ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Config Validator

v1.0.0

OpenClaw Agent配置验证器 - 自动检查openclaw.json与agent核心文档的一致性,检测过时引用,生成诊断报告并支持自动修复。当新增/调整agent或修改核心文档后使用此技能确保配置完整性。

0· 109·0 current·0 all-time
by@starai-2026
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill declares and implements functionality to read/write openclaw.json and inspect agent directories and core documents — these filesystem operations are coherent with a configuration validator. No unrelated cloud credentials, unusual binaries, or extraneous system access are requested.
Instruction Scope
SKILL.md and README describe read-only validation by default, a limited whitelist of safe auto-fixes, and sensitive items that require confirmation. The runtime instructions only reference local files (openclaw.json, agents directories, core docs) and interactive confirmation; there are no instructions to collect or transmit data to external endpoints.
Install Mechanism
No install spec or external downloads are present; the package is instruction-and-code only. Code is included in the repo (src/validator.js) but there is no installer that fetches remote archives or runs network installers.
Credentials
The skill does not request secrets or credentials. It optionally reads OPENCLAW_ROOT (used to locate the repo) and requires filesystem read/write permissions for openclaw.json and agent directories — this is proportional to its purpose. Ensure the tool is run with appropriate user privileges to avoid unintended system-wide file changes.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request permanent platform privileges or modify other skills. It performs local file modifications only when run in a repair mode (and the documentation states backups and confirmations are used).
Assessment
This skill appears internally consistent with a configuration-validator: it reads openclaw.json and agent directories and provides a safe whitelist for automatic fixes. Before you run it with --fix or grant write permissions: (1) run in dry-run / verbose mode first to review findings, (2) inspect src/validator.js locally (ensure backup/save behavior and no unexpected network or shell calls), (3) keep backups or run under version control, and (4) run as a user with only the necessary filesystem rights. Note: test-skill.js executes the validator with child_process.execSync (expected for a local integration test) — review it before running to avoid executing code from an unexpected path.
test-skill.js:22
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

agentvk97amdggw0ba0edj8r14gbpxkd8344avconfigvk97amdggw0ba0edj8r14gbpxkd8344avlatestvk97amdggw0ba0edj8r14gbpxkd8344avopenclawvk97amdggw0ba0edj8r14gbpxkd8344avvalidatorvk97amdggw0ba0edj8r14gbpxkd8344av

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments