Elegant Config Guardian
v0.1.0Safely apply OpenClaw config changes with automatic rollback and ack timeout guard. Use when editing ~/.openclaw/openclaw.json, restarting gateway, enabling...
⭐ 0· 309·0 current·0 all-time
MIT-0
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The script implements exactly the advertised behaviour (safe apply + rollback + optional ack). One minor mismatch: the registry metadata lists no required binaries, but the runtime script expects the 'openclaw' CLI (and standard Unix tools like cp, grep). Declaring 'openclaw' as a required binary would be appropriate.
Instruction Scope
SKILL.md and the script are narrowly scoped to operating on the specified config file, restarting the gateway, and checking health. The script runs the user-supplied --apply-cmd via eval, which necessarily allows arbitrary commands — this is expected for a patch/apply hook but increases the importance of ensuring the apply command is trustworthy and deterministic.
Install Mechanism
No install spec or external downloads are present; this is an instruction-only skill with a small bundled shell script. Nothing is written to disk by an installer.
Credentials
The skill requests no secrets or environment variables. It accesses $HOME (default config path) and /tmp for ack/status files — appropriate for its purpose. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is user-invocable (not always:true) and doesn't attempt to persistently modify other skills or system-wide settings. It does restart the gateway and overwrite the config (expected given its purpose), so it needs the privilege to manage the OpenClaw gateway when invoked.
Assessment
This skill is internally coherent but treat it as powerful: it will overwrite your OpenClaw config and restart the gateway. Before running: 1) Ensure the 'openclaw' CLI is installed and functional (the script assumes it though the metadata doesn't declare it). 2) Carefully review and control the --apply-cmd you provide — the script uses eval and will execute whatever you pass (use a deterministic script you inspected, not untrusted input). 3) Run first in a safe/test environment to verify the health-check string and restart behavior. 4) Verify filesystem ownership and that backups are stored where you expect; be cautious with symlinked config files and permissions to avoid accidental overwrite of unintended files. 5) Prefer running as a user with just enough privileges (not root) unless elevated rights are required. If you want higher assurance, request that the skill metadata be updated to declare the 'openclaw' binary requirement and, optionally, replace eval usage with a safer invocation pattern.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Elegant Config Guardian
Use scripts/safe_apply.sh to enforce: backup → apply → restart → health check → optional ack wait → rollback on failure.
Run
bash scripts/safe_apply.sh \
--config ~/.openclaw/openclaw.json \
--apply-cmd 'python3 /tmp/patch.py' \
--ack-timeout 60 \
--require-ack
Ack mode
When --require-ack is enabled, the script prints an ack token file path.
A successful manual ack is:
touch <ack-file-path>
If timeout expires without ack, rollback is triggered automatically.
Defaults
- Health probe command:
openclaw gateway statusand requireRPC probe: ok - Restart command:
openclaw gateway restart - Backup file:
<config>.bak.YYYYmmdd-HHMMSS
Recommended workflow
- Prepare a deterministic patch command (
--apply-cmd). - Run with
--require-ack --ack-timeout 45for production changes. - Verify health.
- Ack explicitly only after end-to-end validation.
- Let timeout auto-rollback if validation cannot complete in time.
Files
2 totalSelect a file
Select a file to preview.
Comments
Loading comments…