Setup Validator

v1.0.1

Validate OpenClaw installation safety by checking for common security misconfigurations and setup issues. Use this skill during initial setup, periodic heart...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the behavior: scripts examine ~/.openclaw (config and plugins), check sandbox settings, and verify versions via npm/openclaw. No unrelated credentials, services, or binaries are required beyond the optional use of npm/openclaw which the code already checks for.
Instruction Scope
SKILL.md directs the agent to run local Python scripts, make them executable, and optionally schedule via cron. The scripts only read OpenClaw-related paths (~/.openclaw/*), inspect manifests, and call npm/openclaw for version checks — all within the stated validator purpose. No instructions attempt to read unrelated system files or exfiltrate data.
Install Mechanism
There is no install spec; the skill is instruction-plus-local-scripts only. All included files are plain Python and markdown; there are no downloads or archive extraction steps that would introduce high-risk arbitrary code fetches.
Credentials
The skill declares no environment variables or credentials and the code does not require any secrets. It calls external commands (npm/openclaw) if available, and optionally imports PyYAML if present — these are reasonable for dependency/version and config parsing checks.
Persistence & Privilege
always is false and the skill does not try to modify other skills or system-wide agent configuration. It suggests user-managed cron scheduling; that is a user action rather than forced persistence by the skill itself.
Assessment
This skill appears to do what it claims: local checks of ~/.openclaw, plugin manifests, sandbox config, and dependency versions. Before installing or scheduling it to run periodically, review and consider: (1) run the scripts as an unprivileged user (do not run as root) so checks cannot accidentally change system state; (2) the cron suggestion runs the validator regularly — ensure you want automated periodic checks and log retention; (3) npm/openclaw calls may reach the network to check versions, so run in an environment where that is acceptable; (4) confirm file ownership/permissions of the scripts after installation (the SKILL.md suggests chmod) so only authorized users can modify them. If you need extra assurance, inspect the included Python files locally — they are small and readable and contain no hidden network endpoints or credential exfiltration.

Like a lobster shell, security has layers — review code before you run it.
