← Back to Skills Marketplace
ground-control
by
Jonathan Jing
· GitHub ↗
· v0.3.5
362
Downloads
0
Stars
0
Active Installs
10
Versions
Install in OpenClaw
/install ground-control
Description
Post-upgrade verification system for OpenClaw. Defines a model/cron/channel ground truth file and a 5-phase automated verification flow (config integrity, AP...
README (SKILL.md)
ground-control
Post-upgrade verification for OpenClaw. Keeps your system honest after every upgrade.
🛠️ Installation
1. Ask OpenClaw (Recommended)
Tell OpenClaw: "Install the ground-control skill." The agent will handle the installation and configuration automatically.
2. Manual Installation (CLI)
If you prefer the terminal, run:
clawhub install ground-control
Permissions & Privileges
This skill requires the following OpenClaw capabilities:
gateway config.get— read current config (all phases)gateway config.patch— auto-fix config drift (Phase 1 only)cron list/cron update— verify and auto-fix cron jobs (Phase 3)sessions_spawn— smoke test sessions (Phase 2, 4, 5)message send— channel liveness test + summary report (Phase 5)
Auto-fix behavior: Phases 1 and 3 will automatically patch config/cron to match GROUND_TRUTH. Use --dry-run to disable auto-fix and get a report-only run.
Security & Redaction: This skill enforces a Zero-Secret Logging protocol.
- Immediate Redaction: Sensitive nodes (
auth,plugins) are stripped from memory after fetching runtime config. - Redacted Drift: Mismatches in sensitive fields are reported as
[REDACTED_SENSITIVE_MISMATCH]. - Functional Validation: API keys are tested through functional calls (Phase 2), never through literal comparison.
- No Persistence: Literal credentials are never written to
memory/files or messaging channels.
Environment variables: None.
When to use
- After running
openclaw updateornpm install -g openclaw@latest - When you suspect config drift (model changed, cron broken, channel down)
- Periodic health check via
/verifycommand
Setup
- Copy
templates/MODEL_GROUND_TRUTH.mdto your workspace root - Fill in your actual config values (models, cron jobs, channels)
- Add the GROUND_TRUTH sync rule to your AGENTS.md (see README)
- Run
/verifyto test
Files
templates/MODEL_GROUND_TRUTH.md— Ground truth template (copy to workspace root)scripts/post-upgrade-verify.md— Agent execution prompt for 5-phase verificationscripts/UPGRADE_SOP.md— Upgrade standard operating procedure
Usage Guidance
This skill is internally consistent for post-upgrade verification, but it performs powerful changes (gateway config.patch and cron update). Before installing: 1) Ensure the controlling agent has appropriate, least-privilege permissions; 2) Back up your runtime config; 3) Run the skill in --dry-run / report-only mode first to inspect the drift report and confirm redaction behavior; 4) Confirm the ops channel destination is internal and not an external webhook; 5) Review MODEL_GROUND_TRUTH.md to ensure it contains no secrets or credentials. If you rely on the skill's zero-secret logging, audit its first few runs to verify no secret leakage occurs.
Capability Analysis
Type: OpenClaw Skill
Name: ground-control
Version: 0.3.5
The skill is designed for post-upgrade verification and auto-repair of OpenClaw configurations and cron jobs. While it utilizes powerful capabilities like `gateway config.patch` and `cron update`, the skill's design is heavily security-focused. The `SKILL.md` and `scripts/post-upgrade-verify.md` files contain extensive and explicit 'Zero-Secret Logging Protocol' and 'Immediate Redaction' instructions, directing the AI agent to strip sensitive data from memory, avoid logging credentials, and only perform functional validation of API keys via `sessions_spawn`. Auto-fix actions are guarded with dry-run options and human confirmation prompts. The prompt injection surface is used to enforce security boundaries, not to bypass them, and there is no evidence of intentional harmful behavior, data exfiltration, or obfuscation.
Capability Assessment
Purpose & Capability
The skill's name/description match what it does: 5-phase verification and optional auto-repair of config and cron. The capabilities it needs (read/patch config, list/update cron, spawn sessions, send messages) are coherent and necessary for those features.
Instruction Scope
All runtime instructions are contained to OpenClaw primitives (gateway, cron, sessions_spawn, message). The skill explicitly instructs the agent to redact sensitive nodes (auth/plugins/credentials) and to never log literal secrets. It reads runtime config and writes a non-sensitive report to memory/ and an ops channel (expected). This is scoped appropriately, but it relies on correct runtime enforcement of the redaction rules — a buggy agent implementation could still leak secrets.
Install Mechanism
Instruction-only skill with no install spec and no downloaded code. Lowest-risk install mechanism.
Credentials
The skill declares no environment variables or external credentials. It uses the platform's existing runtime capabilities to probe provider liveness and channels; this is proportional to its stated purpose.
Persistence & Privilege
The skill can auto-patch runtime config and cron (powerful operations). Auto-fix is bounded by guardrails (dry-run, pause if >3 fields changed, logs before/after). Users should ensure the agent has only necessary permissions and that backups are available before enabling auto-fix.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ground-control - After installation, invoke the skill by name or use
/ground-control - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.3.5
Updated version to v0.3.5 with full changelog integration.
v0.3.4
Added simplified installation instructions to SKILL.md for ClawHub display.
v0.3.3
Added simplified installation instructions to README.
v0.3.2
Added Security & Redaction Protocol for zero-secret logging.
v0.3.1
Remove stale curl/env-var references from CHANGELOG and verify script footer, add CHANGELOG v0.3.0 entry, clarify ops channel and memory write scope in Rules section
v0.3.0
Remove all API key/credential handling: Phase 2 now tests LLM providers via sessions_spawn only, no curl, no env vars, no non-LLM provider checks. credentials: none.
v0.2.2
Credential disclosure: added credentials.mode=user-declared in metadata, README Security Model section explaining why env vars are runtime-declared (Terraform analogy), credential handling guardrails table
v0.2.1
Fix credential exfiltration risk: endpoint validation with allowed_domain + HTTPS-only enforcement, explicit env_var naming (no enumeration), skip non-LLM checks when section absent, updated GROUND_TRUTH template with non_llm_providers schema
v0.2.0
Security hardening: explicit permissions/privileges disclosure, Phase 2 curl scope restricted to GROUND_TRUTH-declared providers only (no env enumeration), auto-fix guard rails (dry-run mode, 3-field pause threshold, before/after logging)
v0.1.0
Initial release: 5-phase post-upgrade verification system with auto-repair for config and cron drift
Metadata
Frequently Asked Questions
What is ground-control?
Post-upgrade verification system for OpenClaw. Defines a model/cron/channel ground truth file and a 5-phase automated verification flow (config integrity, AP... It is an AI Agent Skill for Claude Code / OpenClaw, with 362 downloads so far.
How do I install ground-control?
Run "/install ground-control" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ground-control free?
Yes, ground-control is completely free (open-source). You can download, install and use it at no cost.
Which platforms does ground-control support?
ground-control is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ground-control?
It is built and maintained by Jonathan Jing (@jonathanjing); the current version is v0.3.5.
More Skills