Claw Config
Warn
Audited by ClawScan on May 14, 2026.
Overview
Claw Config is mostly aligned with its self-configuration purpose, but it can persistently change OpenClaw settings and its self-scope protections have bypass and edge-case risks that need manual review.
Install only if you are comfortable giving this skill authority to edit OpenClaw configuration. Always inspect plan output before apply, avoid --force-shared unless a human operator explicitly requested it, and treat any agents.list, auth, secrets, gateway, model, commands, or skills change as a high-impact administrative action.
Publisher note
Pure-Python 3 stdlib (no pip deps). Outbound network: only curl GET to docs.openclaw.ai for official docs cache. Writes only to ~/.openclaw/openclaw.json via openclaw config patch and ~/.openclaw/.maintenance-{backups,cache}/.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misused or over-trusted invocation could change settings that affect other agents or the whole OpenClaw installation, not just the caller.
The guard recognizes many shared or sensitive configuration areas but provides a force-shared bypass. That exceeds the advertised single-agent self-modification boundary and could let an agent alter gateway, auth/session, secrets, model, command, or skill settings if invoked.
path[0] in {"agents", "gateway", "secrets", "auth", "session", "models", "meta", "wizard", "plugins", "acp", "tools", "hooks", "commands", "talk", "env", "messages", "skills", "browser", "canvasHost"} ... "re-run with --force-shared if intentional."
Do not allow autonomous use of --force-shared. Restrict apply to explicit allowlisted self-owned paths, and require human approval for shared, auth, secrets, gateway, model, command, or skills changes.
A patch intended to update one agent could accidentally remove or alter other agents' configuration if the full array is not preserved and the dry-run is not carefully reviewed.
The visible check flags non-self agent IDs only when they are present in the submitted agents.list patch. Because the artifacts document array replacement semantics, an agents.list patch that omits other agents can still cascade by replacing or removing entries outside the caller's slice.
if path == ["agents", "list"] and isinstance(node, list): for i, entry in enumerate(node): ... if eid and eid != self_id: other_agents.append(f"agents.list[{i}] (id={eid})") return
Reject agents.list array replacement by default, or compare the proposed array against the current config and require explicit human confirmation for any added, removed, or changed non-self agent entry.
Users may trust the tool to prevent all cross-agent impact when it still needs human review for shared sections and array changes.
This absolute safety claim is stronger than the visible implementation supports, given the force-shared bypass and agents.list replacement edge case. Overstating safety can cause users or agents to skip careful review of high-impact diffs.
Wrong-agent writes are impossible by construction.
Qualify the safety language, document the exact limitations and bypasses, and make the high-impact paths fail closed unless a human explicitly approves them.
Installation may rely on local tools and PATH changes that are not visible from the registry requirements summary.
The bundled README/install.sh describe use of local openclaw, python3, and curl plus a symlink install. This appears purpose-aligned, but the registry metadata under-declares setup/runtime expectations.
No install spec — this is an instruction-only skill. Required binaries (all must exist): none.
Declare required binaries and install behavior in metadata, or make clear that the code must be manually installed and invoked with the expected local OpenClaw CLI.
Stale or tampered cached docs could mislead an agent about configuration semantics, though the skill says schema should remain the source of truth.
The skill intentionally stores retrieved documentation for reuse in later agent decisions. The cache is versioned and age-reported, which mitigates the risk, but users should still understand that cached retrieved context can influence future config changes.
cache files live under `~/.openclaw/.maintenance-cache/docs/<openclaw-version>/<slug>` ... Each `docs` call also reports cache age on stderr
Keep the cache versioned and refreshable, prefer schema validation over cached prose, and consider integrity checks or cache clearing when troubleshooting.
