
Elegant Config Guardian

Author: wangwu-30 · GitHub · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 436
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install elegant-config-guardian
Description
Safely apply OpenClaw config changes with automatic rollback and ack timeout guard. Use when editing ~/.openclaw/openclaw.json, restarting gateway, enabling...
Usage instructions (SKILL.md)

Elegant Config Guardian

Use scripts/safe_apply.sh to enforce: backup → apply → restart → health check → optional ack wait → rollback on failure.

Run

bash scripts/safe_apply.sh \
  --config ~/.openclaw/openclaw.json \
  --apply-cmd 'python3 /tmp/patch.py' \
  --ack-timeout 60 \
  --require-ack

Ack mode

When --require-ack is enabled, the script prints an ack token file path. A successful manual ack is:

touch <ack-file-path>

If timeout expires without ack, rollback is triggered automatically.

Defaults

  • Health probe command: openclaw gateway status and require RPC probe: ok
  • Restart command: openclaw gateway restart
  • Backup file: <config>.bak.YYYYmmdd-HHMMSS

Recommended workflow

  1. Prepare a deterministic patch command (--apply-cmd).
  2. Run with --require-ack --ack-timeout 45 for production changes.
  3. Verify health.
  4. Ack explicitly only after end-to-end validation.
  5. Let timeout auto-rollback if validation cannot complete in time.
Security recommendations
This skill is internally coherent but treat it as powerful: it will overwrite your OpenClaw config and restart the gateway. Before running: 1) Ensure the 'openclaw' CLI is installed and functional (the script assumes it though the metadata doesn't declare it). 2) Carefully review and control the --apply-cmd you provide — the script uses eval and will execute whatever you pass (use a deterministic script you inspected, not untrusted input). 3) Run first in a safe/test environment to verify the health-check string and restart behavior. 4) Verify filesystem ownership and that backups are stored where you expect; be cautious with symlinked config files and permissions to avoid accidental overwrite of unintended files. 5) Prefer running as a user with just enough privileges (not root) unless elevated rights are required. If you want higher assurance, request that the skill metadata be updated to declare the 'openclaw' binary requirement and, optionally, replace eval usage with a safer invocation pattern.
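One shape the "safer invocation pattern" suggested above can take, as an added example that is not the skill's own scripts/safe_apply.sh: the apply command is passed as an argument vector and run with "$@" instead of being handed to eval as a string, and a symlinked config is refused. The function name guarded_apply and its return codes are assumptions made for this sketch; the gateway restart, health probe and ack wait are left out.

```shell
#!/bin/sh
# Added example, not the skill's script: backup -> apply -> rollback on failure,
# with the apply command taken as argv rather than as a string for eval.

# guarded_apply CONFIG CMD [ARG...]   (hypothetical name)
# Returns 0 if CMD succeeded, 1 if CMD failed and CONFIG was restored,
# 2 if the request was refused before the config was touched.
guarded_apply() {
    ga_cfg=$1
    shift
    # Refuse when no command is given, the config is missing, or it is a
    # symlink (backup and restore would otherwise follow the link elsewhere).
    [ "$#" -ge 1 ] || return 2
    [ -f "$ga_cfg" ] || return 2
    [ ! -L "$ga_cfg" ] || return 2

    # Backup name follows the page's default: <config>.bak.YYYYmmdd-HHMMSS
    ga_bak="$ga_cfg.bak.$(date +%Y%m%d-%H%M%S)"
    cp -p -- "$ga_cfg" "$ga_bak" || return 2

    # "$@" runs CMD with its arguments exactly as passed. There is no second
    # round of shell parsing, so ';' or '$( )' inside an argument stays data.
    if "$@"; then
        return 0
    fi

    # Apply failed: restore the backup over the possibly half-written config.
    cp -p -- "$ga_bak" "$ga_cfg"
    return 1
}
```

A caller would invoke it as `guarded_apply ~/.openclaw/openclaw.json python3 /tmp/patch.py`, with each argument as its own word.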
Functional analysis
Type: OpenClaw Skill
Name: elegant-config-guardian
Version: 0.1.0

The skill's core script, `scripts/safe_apply.sh`, uses `eval "$APPLY_CMD"` to execute a user-provided command. This creates a severe shell injection vulnerability, allowing arbitrary command execution (RCE) with the privileges of the OpenClaw agent. While the skill's stated purpose is to safely apply configuration changes and the code itself does not contain explicit malicious payloads or instructions for data exfiltration, persistence, or unauthorized access, this critical flaw makes it highly exploitable, classifying it as suspicious.
Capability assessment
Purpose & Capability
The script implements exactly the advertised behaviour (safe apply + rollback + optional ack). One minor mismatch: the registry metadata lists no required binaries, but the runtime script expects the 'openclaw' CLI (and standard Unix tools like cp, grep). Declaring 'openclaw' as a required binary would be appropriate.
Instruction Scope
SKILL.md and the script are narrowly scoped to operating on the specified config file, restarting the gateway, and checking health. The script runs the user-supplied --apply-cmd via eval, which necessarily allows arbitrary commands — this is expected for a patch/apply hook but increases the importance of ensuring the apply command is trustworthy and deterministic.
Install Mechanism
No install spec or external downloads are present; this is an instruction-only skill with a small bundled shell script. Nothing is written to disk by an installer.
Credentials
The skill requests no secrets or environment variables. It accesses $HOME (default config path) and /tmp for ack/status files — appropriate for its purpose. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is user-invocable (not always:true) and doesn't attempt to persistently modify other skills or system-wide settings. It does restart the gateway and overwrite the config (expected given its purpose), so it needs the privilege to manage the OpenClaw gateway when invoked.
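How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the dialog box: /install elegant-config-guardian
  3. Once installation completes, call the Skill by name or trigger it with /elegant-config-guardian
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output.
Version history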
v0.1.0
Initial elegant release: guarded config apply + auto rollback
Metadata
Slug elegant-config-guardian
Version 0.1.0
License
Total installs 0
Current installs 0
Number of historical versions 1
FAQ

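What is Elegant Config Guardian?

Safely apply OpenClaw config changes with automatic rollback and ack timeout guard. Use when editing ~/.openclaw/openclaw.json, restarting gateway, enabling... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 436 total downloads to date.

How do I install Elegant Config Guardian?

Run the command "/install elegant-config-guardian" in the OpenClaw or Claude Code dialog box to install it in one step; no additional configuration is required.

Is Elegant Config Guardian free?

Yes, Elegant Config Guardian is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Elegant Config Guardian support?

Elegant Config Guardian runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Elegant Config Guardian?

It is developed and maintained by wangwu-30 (@wangwu-30); the current version is v0.1.0.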
