Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LuLu Monitor

v2.0.0

AI-powered LuLu Firewall companion for macOS. Monitors firewall alerts, analyzes connections with AI, sends Telegram notifications with Allow/Block buttons....

by Eason Chen (@easonc13)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (LuLu firewall companion that sends Telegram alerts and applies allow/block actions) matches the files and instructions: it requires LuLu, Node, OpenClaw Gateway (with Telegram channel) and installs a local Node service to inspect alerts and call back to LuLu. Using the OpenClaw CLI and local HTTP endpoints is coherent with the purpose.
Instruction Scope
SKILL.md and scripts limit activity to local endpoints, LuLu UI automation (AppleScript/Accessibility), and OpenClaw Gateway calls. However, the instructions explicitly require adding sessions_spawn to OpenClaw's allowlist and rely on invoking the gateway's /tools/invoke API — that is broader than just reading local alerts because it enables a gateway tool that can spawn sessions. The skill also recommends using CLI exec to send Telegram inline buttons and instructs creating a config file in ~/.openclaw/lulu-monitor/config.json. There is no instruction to exfiltrate secrets, but the gateway allowlist change is significant and should be reviewed.
Install Mechanism
The included install.sh clones a GitHub repository (https://github.com/EasonC13-agent/lulu-monitor.git) and runs npm install, then creates a launchd plist to run src/index.js. Cloning from GitHub is traceable (not a random IP or pastebin), but npm install runs third-party packages (and lifecycle scripts), which can execute arbitrary code on install. The skill writes files to ~/.openclaw/lulu-monitor and installs a persistent service — moderate install risk that is expected for this kind of tool but worth auditing the remote repo and package.json before running.
Credentials
The skill does not request secret environment variables and only needs the OpenClaw instance to be configured with a Telegram channel. That is proportionate. However, it asks you to modify OpenClaw's config to allow the sessions_spawn tool; this is a privilege escalation for the gateway and is not locally scoped to just this skill's config (so it increases the system-wide capabilities available to other code interacting with the gateway).
Persistence & Privilege
The installer creates a launchd service that runs continuously under the user's account. That's expected for a monitoring agent, but combined with the required OpenClaw allowlist change (sessions_spawn) it increases persistent privileges and attack surface: a persistent agent plus a broadly enabled gateway tool could enable remote command/session spawning via the gateway. 'always' is false, but the skill still requests persistent presence and a global gateway permission change.
What to consider before installing
This skill mostly does what it claims, but it makes two changes you should review before installing: (1) it clones and runs code from a GitHub repo and runs npm install — inspect the repository (especially src/index.js and package.json scripts) before running install.sh to ensure there are no malicious install scripts or unexpected network calls; (2) it instructs you to add sessions_spawn to your OpenClaw gateway allowlist — that enables a powerful tool globally on your gateway and increases the potential blast radius if other code accesses the gateway. Also review the generated launchd plist and logs, and be cautious with the optional auto-execute mode (it can automatically allow connections). If you don't want to trust the remote repo, consider manually reviewing and vendorizing the code, or running the service in a restricted environment (separate user account or VM) and only enabling sessions_spawn if you understand and accept the implications.


SKILL.md

LuLu Monitor

AI-powered companion for LuLu Firewall on macOS.


What It Does

  1. Monitors LuLu firewall alert popups
  2. Extracts connection info (process, IP, port, DNS)
  3. Spawns a fast AI (haiku) to analyze the connection
  4. Sends Telegram notification with risk assessment
  5. Provides 4 action buttons: Always Allow, Allow Once, Always Block, Block Once
  6. Executes the action on LuLu when user taps a button

Auto-Execute Mode (Optional)

For reduced interruptions, enable auto-execute mode. When the AI has high confidence (known safe programs like curl, brew, node, git connecting to normal destinations), it will:

  1. Automatically execute the Allow action
  2. Still send a Telegram notification explaining what was auto-allowed

To enable:

# Create config.json in install directory
cat > ~/.openclaw/lulu-monitor/config.json << 'EOF'
{
  "telegramId": "YOUR_TELEGRAM_ID",
  "autoExecute": true,
  "autoExecuteAction": "allow-once"
}
EOF

Options:

  • autoExecute: false (default) - all alerts require manual button press
  • autoExecuteAction: "allow-once" (default, conservative) or "allow" (permanent rule)

Installation

Prerequisites

Run the check script first:

bash scripts/check-prerequisites.sh

Required:

  • LuLu Firewall: brew install --cask lulu
  • Node.js: brew install node
  • OpenClaw Gateway: Running with Telegram channel configured
  • Accessibility Permission: System Settings > Privacy > Accessibility > Enable Terminal/osascript

Gateway Configuration (Required)

The monitor calls sessions_spawn via OpenClaw's /tools/invoke HTTP API. This tool is blocked by default. Add it to the allowlist in ~/.openclaw/openclaw.json:

{
  "gateway": {
    "tools": {
      "allow": ["sessions_spawn"]
    }
  }
}

Without this, alerts will be detected but fail to forward (404 in logs).

Install

bash scripts/install.sh

This will:

  1. Clone the repo to ~/.openclaw/lulu-monitor/
  2. Install npm dependencies
  3. Set up launchd for auto-start
  4. Start the service
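
A pre-install review of the three settings on this page that change what the machine will do (install-time npm scripts, the sessions_spawn allowlist entry, and auto-execute), as an added example that is not part of SKILL.md or the lulu-monitor repository. The function names and the sample package.json contents are constructed for illustration; the config keys are the ones shown on this page.

```javascript
// Added example (not from the lulu-monitor repo): pre-install audit.
// Inputs are already-parsed JSON objects; nothing is read from disk here.

// Hooks npm runs automatically for the root package during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Flag package.json scripts that would execute as a side effect of installing.
function auditPackage(pkg) {
  const scripts = pkg?.scripts ?? {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => `package.json: "${h}" runs on npm install -> ${scripts[h]}`);
}

// Flag the gateway-wide allowlist entry from ~/.openclaw/openclaw.json.
function auditGateway(cfg) {
  const allow = cfg?.gateway?.tools?.allow;
  return Array.isArray(allow) && allow.includes("sessions_spawn")
    ? ["openclaw.json: sessions_spawn is enabled gateway-wide for /tools/invoke"]
    : [];
}

// Flag auto-execute settings from ~/.openclaw/lulu-monitor/config.json.
function auditMonitor(cfg) {
  if (cfg?.autoExecute !== true) return []; // default: every alert needs a tap
  const action = cfg.autoExecuteAction ?? "allow-once"; // documented default
  if (action === "allow")
    return ["config.json: autoExecute creates permanent allow rules"];
  if (action === "allow-once")
    return ["config.json: autoExecute allows connections once without a tap"];
  return [`config.json: unexpected autoExecuteAction ${JSON.stringify(action)}`];
}

function audit({ pkg, gateway, monitor }) {
  return [...auditPackage(pkg), ...auditGateway(gateway), ...auditMonitor(monitor)];
}

// Constructed sample inputs (not the real repository contents).
const sample = {
  pkg: { scripts: { start: "node src/index.js", postinstall: "node setup.js" } },
  gateway: { gateway: { tools: { allow: ["sessions_spawn"] } } },
  monitor: { telegramId: "YOUR_TELEGRAM_ID", autoExecute: true, autoExecuteAction: "allow" },
};
for (const finding of audit(sample)) console.log("REVIEW:", finding);
```

Feed it `JSON.parse` of the cloned repository's package.json and the two files under ~/.openclaw/ before running install.sh. It only inspects the root package.json; `npm install --ignore-scripts` skips lifecycle scripts for dependencies as well.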

Verify

curl http://127.0.0.1:4441/status

Should return {"running":true,...}

Sending Alerts with Inline Buttons

⚠️ The message tool's buttons/components parameter does NOT work for Telegram inline buttons. You must use the CLI via exec:

openclaw message send --channel telegram --target <chat_id> \
  --message "🔔 LuLu Alert: <summary>" \
  --buttons '[[{"text":"✅ Always Allow","callback_data":"lulu:allow"},{"text":"✅ Allow Once","callback_data":"lulu:allow-once"}],[{"text":"❌ Always Block","callback_data":"lulu:block"},{"text":"❌ Block Once","callback_data":"lulu:block-once"}]]'

After sending via CLI, reply with NO_REPLY to avoid duplicate messages.

Handling Callbacks

When the user clicks a Telegram button, OpenClaw receives a callback like:

callback_data: lulu:allow
callback_data: lulu:allow-once
callback_data: lulu:block
callback_data: lulu:block-once

To handle it, call the local endpoint:

curl -X POST http://127.0.0.1:4441/callback \
  -H "Content-Type: application/json" \
  -d '{"action":"allow"}'  # or "block", "allow-once", "block-once"

This will:

  1. Click the appropriate button on LuLu alert
  2. Set Rule Scope to "endpoint"
  3. Set Rule Duration to "Always" or "Process lifetime"
  4. Edit the Telegram message to show result

Troubleshooting

Service not running

# Check status
launchctl list | grep lulu-monitor

# View logs
tail -f ~/.openclaw/lulu-monitor/logs/stdout.log

# Restart
launchctl unload ~/Library/LaunchAgents/com.openclaw.lulu-monitor.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.lulu-monitor.plist

Accessibility permission issues

AppleScript needs permission to control LuLu. Go to System Settings > Privacy & Security > Accessibility and enable Terminal, iTerm, or whatever terminal you use.

Alert not detected

  • Ensure LuLu is running: pgrep -x LuLu
  • Check if alert window exists: osascript -e 'tell application "System Events" to tell process "LuLu" to get every window'

Uninstall

bash ~/.openclaw/lulu-monitor/skill/scripts/uninstall.sh
