Config Guard

Security checks across malware telemetry and agentic risk

Overview

This skill is explicitly intended to edit OpenClaw configuration, but its secret-masking safeguards are broken enough that API keys or tokens may be exposed during the advertised "safe" preview.

Review this skill carefully before installing. It is not clearly malicious, but do not rely on its redacted preview to protect secrets. Use it only if you can inspect the exact config changes yourself, avoid showing full previews while screen sharing or logging terminals, make your own backup, and confirm only after verifying the diff and understanding any gateway restart.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium (84% confidence)

Finding: The skill claims changes must only occur after a specific confirmation phrase, but the documented commands are directly executable and contain no actual enforcement mechanism. In an agentic context, this can lead to unauthorized configuration edits or service restarts if the agent follows the procedural steps without implementing a real confirmation gate.

Natural-Language Policy Violations

High (78% confidence)

Finding: Requiring a fixed Chinese phrase for authorization creates a brittle confirmation policy that can confuse users and increase the chance of improper consent handling. In a security-sensitive config-editing skill, unclear or language-restricted approval flows can cause accidental execution or block informed confirmation from users who do not understand the phrase requirement.

Missing User Warnings

Medium (91% confidence)

Finding: The script reads and prints a sensitive configuration file to the terminal, but its redaction is incomplete and fragile. The sed pattern appears malformed and only targets a narrow set of key names, so secrets in other fields, nested formats, or edge cases may be exposed in shell history, terminal scrollback, logs, or screen sharing. In the skill context this is more dangerous because the tool is explicitly designed to handle ~/.openclaw/openclaw.json, which likely contains credentials.

VirusTotal

66/66 vendors flagged this skill as clean.