openclaw-config-helper

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUM · CREDENTIALS_UNSAFE · COMMAND_EXECUTION · DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The documentation explicitly identifies the use of secure password references (e.g., 'pass:api/key') as an 'error' and instructs that API keys must be hardcoded as plain-text strings in the configuration (found in SKILL.md under 'Case 3').
  • [COMMAND_EXECUTION]: The skill executes multiple local commands including a custom 'gateway' tool and a Bash script 'scripts/check_config.sh' that utilizes 'jq' to parse system files.
  • [DATA_EXFILTRATION]: The skill is designed to read and display sensitive configuration data from '~/.openclaw/openclaw.json' via the 'gateway action=config.get' command, which exposes system secrets to the chat interface.
  • [EXTERNAL_DOWNLOADS]: The skill fetches documentation from 'docs.openclaw.ai', which is the vendor's official domain and is considered a safe operation for this use case.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 13, 2026, 06:58 AM