Safe Edit

Security checks across malware telemetry and agentic risk

Overview

This is a plausible backup-and-rollback helper, but it schedules privileged rollback actions and can change the host system in ways users should review before installing.

Install only if you are comfortable with a helper that can back up sensitive files, schedule delayed rollback jobs, and possibly install the at package. Before using it, verify the rollback script at /root/.openclaw/scripts/rollback.sh exists and only restores the intended backup, run it only on explicit file paths you choose, and remember to confirm or cancel the scheduled rollback after validating the edit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The script automatically installs the `at` package with `apt-get`/`yum` when it is missing, which is a privileged side effect beyond the narrow purpose of preparing a rollback for a file edit. In a security-sensitive automation context, implicit package installation changes system state, may pull unreviewed dependencies, and can be abused to escalate the blast radius of running the skill as root.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
For Linux/FreeBSD/macOS paths that use `at`, the scheduled rollback runs a fixed external script at `/root/.openclaw/scripts/rollback.sh` rather than a command bound to the specific `target_file` and `backup_file` created by this invocation. That disconnect means rollback behavior depends on external mutable state and, if that script is replaced or altered, the helper may execute unintended privileged actions instead of restoring the intended file.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger phrases are broad enough to match many ordinary configuration-editing requests, which can cause the skill to be invoked when the user did not explicitly ask for it. In an agent setting, unintended invocation can alter workflow, introduce unnecessary privileged file-handling steps, or cause the assistant to run local commands on sensitive paths based on loosely matched language.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger phrases are broad natural-language expressions like '我想修改配置' ("I want to modify the configuration") and '修改系统配置' ("modify the system configuration"), which can overlap with ordinary user discussion and cause the skill to activate in situations where the user did not explicitly request rollback tooling. In a system that auto-invokes skills, this can lead to unintended command suggestions or workflow interception around sensitive configuration files, increasing the chance of unsafe or confusing automation.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The 'must use' guidance is defined with subjective criteria such as '不确定后果' ("unsure of the consequences") and broad categories like '任何可能让服务崩溃的操作' ("any operation that could crash the service"), without precise boundaries. Ambiguous mandatory-use rules can cause inconsistent agent behavior, overbroad activation on unrelated tasks, or omission when it actually matters, all of which are risky when operating on sensitive system configuration.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The usage string '修改配置文件前说"使用 safe-edit"即可自动设置回滚机制' ("before modifying a configuration file, say 'use safe-edit' and a rollback mechanism is set up automatically") creates a very broad invocation pattern tied to a common admin activity rather than a narrowly scoped trigger. In an agent environment, this can cause the skill to activate in unintended contexts and perform backup/rollback-related actions around sensitive configuration edits without sufficiently explicit user intent.

VirusTotal

66/66 vendors flagged this skill as clean.