Config Management
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is an instruction-only network configuration management skill with purpose-aligned but high-impact device commands and sensitive config backup handling.
This skill appears coherent for network configuration assurance. Before using it, ensure the operator is authorized for the target devices, require manual approval for any write or rollback command, prefer secure archive transport such as SCP, protect stored configs and golden baselines, and verify any MCP or SSH dependency before enabling it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a write command is run on the wrong device or without review, it could disrupt routing, switching, management access, or security controls.
The skill documents commands that can replace or roll back live network device configuration, including a Cisco force option that bypasses normal confirmation. The same section labels these as WRITE operations and says to confirm authorization and a maintenance window, so this is purpose-aligned but high-impact.
⚠️ Replace with file | `configure replace flash:[file] force` | `rollback [n]` then `commit` | `configure replace flash:[file]`
Require explicit human approval for every write/remediation command, preview diffs before applying changes, and prefer staged or confirmed rollback mechanisms where available.
A user or agent with these privileges can view sensitive device configuration and potentially alter production network behavior.
The skill requires device access and may require privileged network configuration rights for remediation or archival. This is expected for the stated purpose, but it is sensitive authority.
SSH or console access to the device (read-only sufficient for assessment; enable/configure privilege required for remediation or archival steps)
Use least-privilege accounts for read-only assessment, restrict write privileges to approved operators, and log all privileged sessions.
Stored configuration backups could expose network topology, management settings, secrets, or weak credentials if kept on insecure storage or transferred over insecure protocols.
The skill instructs users to persist full device configurations and maintain multiple archives. These archives can contain sensitive network details and may become trusted baselines for later drift analysis.
Back up the current configuration with timestamped naming... `copy running-config tftp://[server]/[hostname]-YYYYMMDD-HHMM.cfg` ... Maintain a minimum of 3 archived configs per device
Prefer encrypted transfer such as SCP over TFTP/FTP, restrict archive access, redact or protect secrets, and validate golden baselines against an approved source.
A user may not realize an external MCP integration or local SSH client could be needed if the registry metadata is the only information they review.
Nested metadata declares an ssh requirement and a git-netops-mcp dependency, while the registry summary says there are no required binaries and no install spec. There is no code or automatic install shown, so this is a review-context note rather than evidence of unsafe execution.
openclaw: '{"emoji":"🔧","safetyTier":"read-write","requires":{"bins":["ssh"],"env":[]},"tags":["config","backup","drift"],"mcpDependencies":["git-netops-mcp"],"egressEndpoints":[]}'
Verify whether git-netops-mcp is actually required, review its provenance before enabling it, and align registry requirements with the SKILL.md metadata.
