Skylv Agent Settings Manager
Pass
Audited by VirusTotal on May 1, 2026.
Overview
Type: OpenClaw Skill
Name: skylv-agent-settings-manager
Version: 1.0.0
The bundle contains metadata and documentation (SKILL.md) for a configuration management tool named 'agent-settings-manager'. While the documentation describes high-privilege operations such as secret rotation, environment syncing via Git, and configuration overrides, these are standard features for the stated purpose. No executable code (e.g., the referenced 'config.js') is included in the bundle, and the documentation contains no evidence of malicious intent, prompt injection, or data exfiltration logic.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unreviewed command could change production behavior or invalidate credentials.
The skill documents commands that can affect production configuration and rotate secrets. These are aligned with configuration management and shown as user-run examples, but they are high-impact operations.
node config.js env promote --from staging --to production --dry-run
node config.js secrets rotate --env production --keys API_KEY,DB_PASSWORD
Use dry-run mode, require explicit approval for production changes, and confirm backups or rollback procedures before running mutation commands.
If connected to real secret stores, the agent could view, set, or rotate sensitive credentials depending on the external tool's permissions.
The skill explicitly includes secret management through a Vault-like provider. This is expected for the stated purpose, but it means the agent may need access to sensitive secret-management permissions.
"secrets": {
"provider": "vault",
"rotation": "90d",
"scanForLeaks": true
}
Use scoped credentials, separate dev/staging/production access, avoid pasting raw secrets into chat, and audit any secret rotation actions.
Users may need to supply or trust an external/local config.js, whose behavior was not assessed in this review.
The documented workflow relies on a config.js helper, but the supplied artifact set is instruction-only and does not include that file, so the actual implementation and provenance are not reviewable here.
node config.js validate --file config.json --schema config.schema.json
Only run a config.js implementation from a trusted source and review its code, dependencies, and permissions before using it with production configs or secrets.
Old configuration values, including sensitive or unsafe settings if not filtered, could remain available through history or rollback.
The skill describes persistent configuration history. Since the same skill also handles environment variables and secrets, users should ensure sensitive values are excluded or protected in stored versions.
Full version history with diff and rollback capabilities.
Keep secrets out of version history, encrypt stored configuration data, and review rollback targets before reusing older configurations.
A malformed or malicious configuration commit could affect multiple environments or agents if auto-sync and auto-reload are enabled.
The skill supports syncing production configuration from Git and automatically reloading on changes. That is coherent for config management, but a bad config change could propagate quickly.
node config.js sync --source git --repo org/configs --path /production
node config.js sync --watch --auto-reload --debounce 5s
Use branch protection, signed/reviewed config changes, staged rollout, and disable auto-reload for critical production systems unless monitored.
