← Back to Skills Marketplace
708
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-json-editing
Description
Advanced editing of OpenClaw JSON5 configs with schema validation, merge patching, env var substitution, and type-safe modifications using jq.
Usage Guidance
This skill appears intended to edit OpenClaw configuration files and handle env-var substitution, but its metadata and documentation don't line up. Before installing: 1) Ask the publisher why jq is required and request concrete examples showing how jq is used (or remove jq if unused). 2) Confirm whether the agent will read files under ~/.openclaw and environment variables (including API keys) at runtime — those are sensitive. 3) If you plan to use it, run the skill in a sandbox or with limited test configs first, and back up ~/.openclaw. 4) Prefer an updated SKILL.md that lists required binaries/CLI tools, enumerates any environment variables it will read, and provides explicit commands the agent will run so you can verify there is no unexpected exfiltration of secrets.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-json-editing
Version: 1.0.0
The skill bundle is designed for legitimate OpenClaw configuration management, including editing JSON, handling environment variables, and configuring AI model providers. However, it is classified as 'suspicious' due to the inclusion of a `jq` command (`jq '.. | objects | .apiKey? // .token? // .password? | select(.)' ~/.openclaw/config.json`) explicitly designed to 'Deep search for all API keys (for audit)' within configuration files (SKILL.md). While framed as an audit tool, this command directly targets and extracts highly sensitive credentials. An AI agent executing this command, especially if susceptible to prompt injection, could easily be instructed to exfiltrate the collected secrets, representing a significant data exposure vulnerability. Additionally, the skill demonstrates the agent's ability to make external network requests using `curl` with API keys from environment variables, further highlighting its high-risk capabilities.
Capability Assessment
Purpose & Capability
The skill claims advanced JSON5 editing and 'type-safe modifications using jq', but the SKILL.md is almost entirely TypeScript code examples (JSON5, Zod, fs) and contains no concrete jq commands or examples. Requiring the jq binary in metadata is disproportionate given the instruction content; either jq is unnecessary or the documentation is incomplete. Also the skill references OpenClaw-specific CLI commands (openclaw config validate/patch/path) without declaring them as required binaries or explaining how the agent will invoke them.
Instruction Scope
SKILL.md includes explicit file paths (e.g. ~/.openclaw/config.json, ~/.openclaw/agents/<id>/config.json, sessions/state dir) and code showing reading/writing those files and collecting environment variable references (OPENAI_API_KEY, ANTHROPIC_API_KEY). These are concrete instructions that imply the agent should read user config files and environment variables and write back to disk. The skill metadata does not declare or explain this access, so the runtime instruction set has broader scope than the declared surface.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing new will be written to disk at install time. That lowers install-time risk.
Credentials
The SKILL.md explicitly discusses substituting values like ${OPENAI_API_KEY} and ${ANTHROPIC_API_KEY:-fallback-key} and includes code to collect env-var paths. However the registry metadata declares no required environment variables or credentials. That mismatch is concerning because the skill's legitimate function (editing configs that embed API keys) requires reading environment variables and potentially handling secrets, yet no environment access is declared or scoped.
Persistence & Privilege
always:false (normal) and the skill does not request system-wide privileges, but its instructions include code to write config files under ~/.openclaw and modify agent config files. Writing user configuration is a legitimate capability for a config-editing skill, but it means the agent will modify persistent data on the host if invoked — the user should expect file writes to their OpenClaw state directory.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-json-editing - After installation, invoke the skill by name or use
/openclaw-json-editing - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Full source code analysis (1.2k+ files). JSON5 configs, model families/reasoning variants (grok-4-1-fast auto-switching), provider setup, Zod schemas, jq patterns, env substitution, atomic writes, security best practices. Essential for OpenClaw config mastery.
Metadata
Frequently Asked Questions
What is OpenClaw JSON Editing Masterclass?
Advanced editing of OpenClaw JSON5 configs with schema validation, merge patching, env var substitution, and type-safe modifications using jq. It is an AI Agent Skill for Claude Code / OpenClaw, with 708 downloads so far.
How do I install OpenClaw JSON Editing Masterclass?
Run "/install openclaw-json-editing" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw JSON Editing Masterclass free?
Yes, OpenClaw JSON Editing Masterclass is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw JSON Editing Masterclass support?
OpenClaw JSON Editing Masterclass is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw JSON Editing Masterclass?
It is built and maintained by avirweb (@avirweb); the current version is v1.0.0.
More Skills