Skylv Agent Settings Manager
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill is coherent for configuration management, but it can involve production settings, secrets, and auto-sync, so users should verify the actual tooling before using it.
Before using this skill, confirm what config.js implementation will actually run, use least-privilege Git/Vault credentials, require explicit approval for production changes, and avoid enabling watch/auto-reload or version history for sensitive configs without review and retention controls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unreviewed command could change production behavior or invalidate credentials.
The skill documents commands that can affect production configuration and rotate secrets. These are aligned with configuration management and shown as user-run examples, but they are high-impact operations.
node config.js env promote --from staging --to production --dry-run
node config.js secrets rotate --env production --keys API_KEY,DB_PASSWORD
Use dry-run mode, require explicit approval for production changes, and confirm backups or rollback procedures before running mutation commands.
If connected to real secret stores, the agent could view, set, or rotate sensitive credentials depending on the external tool's permissions.
The skill explicitly includes secret management through a Vault-like provider. This is expected for the stated purpose, but it means the agent may need access to sensitive secret-management permissions.
"secrets": {
"provider": "vault",
"rotation": "90d",
"scanForLeaks": true
}
Use scoped credentials, separate dev/staging/production access, avoid pasting raw secrets into chat, and audit any secret rotation actions.
Users may need to supply or trust an external/local config.js, whose behavior was not assessed in this review.
The documented workflow relies on a config.js helper, but the supplied artifact set is instruction-only and does not include that file, so the actual implementation and provenance are not reviewable here.
node config.js validate --file config.json --schema config.schema.json
Only run a config.js implementation from a trusted source and review its code, dependencies, and permissions before using it with production configs or secrets.
Old configuration values, including sensitive or unsafe settings if not filtered, could remain available through history or rollback.
The skill describes persistent configuration history. Since the same skill also handles environment variables and secrets, users should ensure sensitive values are excluded or protected in stored versions.
Full version history with diff and rollback capabilities.
Keep secrets out of version history, encrypt stored configuration data, and review rollback targets before reusing older configurations.
A malformed or malicious configuration commit could affect multiple environments or agents if auto-sync and auto-reload are enabled.
The skill supports syncing production configuration from Git and automatically reloading on changes. That is coherent for config management, but a bad config change could propagate quickly.
node config.js sync --source git --repo org/configs --path /production
node config.js sync --watch --auto-reload --debounce 5s
Use branch protection, signed/reviewed config changes, staged rollout, and disable auto-reload for critical production systems unless monitored.
