClaw systems or configs containing API keys. Do not enable the background guard until you verify the external rollback helper, understand exactly which files may be restored, and are comfortable with automatic gateway restarts and local diff logging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    os.path.expanduser("~/.local/share/fnm/node-versions/v24.13.0/installation/bin/openclaw")
)
try:
    result = subprocess.run(
        [openclaw_bin, "gateway", "restart"],
        capture_output=True, text=True, timeout=30
    )
Confidence
83% confidence
Finding
result = subprocess.run( [openclaw_bin, "gateway", "restart"], capture_output=True, text=True, timeout=30 )
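The flagged call hardcodes one user's fnm-managed node version as the path to the gateway binary and restarts the gateway unconditionally. The following Python is an added example, not code from the skill or from OpenClaw, showing the hardening a reviewer would ask for: the binary is resolved only from an allowlisted set of directories, a symlink that escapes its allowlisted directory is refused, the call uses an argv list with no shell and a timeout, and a restart executes only after explicit operator confirmation, otherwise the exact argv is returned as a dry run. The allowlist directories and the `demo()` fixture with its argument-echoing stand-in `openclaw` script are constructed for the example.

```python
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# Hypothetical allowlist: directories a gateway binary may be launched from.
# A deployment would set this from policy rather than from one user's fnm tree.
DEFAULT_ALLOWED_DIRS = ("/usr/local/bin", "/opt/openclaw/bin")


def resolve_gateway_binary(name: str, allowed_dirs: Iterable[str]) -> Optional[Path]:
    """Return the executable `name` from the first allowlisted directory that
    holds it, or None. Symlinks are followed, and a link whose target lies
    outside its allowlisted directory is rejected."""
    for d in allowed_dirs:
        candidate = Path(d) / name
        if not candidate.is_file():
            continue
        real = candidate.resolve()
        if real.parent != Path(d).resolve():
            continue  # symlink escaping the allowlisted directory
        if not os.access(real, os.X_OK):
            continue
        return real
    return None


def restart_gateway(binary: Path, confirm: bool = False, timeout: float = 30.0) -> dict:
    """Run `<binary> gateway restart` only if the operator opted in.

    Without confirm=True this is a dry run that reports the exact argv, so
    logs and prompts can show what would execute. The argv list form means
    no shell ever parses the path."""
    argv = [str(binary), "gateway", "restart"]
    if not confirm:
        return {"dry_run": True, "argv": argv}
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return {"dry_run": False, "argv": argv,
            "returncode": completed.returncode, "stdout": completed.stdout}


def demo() -> dict:
    """Constructed fixture: an allowlisted dir holding a fake `openclaw` that
    echoes its arguments, plus an allowlisted dir whose `openclaw` is a symlink
    to a binary outside it (must be refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        good_dir = Path(tmp) / "bin"
        good_dir.mkdir()
        fake = good_dir / "openclaw"
        fake.write_text('#!/bin/sh\necho "$@"\n')
        fake.chmod(0o755)

        outside = Path(tmp) / "elsewhere"
        outside.mkdir()
        rogue = outside / "openclaw"
        rogue.write_text('#!/bin/sh\necho hijacked\n')
        rogue.chmod(0o755)
        trap_dir = Path(tmp) / "trap"
        trap_dir.mkdir()
        (trap_dir / "openclaw").symlink_to(rogue)

        found = resolve_gateway_binary("openclaw", [str(good_dir)])
        escaped = resolve_gateway_binary("openclaw", [str(trap_dir)])
        missing = resolve_gateway_binary("openclaw", [str(Path(tmp) / "nope")])
        dry = restart_gateway(found)
        live = restart_gateway(found, confirm=True)
        return {"found": str(found), "expected": str(fake.resolve()),
                "escaped": escaped, "missing": missing, "dry": dry,
                "live_rc": live["returncode"], "live_stdout": live["stdout"].strip()}


if __name__ == "__main__":
    print(demo())
```

The dry-run result is what a guard loop should log and surface before any restart; the confirmed path is the only one that actually spawns a process.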

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill explicitly states it does not send data to external servers, yet the alerting matrix later names Telegram and Signal as notification channels. This inconsistency is security-relevant because operators may trust the no-exfiltration claim while the design appears to permit outbound messaging, which could leak configuration contents, filenames, error details, or environment metadata.
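If a config-guard skill does notify over an external channel, the payload should carry nothing that can leak configuration contents, filenames or error text, and an outbound check should refuse anything that still looks like a secret. The following Python is an added example, not code from the skill: it builds a minimal alert (opaque path identifier, content hashes, timestamp) for external channels while keeping the full path only for local output, and blocks an external message that contains a key-like token. The secret patterns, the sample config bytes and the path are constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Shapes of secrets that must never appear in an outbound message.
# Constructed for this example; extend to the deployment's key formats.
SECRET_PATTERNS = (
    re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),                          # OpenAI-style key
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                               # AWS access key id
    re.compile(r"(?i)\b(api[_-]?key|token|secret|password)\b\s*[:=]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
)


class OutboundBlocked(Exception):
    """Raised when a message destined for an external channel fails the check."""


def contains_secret_like(text: str) -> bool:
    return any(p.search(text) for p in SECRET_PATTERNS)


def _short_sha256(data: bytes, n: int = 16) -> str:
    return hashlib.sha256(data).hexdigest()[:n]


def build_alert(config_path: str, before: bytes, after: bytes, external: bool) -> dict:
    """Describe a detected config change.

    Local-only channels may see the full path. An external channel
    (Telegram, Signal, ...) gets only opaque identifiers: a short hash of the
    path and hashes of the two versions, never a diff, filename or error text."""
    alert = {
        "event": "config_modified",
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "before_sha256": _short_sha256(before),
        "after_sha256": _short_sha256(after),
    }
    if external:
        alert["target_id"] = _short_sha256(config_path.encode(), 12)
    else:
        alert["path"] = config_path
    return alert


def render_for_channel(alert: dict, external: bool) -> str:
    """Serialise the alert and, for external channels, refuse to emit anything
    that still carries a secret-like token."""
    text = " ".join(f"{k}={v}" for k, v in sorted(alert.items()))
    if external and contains_secret_like(text):
        raise OutboundBlocked("secret-like token in outbound alert")
    return text


def demo() -> dict:
    # Constructed sample: a config whose API key was swapped.
    before = b'{"api_key": "sk-ORIGINALkeyvalue0123456789"}\n'
    after = b'{"api_key": "sk-REPLACEDkeyvalue0123456789"}\n'
    path = "/home/alice/.openclaw/openclaw.json"
    local = build_alert(path, before, after, external=False)
    remote = build_alert(path, before, after, external=True)
    # A naive alert that pastes the new contents is stopped at the boundary.
    try:
        render_for_channel({"diff": after.decode()}, external=True)
        leaked = True
    except OutboundBlocked:
        leaked = False
    return {"local_has_path": "path" in local,
            "remote_has_path": "path" in remote,
            "remote_text": render_for_channel(remote, external=True),
            "naive_diff_blocked": not leaked}


if __name__ == "__main__":
    print(demo())
```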

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The API and log messages imply rollback applies to the provided config_path, but the implementation ignores that argument and always runs a fixed rollback script with no target config passed. This can cause rollback of the wrong configuration, failed recovery during incidents, or a false sense of protection when operators believe a specific config was reverted.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes automatic rollback and fswatch-based continuous protection, but it does not clearly and explicitly warn that the skill may automatically revert configuration files after detecting changes. In a configuration-management context, undocumented automatic write-back behavior can cause confusion, overwrite intended edits, and create operational risk during troubleshooting or production changes.
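The two findings above (a rollback that ignores its config_path argument, and automatic write-back that the README does not warn about) are both addressed by a rollback routine that honours its target and does nothing by default. The following Python is an added example, not the skill's rollback helper: the requested path must resolve under a managed root, the backup is looked up for that specific file and its absence is a hard failure, nothing is written unless `apply=True`, and the write is atomic. The directory layout, file contents and the `demo()` fixture are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


class RollbackRefused(Exception):
    """Raised when the requested target cannot be safely restored."""


def _contained(path: Path, root: Path) -> bool:
    """True if `path` (fully resolved) lives under `root` (fully resolved)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def _sha256(path: Path):
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.exists() else None


def rollback_config(config_path, backup_dir, allowed_root, apply: bool = False) -> dict:
    """Restore exactly the file named by `config_path` from `backup_dir`.

    - The target is validated against `allowed_root`; a path outside the
      managed tree (or a symlink escaping it) is refused.
    - The backup is matched by the target's own name; no backup, no rollback.
    - apply=False (the default) only reports what would change, which is what
      an operator should see unless they explicitly opted in to write-back.
    - Writes go through a temp file plus os.replace, so a crash mid-rollback
      cannot leave a truncated config behind."""
    target, root = Path(config_path), Path(allowed_root)
    if not _contained(target, root):
        raise RollbackRefused(f"{target} is outside {root}")
    backup = Path(backup_dir) / target.name
    if not backup.is_file():
        raise RollbackRefused(f"no backup for {target.name} in {backup_dir}")

    before, after = _sha256(target), _sha256(backup)
    report = {"target": str(target), "backup": str(backup), "before_sha256": before,
              "after_sha256": after, "changed": before != after, "applied": False}
    if not apply or before == after:
        return report

    fd, tmp_name = tempfile.mkstemp(dir=str(target.parent), prefix=".rollback-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(backup.read_bytes())
        os.replace(tmp_name, target)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)  # never leave a partial copy around
        raise
    report["applied"] = True
    return report


def demo() -> dict:
    """Constructed fixture: a managed tree with one drifted config and its backup,
    plus a file outside the tree that must never be touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "openclaw"
        backups = root / "backups"
        backups.mkdir(parents=True)
        cfg = root / "openclaw.json"
        cfg.write_text('{"api_key": "CHANGED-BY-SOMEONE"}\n')
        (backups / "openclaw.json").write_text('{"api_key": "ORIGINAL"}\n')

        dry = rollback_config(cfg, backups, root)                 # report only
        still_changed = cfg.read_text()
        real = rollback_config(cfg, backups, root, apply=True)    # actual restore
        restored = cfg.read_text()

        outside = Path(tmp) / "unrelated.json"
        outside.write_text('{"untouched": true}\n')
        try:
            rollback_config(outside, backups, root, apply=True)
            refused_outside = False
        except RollbackRefused:
            refused_outside = True
        try:
            rollback_config(root / "other.json", backups, root, apply=True)
            refused_missing = False
        except RollbackRefused:
            refused_missing = True

        return {"dry_applied": dry["applied"], "dry_changed": dry["changed"],
                "still_changed": still_changed, "real_applied": real["applied"],
                "restored": restored, "refused_outside": refused_outside,
                "refused_missing_backup": refused_missing,
                "outside_intact": outside.read_text()}


if __name__ == "__main__":
    print(demo())
```

The dry-run report (target, backup, before/after hashes) is also the record a background guard should log and, where the README promises notifications, the most it should say about a change.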

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrase "config change" is broad enough to match ordinary user requests that are not necessarily asking to invoke this skill, which can cause unintended activation. In a skill that edits configuration and performs automated guard/rollback actions, accidental invocation increases the chance of unauthorized or surprising config modifications.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list does not define clear scope boundaries, exclusions, or confirmation requirements, so common phrases may activate the skill in ambiguous contexts. Because this package is intended to modify configs and includes automation hooks like guard/watch behavior, weak activation controls materially raise the risk of unintended file changes or rollback actions.
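To make the activation problem concrete, the following Python is an added example (not the skill's trigger definitions, and using a hypothetical rule format rather than OpenClaw's own schema). It contrasts the bare "config change" keyword with scoped rules that name the product, require an action verb, veto question and explanation phrasing, and mark guard and rollback actions as needing confirmation. The sample requests are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Trigger:
    """One activation rule. Hypothetical format for this example."""
    name: str
    patterns: List[str]                                   # regexes that activate
    exclusions: List[str] = field(default_factory=list)   # regexes that veto
    mutating: bool = False                                # needs confirmation


def evaluate(request: str, triggers: List[Trigger]) -> dict:
    """Decide whether `request` activates a skill and whether the operator must
    confirm first. Exclusions are checked before patterns, so questions and
    explanations never activate a mutating action."""
    text = request.lower()
    matched = []
    for trig in triggers:
        if any(re.search(x, text) for x in trig.exclusions):
            continue
        if any(re.search(p, text) for p in trig.patterns):
            matched.append(trig)
    return {"activate": bool(matched),
            "matched": [t.name for t in matched],
            "needs_confirmation": any(t.mutating for t in matched)}


# The trigger as the scanner describes it: a bare keyword matching any
# sentence that contains "config change".
BROAD = [Trigger("config-change", [r"config change"], mutating=True)]

# Scoped alternative: product name, action verb, question veto, confirmation
# gate on anything that edits or reverts files.
QUESTION = [r"^\s*(what|why|how|explain|describe)\b", r"\?\s*$"]
SCOPED = [
    Trigger("openclaw-rollback",
            [r"\b(roll ?back|revert|restore)\b.*\bopenclaw\b.*\bconfig"],
            exclusions=QUESTION, mutating=True),
    Trigger("openclaw-guard",
            [r"\b(guard|watch|monitor)\b.*\bopenclaw\b.*\bconfig"],
            exclusions=QUESTION, mutating=True),
    Trigger("openclaw-config-diff",
            [r"\b(show|diff|compare)\b.*\bopenclaw\b.*\bconfig"],
            exclusions=QUESTION, mutating=False),
]

REQUESTS = [  # constructed sample requests
    "What does a config change in nginx actually do?",
    "Roll back the OpenClaw config to the last good version",
    "Show me the diff of the openclaw config since yesterday",
    "Can you explain how the openclaw config rollback works?",
]


def demo() -> dict:
    """Map each request to (broad verdict, scoped verdict)."""
    return {r: (evaluate(r, BROAD), evaluate(r, SCOPED)) for r in REQUESTS}


if __name__ == "__main__":
    for req, (broad, scoped) in demo().items():
        print(f"{req!r}\n  broad:  {broad}\n  scoped: {scoped}")
```

The first request is the false positive the finding warns about: an unrelated nginx question activates the broad rule with confirmation required, while the scoped rules ignore it. The second request activates only the rollback rule, and still has to be confirmed before anything is written.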

VirusTotal

65/65 vendors reported this skill as clean. Note that a clean VirusTotal result reflects antivirus engine verdicts on the file contents; it does not assess the behavioural concerns listed in the findings above.
