ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Config Optimizer

v1.0.0

OpenClaw Configuration Optimizer. Analyze and optimize OpenClaw config files for better performance and security. Triggers: optimize config, OpenClaw setting...

0· 39·0 current·0 all-time
by@sky-lv
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to analyze and optimize OpenClaw configs, which fits the content. However the SKILL.md instructs running commands that require external tooling (node, openclaw CLI) and references a helper script (optimize-config.js) that is not included; yet the registry metadata declares no required binaries or install steps. The absence of a source/homepage also reduces traceability.
!
Instruction Scope
Instructions explicitly tell the user/agent to back up files, run a local Node script, validate config, and restart the OpenClaw gateway — actions that modify system state. Those are broadly within a config-optimizer's remit, but the script invoked (node optimize-config.js) is not provided and the doc does not require or explain how that script is obtained or reviewed. The SKILL.md references specific user file paths (~/.qclaw/openclaw.json) and API keys, which is expected, but there is no guidance about confirming user consent before restarting services.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which minimizes install-time risk. There is nothing being downloaded or written by an install step in the skill bundle.
Credentials
The skill declares no required environment variables or credentials, and the instructions recommend storing API keys in env vars (good practice). However, it references verifying API keys and reading config files in home directories — expected for this purpose. The mismatch between declared requirements (none) and actual command usage (node, OpenClaw CLI) is the primary proportionality concern.
Persistence & Privilege
The skill does not request always:true and is user-invocable. Autonomous invocation is allowed by platform default but is not combined with other high-privilege flags. The skill does instruct actions (restart gateway) that have system impact, so care is needed when granting autonomy.
What to consider before installing
This skill looks like it intends to help with OpenClaw config tuning, but there are inconsistencies you should resolve before running anything: 1) The doc tells you to run `node optimize-config.js` and `openclaw gateway restart` but the skill bundle contains no optimize-config.js and declares no required binaries—verify you have Node and the OpenClaw CLI installed and obtain/review the optimize-config.js source before running it. 2) Confirm file paths (the doc uses ~/.qclaw/openclaw.json — note the 'qclaw' vs 'openclaw' naming) to avoid operating on the wrong files. 3) Back up configs (the doc suggests cp) and test changes in a staging environment; do not let the agent autonomously execute restarts unless you explicitly permit it. 4) Ask the publisher for source/homepage or the missing script, or prefer a version that includes the optimizer script or a clear, reviewable installation step. If you proceed, run commands manually after inspection rather than granting broad autonomous rights.

Like a lobster shell, security has layers — review code before you run it.

latestvk972fzae9kghgm5e52s8ern8yx84n6er

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments