maxclaw-doctor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a local file-versioning safety tool; it keeps local backup copies of changed or deleted files and includes user-directed setup commands, but the provided artifacts do not show hidden sharing or malicious behavior.

Use this skill if you want local rollback protection, but confirm every file path before modification/deletion, avoid recording secrets unless necessary, secure or clean ~/.openclaw/minivcs/, and review any Python/Homebrew/package-manager setup commands before running them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent or user selects the wrong file path, a file could be moved to trash or restored over current content.

Why it was flagged

The skill exposes local file deletion/move and restore workflows. This is central to the stated file-protection purpose and SKILL.md requires user confirmation, but wrong paths could still affect user files.

Skill content
Do not delete files directly; use `record_delete` instead, and the file is moved to trash automatically; python "$SKILL_DIR/scripts/minivcs/minivcs.py" delete <file_path> --project-root <project_root>

Recommendation

Confirm the exact file path and project root before delete, restore, or rollback operations, and ask to view history or diffs when unsure.

What this means

Sensitive file contents may remain in local backup directories after the original file is changed or deleted.

Why it was flagged

The skill persistently stores diffs, snapshots, deleted-file copies, and backups locally. Those copies may include configuration or .env files that contain secrets.

Skill content
All data is stored under `~/.openclaw/minivcs/` ... `snapshots/` ... `trash/` ... `backups/`; important files ... configuration files (`.yaml/.toml/.env`, etc.)

Recommendation

Avoid recording highly sensitive files unless needed, restrict access to ~/.openclaw/minivcs/, and periodically review or clean retained backups.

What this means

Running remote installer or package-manager commands can modify the local system beyond this skill.

Why it was flagged

SKILL.md includes user-directed dependency installation through external package managers and a remote shell installer. This is a common setup pattern but has supply-chain risk if run blindly.

Skill content
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Recommendation

Use trusted official installers where possible, review commands before running them, and avoid curl-to-bash unless you trust the source.

What this means

Users may misunderstand whether large or sensitive binary files will be copied into the backup area.

Why it was flagged

The documentation gives inconsistent guidance about binary-file handling, first saying binary files are copied as .bak backups and later saying they are not recorded.

Skill content
Binary files ... are saved as `.bak` backups ... If binary files are involved (images, PDFs, etc.), they are not recorded; the user must keep them safe on their own

Recommendation

Clarify binary-file behavior before relying on the skill for binary recovery or before using it on sensitive media/PDF files.