openclaw-config-master Security Report — Low Risk | ClawSafe

15 /100

openclaw-config-master

Edit and validate OpenClaw Gateway config (openclaw.json / JSON5)

This is a legitimate OpenClaw configuration management skill with proper documentation. The flagged curl|sh pattern is for installing the OpenClaw CLI in CI workflows, not malicious code execution.

Skill Nameopenclaw-config-master

Duration28.6s

Enginepi

✓

Safe to install

No blocking action required. Consider adding explicit capability declarations to SKILL.md for transparency.

Findings 2 items

Severity	Finding	Location
Low	Missing capability declaration Doc Mismatch SKILL.md does not explicitly declare filesystem WRITE and shell WRITE permissions used by the config management scripts `No declared allowed-tools mapping` → Add explicit capability declaration for filesystem WRITE and shell WRITE operations	`SKILL.md:1`
Info	Unpinned remote script in documentation Supply Chain The GitHub workflow example downloads OpenClaw installer without version pinning (`curl -fsSL https://get.openclaw.dev \| sh`) `curl -fsSL https://get.openclaw.dev \| sh` → Consider pinning to a specific version for reproducibility: `curl -fsSL https://get.openclaw.dev/v{version} \| sh`	`agents/openai.yaml:8`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`WRITE`	✓ Aligned	Legitimate config backup/restore scripts in scripts/ directory
Shell	`READ`	`WRITE`	✓ Aligned	Scripts invoke openclaw CLI commands for config management
Network	`NONE`	`READ`	✓ Aligned	Workflow downloads OpenClaw installer from get.openclaw.dev

1 Critical 29 findings

💀

Critical Dangerous Command 危险 Shell 命令

curl -fsSL https://get.openclaw.dev | sh

references/common-errors.md:462

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/gateway/configuration

SKILL.md:61

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/gateway/configuration-reference

SKILL.md:62

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/cli/config

SKILL.md:63

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/cli/update

SKILL.md:64

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/cli/channels

SKILL.md:65

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/cli/skills

SKILL.md:66

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/cli/security

SKILL.md:67

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/gateway/models

SKILL.md:68

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/gateway/agents

SKILL.md:69

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/gateway/tools

SKILL.md:70

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/gateway/plugins

SKILL.md:71

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/gateway/cron

SKILL.md:72

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/gateway/session

SKILL.md:73

🔗

Medium External URL 外部 URL

https://get.openclaw.dev

references/common-errors.md:462

🔗

Medium External URL 外部 URL

https://api.yourprovider.com/v1

references/complex-operations.md:87

🔗

Medium External URL 外部 URL

https://t.me/BotFather

references/complex-operations.md:206

🔗

Medium External URL 外部 URL

https://t.me/userinfobot

references/complex-operations.md:245

🔗

Medium External URL 外部 URL

https://open.feishu.cn/

references/complex-operations.md:288

🔗

Medium External URL 外部 URL

https://discord.com/developers/applications

references/complex-operations.md:494

🔗

Medium External URL 外部 URL

https://api.slack.com/apps

references/complex-operations.md:525

🔗

Medium External URL 外部 URL

https://api.search.brave.com

references/complex-operations.md:645

🔗

Medium External URL 外部 URL

https://api.firecrawl.dev

references/complex-operations.md:650

🔗

Medium External URL 外部 URL

https://api.perplexity.ai

references/complex-operations.md:654

🔗

Medium External URL 外部 URL

https://push.example.com

references/complex-operations.md:906

🔗

Medium External URL 外部 URL

https://api.x.ai

references/openclaw-config-fields.md:431

🔗

Medium External URL 外部 URL

https://api.moonshot.cn

references/openclaw-config-fields.md:437

🔗

Medium External URL 外部 URL

https://api.minimaxi.com/anthropic

references/openclaw-config-fields.md:1314

📧

Info Email 邮箱地址

[email protected]

references/openclaw-config-fields.md:768

File Tree

14 files · 202.7 KB · 7843 lines

Markdown 7f · 6549L Shell 5f · 1286L JSON 1f · 5L YAML 1f · 3L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 3L · 107 B

├─ ▾ 📁 references

│ ├─ 📝 channels-config.md Markdown 466L · 13.1 KB

│ ├─ 📝 common-errors.md Markdown 1336L · 31.9 KB

│ ├─ 📝 complex-operations.md Markdown 1437L · 35.7 KB

│ ├─ 📝 openclaw-config-fields.md Markdown 1680L · 44.7 KB

│ ├─ 📝 schema-sources.md Markdown 86L · 3.9 KB

│ └─ 📝 version-migration.md Markdown 901L · 21.7 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 backup-config.sh Shell 208L · 5.0 KB

│ ├─ 🔧 openclaw-config-check.sh Shell 63L · 1.4 KB

│ ├─ 🔧 restore-config.sh Shell 350L · 8.1 KB

│ ├─ 🔧 validate-config.sh Shell 393L · 8.6 KB

│ └─ 🔧 validate-migration.sh Shell 272L · 6.3 KB

├─ 📋 _meta.json JSON 5L · 141 B

└─ 📝 SKILL.md Markdown 643L · 22.2 KB

Security Positives

✓ No credential harvesting or token theft patterns detected

✓ No data exfiltration or C2 communication

✓ No reverse shell or arbitrary code execution

✓ All shell scripts are documented configuration management tools

✓ No base64-encoded or obfuscated payloads

✓ Scripts use safe patterns (set -euo pipefail, argument parsing)

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ Config backup scripts properly validate before operations

Scan Report

Findings 2 items

File Tree

Security Positives