openclaw configurator

v1.0.2

A smart assistant specialized in helping users configure OpenClaw. It provides guidance based on vague user requirements (clarifying needs through multi-roun...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (OpenClaw configurator) match the SKILL.md: it guides multi-round requirement capture and generates the set of .md configuration files for an OpenClaw workspace. No unrelated environment variables, binaries, or install steps are requested.
Instruction Scope
The runtime instructions correctly focus on eliciting user preferences and generating specified files, but they explicitly encourage capturing environment-specific details in TOOLS.md (camera names, SSH details, ElevenLabs voice settings) and recommend running 'openclaw onboard --install-daemon' and periodic heartbeats. These are within the configurator's scope but could cause collection/storage of sensitive data if the assistant or the user places secrets verbatim into workspace files.
Install Mechanism
No install spec, no code files, and nothing is downloaded or written by the skill itself. Instruction-only skills are the lowest install risk.
Credentials
The skill does not request environment variables or credentials itself, which is proportionate. However, it explicitly suggests including things like SSH connection info and third-party voice settings in generated files — this could encourage storing secrets or API keys in plaintext in ~/.openclaw/workspace if users follow instructions without care.
Persistence & Privilege
The skill is not always-enabled and agent invocation settings are default. It recommends using an install-daemon and periodic heartbeat tasks; those are reasonable for a persistent assistant but increase runtime persistence if the user chooses to enable them. The skill itself does not create or require persistent privileges.
Scan Findings in Context
[no-findings] expected: The static scanner found no code or regex matches because this is an instruction-only skill (only SKILL.md, SKILL_zh.md, and a small evals.json are present). That lack of findings is expected and does not imply absence of risk — the runtime instructions (which will be executed by the agent) are the primary surface to review.
Assessment
This skill appears to do what it says — help you produce OpenClaw configuration files — but it will ask you for potentially sensitive environment details and suggests storing them in ~/.openclaw/workspace. Before using it:
1) Do not paste private keys, passwords, or raw SSH credentials into generated .md files — use a secrets manager or environment variables instead.
2) If you enable a daemon or heartbeat, understand that it makes the assistant persistently active on your machine; only enable if you trust the installed OpenClaw runtime.
3) If you initialize a git repo for backups, add ~/.openclaw/workspace/ to .gitignore for any files that contain secrets.
4) Prefer 'pairing' or allowlists for public channels as suggested, and review all generated files before running any commands they reference (e.g., openclaw onboard).

Like a lobster shell, security has layers — review code before you run it.
