OpenClaw Sacred Rules
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a coherent OpenClaw recovery helper, but its auth reset and backup scripts touch sensitive auth files and include unsafe path and restore behavior that should be reviewed before use.
Review the scripts before running them. In particular, fix reset_cooldowns.sh so it uses your actual auth profile path and only resets the intended fields, and treat ~/openclaw-backups as sensitive because it can contain API keys and auth data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running this script could fail after creating a backup, modify the wrong local auth profile if that path exists, or reset provider safeguards more broadly than the user expected.
The script checks and backs up the current user's auth file, but the Python block edits a fixed /Users/admin path and clears every provider's cooldown/error state rather than only expired cooldowns.
AUTH_FILE="$HOME/.openclaw/agents/main/agent/auth-profiles.json" ... auth_file = '/Users/admin/.openclaw/agents/main/agent/auth-profiles.json' ... # Clear all cooldowns and error states
Do not run this script as-is. Pass the checked $AUTH_FILE into Python, display and confirm the target path, and limit changes to the intended expired cooldown fields.
The backup may contain sensitive credentials; if the backup folder is shared, synced, or left with weak permissions, those credentials could be exposed locally.
The backup script intentionally copies local environment and auth profile files, which may contain gateway passwords, API keys, tokens, or account state, into a persistent backup directory.
FILES=( "$HOME/.openclaw/openclaw.json" "$HOME/.openclaw/.env" "$HOME/.openclaw/agents/main/agent/auth-profiles.json" ) ... cp "$file" "$BACKUP_DIR/"
Protect backup directories with restrictive permissions, avoid sharing or syncing them, encrypt them if possible, and delete old backups when no longer needed.
A user following the restore instruction could misplace auth files, fail to restore the system correctly, or copy sensitive files into unintended locations during an outage.
The script flattens files from different original directories into one backup folder, then suggests restoring everything to ~/.openclaw/, which does not match the nested auth-profiles.json path or the optional LaunchAgents path.
cp "$file" "$BACKUP_DIR/" ... echo "To restore: cp $BACKUP_DIR/* ~/.openclaw/"
Preserve relative paths in the backup or provide explicit per-file restore commands for openclaw.json, .env, auth-profiles.json, and any LaunchAgent file.
Install-time metadata may not warn users that using the skill involves running local bash/Python scripts against OpenClaw configuration and auth files.
The artifacts include executable helper scripts, but the registry metadata does not declare their runtime dependencies or local path expectations, and no upstream homepage/source is provided.
Source: unknown; Homepage: none ... Required binaries: none ... No install spec — this is an instruction-only skill ... Code file presence 4 code file(s)
Declare required binaries such as bash, python3, and openclaw; declare expected ~/.openclaw paths; and provide verifiable source/provenance information.
