Skillv1.0.0

ClawScan security

Safe Edit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 3:55 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code implements the advertised backup-and-rollback behavior, but it writes cron/at/scheduled-task artifacts under /root, may auto-install packages, and does not declare the system access/paths it needs — these mismatches warrant caution.
Guidance: This skill largely does what it says — it backs up files and schedules a 15-minute rollback — but before installing or enabling it, consider: - The provided script writes under /root/.openclaw (backups, logs, scripts) and may need root or equivalent permissions to operate on system config files; ensure you are comfortable granting that level of access. - If the host lacks the 'at' command the script will try to run apt-get/yum to install it; that implies network package installs and elevated privileges. If you do not want automatic package installs, run or inspect the script manually and install dependencies yourself. - The script generates rollback scripts and scheduled tasks (at jobs, schtasks, or background sleep processes). Review the generated rollback script content (it copies backups over targets) so you know exactly what will be executed later. - The skill metadata does not declare these filesystem/scheduler requirements — treat that as an omission. Prefer running the script in a controlled environment first (non-production) and review/modify paths (BACKUP_DIR, ROLLBACK_SCRIPT) before allowing the agent to invoke it on critical targets. If you want to proceed safely: manually install and audit safe-edit.sh, create a non-root backup directory and adjust BACKUP_DIR/ROLLBACK_SCRIPT, and confirm the host's package/install behavior so the script will not perform unexpected installs.

Review Dimensions

Purpose & Capability: okThe name/description (safe-edit = backup + delayed rollback for config edits) match the provided shell script and SKILL.md: the script creates backups, schedules a 15-minute rollback, and supports cancel/confirm operations across platforms. The functionality implemented is coherent with the stated purpose.
Instruction Scope: noteThe SKILL.md instructs the agent to run safe-edit start/confirm/cancel on target files and to recommend safe-edit for any config edits — that is consistent with the script. The instructions do not ask the agent to read unrelated secrets or contact external endpoints. However the policy to 'always recommend' safe-edit for any config change gives the agent broad discretion to frequently schedule operations and create artifacts on the host.
Install Mechanism: noteThere is no install spec (instruction-only) which limits remote code fetch risks. The provided shell script will attempt to call package managers (apt-get/yum) to install at if missing — this implies network package installation may occur at runtime if at is absent. That is expected for the feature, but it is an implicit side-effect not declared in metadata.
Credentials: concernThe skill metadata declares no required env/config access, yet the script uses and writes to system paths (/root/.openclaw/backups, /root/.openclaw/scripts, /root/.openclaw/logs) and may create scheduled tasks (at, schtasks) and rollback scripts. Running these operations typically requires elevated filesystem and scheduler permissions. The mismatch between claimed 'no required config paths' and actual writes under /root is a proportionality concern that users should be aware of.
Persistence & Privilege: noteThe skill does not set always:true and is user-invocable (normal). The script persists artifacts (backup files, rollback scripts, at jobs, scheduled tasks, background sleep PIDs) on disk and in system scheduler, which is necessary for rollback but means the skill creates persistent state and scheduled actions on the host. This behavior is expected but worth auditing before use.