by 安全扫描
OpenClaw
安全
medium confidenceThe skill's requested access and behavior line up with its stated purpose (validating and safely repairing OpenClaw agent configs); nothing in the package indicates unrelated credential access or network exfiltration, though you should review and run it in dry-run mode before allowing writes.
评估建议
This skill appears internally consistent with a configuration-validator: it reads openclaw.json and agent directories and provides a safe whitelist for automatic fixes. Before you run it with --fix or grant write permissions: (1) run in dry-run / verbose mode first to review findings, (2) inspect src/validator.js locally (ensure backup/save behavior and no unexpected network or shell calls), (3) keep backups or run under version control, and (4) run as a user with only the necessary filesystem r...详细分析 ▾
✓ 用途与能力
The skill declares and implements functionality to read/write openclaw.json and inspect agent directories and core documents — these filesystem operations are coherent with a configuration validator. No unrelated cloud credentials, unusual binaries, or extraneous system access are requested.
✓ 指令范围
SKILL.md and README describe read-only validation by default, a limited whitelist of safe auto-fixes, and sensitive items that require confirmation. The runtime instructions only reference local files (openclaw.json, agents directories, core docs) and interactive confirmation; there are no instructions to collect or transmit data to external endpoints.
✓ 安装机制
No install spec or external downloads are present; the package is instruction-and-code only. Code is included in the repo (src/validator.js) but there is no installer that fetches remote archives or runs network installers.
✓ 凭证需求
The skill does not request secrets or credentials. It optionally reads OPENCLAW_ROOT (used to locate the repo) and requires filesystem read/write permissions for openclaw.json and agent directories — this is proportional to its purpose. Ensure the tool is run with appropriate user privileges to avoid unintended system-wide file changes.
✓ 持久化与权限
The skill is not always-enabled and is user-invocable. It does not request permanent platform privileges or modify other skills. It performs local file modifications only when run in a repair mode (and the documentation states backups and confirmations are used).
⚠ test-skill.js:22
Shell command execution detected (child_process).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/19
Initial release: OpenClaw Agent configuration validator with security mechanisms
● 无害
安装命令 点击复制
官方npx clawhub@latest install agent-config-validator
镜像加速npx clawhub@latest install agent-config-validator --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制