Safe Config Modifier

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to safely edit OpenClaw configuration, but its secret-masking helpers can fail and may expose API keys or tokens during preview.

Install only if you are comfortable letting the skill read and change your core OpenClaw configuration. Do not rely on its preview scripts to hide secrets; manually redact API keys and bot tokens before sharing output, review the exact diff before using the confirmation phrase, and keep the backup files private.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The document includes realistic token and API key configuration examples for Telegram, Kimi, Brave, and web search without adjacent guidance on secret handling, redaction, storage hygiene, or avoiding accidental sharing. In the context of a skill specifically designed to modify ~/.openclaw/openclaw.json, this increases the chance users will paste real credentials into configs, logs, screenshots, or commit history, leading to credential leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal