Skillv2.6.0

ClawScan security

Config Modification · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 19, 2026, 5:53 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code largely matches its stated purpose (guarding and validating local OpenClaw JSON config changes), but there are notable inconsistencies and missing pieces (references to external rollback/backup scripts and notification channels) that you should review before installing or enabling it.
Guidance: This skill appears to implement a reasonable local config-guard, but take these precautions before installing or enabling it: - Missing helper scripts: The code calls rollback/backup helper scripts at ~/.openclaw/workspace/.lib/config-rollback-guard.py and similar paths, which are not included in the skill bundle. Confirm those scripts exist and inspect them — otherwise rollbacks/backups may fail or behave unexpectedly. - Notifications: The code mentions telegram/signal channels but only writes a local alert_queue.json. Verify how alerts are delivered and where notification credentials would be kept; do not assume tokens are handled safely elsewhere. - Test in staging: The skill will call subprocesses and may restart the OpenClaw gateway. Test the full flow in a non-production environment to ensure the referenced binaries/scripts are present and safe. - Verify restart behavior: The guard attempts to run a local 'openclaw' binary (or a fallback node path). Ensure that path resolution is correct and that automatic restarts are acceptable in your environment. - Ask the author or maintainer for: (1) the missing rollback/backup scripts, (2) documentation of how alerts are delivered and where credentials (if any) reside, and (3) confirmation about fswatch vs kqueue/polling requirements. If you cannot obtain those, treat the skill as risky and avoid enabling automatic/daemon operation.

Review Dimensions

Purpose & Capability: concernThe skill's name/description (protecting ~/.openclaw JSON configs) aligns with the code: it reads/writes ~/.openclaw, snapshots backups, performs schema/diff/health checks and can restart the local OpenClaw gateway. However, the code repeatedly invokes external helper scripts (e.g., ~/.openclaw/workspace/.lib/config-rollback-guard.py and a backup script) that are not present in the skill manifest. meta.json lists system dependency 'curl' though I saw no use of curl in included files. SKILL.md mentions fswatch but the guard implements kqueue/polling in Python (fswatch binary not actually required). These mismatches (missing referenced scripts and small dependency/implementation differences) are unexplained and should be clarified.
Instruction Scope: noteRuntime instructions and code are mostly scoped to local config management under ~/.openclaw and do not declare external credential access. The skill will: monitor files, create snapshots under ~/.openclaw/backup, run local Python scripts, and attempt to restart the OpenClaw gateway via a local binary. It uses subprocess.run to call rollback/backup scripts and to restart the gateway; because the rollback/backup scripts are referenced but not included, this could cause failures or unexpected behavior. The SKILL.md asserts 'Does NOT send data to external servers' — the code does reference notification channels (telegram/signal) but only queues alerts to a local alert_queue.json; no outbound HTTP calls were found in the included files. Still, instructions grant broad discretion to run local commands and restart services, so test in a safe environment first.
Install Mechanism: okThere is no external install spec (no downloads or package installs) and the code is included in the skill bundle, which is lower install risk. No archives or remote URLs are fetched by the skill itself. The main install risk arises from runtime subprocess calls to local rollback/backup scripts (expected to exist elsewhere on disk) and launching a guard daemon — those runtime actions will modify local state but are not caused by a remote installer.
Credentials: noteThe skill declares no required environment variables or credentials, and the included code does not attempt to read external secrets. It logs alerts and may queue messages for 'telegram'/'signal' channels, but authentication tokens for those channels are not requested or present in the code — this is plausible (queueing for a separate delivery agent) but should be documented. Overall, the environment access (only ~/.openclaw and local services) is proportionate to the stated purpose, but the lack of included rollback scripts and the alert queue mechanism raise questions about where credentials (if needed for notifications) are stored and how alerts are delivered.
Persistence & Privilege: okThe skill does not request 'always: true' and is user-invocable; it intends to run a long-lived guard process (config-fswatch-guard.py) but that is normal for a filesystem-monitoring tool and requires explicit startup by the user. It does not request elevated privileges in code (no sudo calls). Autonomous invocation is allowed (default) — combined with the ability to restart the gateway this widens impact if enabled by an agent, so run with care.