Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Claw Operations Manager
v3.0.0OpenClaw operations management center v3 with multilingual support, intelligent descriptions, automatic git-based snapshots, and one-click rollback. Every op...
⭐ 0· 130·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (audit, snapshots, rollback, web UI) matches the included scripts and docs: many Python scripts for auditing, snapshot/git management, rollback, and a web dashboard are present. However the registry metadata claims no required binaries or config paths while the runtime docs and code clearly expect/use git, sqlite and a persistent workspace under ~/.openclaw (database, snapshots, web server). That metadata omission is inconsistent and should be treated as an integrity issue.
Instruction Scope
SKILL.md and INTEGRATION.md instruct the user to: run scripts/init.py and server_v3.py, create shell aliases (audit_wrapper.sh) that wrap arbitrary shell commands, and integrate wrappers into OpenClaw's tool execution to capture 'all tool calls (exec, read, write, browser, etc.)'. Those instructions will cause the skill to observe and record essentially every operation the agent/user performs (including command parameters and file contents implied by file-change tracking). The skill also defaults to monitoring sensitive paths (e.g., ~/.ssh, /etc/ssh). Capturing and storing such broad data is coherent with an audit tool but is high-risk: review the code that implements capture, storage, and any external network operations before enabling automatic integration.
Install Mechanism
There is no install spec (instruction-only), yet the package contains 15+ executable scripts and web templates. That means files are bundled but nothing is automatically installed — the user is expected to run them. This is lower automatic-execution risk, but because code exists and runtime instructions ask you to run/ integrate them, you should inspect the code. Also SKILL.md references git/restic/rsync for full restores but the package metadata did not declare git as required.
Credentials
The skill declares no required environment variables or credentials, which is good, but it creates and uses persistent artifacts under the user's home (~/.openclaw: audit.db, snapshots) and suggests monitoring extremely sensitive paths including ~/.ssh and /etc/ssh. The skill will therefore have access to secrets/configuration stored on disk if the user enables monitoring/integration. The metadata omission of required config paths (it uses ~/.openclaw) and required binaries (git) is inconsistent and increases risk because the platform's gating logic may not surface these needs to users.
Persistence & Privilege
always:false and model invocation is allowed (default). The skill does not request forced inclusion, but the instructions recommend persistent changes to the environment (shell aliases, integration into OpenClaw's execution flow, and running a background web server). Those are user-driven persistence steps — not automatic — but they materially increase the blast radius if enabled. Exercise caution before making the integration changes permanent.
What to consider before installing
What to consider before installing or enabling this skill:
- The skill includes code that, if you follow its integration steps, will capture and log essentially all tool calls and filesystem changes. This is consistent with an audit tool, but it also means it can see sensitive data (files, command arguments, keys in ~/.ssh, etc.). Only enable monitoring of sensitive paths after reviewing the code.
- Metadata omissions: the package metadata claims no required binaries or config paths but the README and scripts expect git, Python, and a workspace under ~/.openclaw (audit.db, snapshots). Verify presence of git and sqlite and be aware the skill will create repositories and a DB in your home directory.
- Don't apply global changes immediately. In particular:
- Do not add the suggested shell alias to your global shell rc files until you've reviewed audit_wrapper.sh and tested it in a safe environment.
- Avoid modifying OpenClaw core execution flow until you've audited the integration code (scripts/auto_audit.py, scripts/audited_ops.py) to ensure it only logs locally and does not transmit data externally.
- Inspect network usage: grep the code for outbound network operations (requests, urllib, socket, subprocess calls to curl/wget) and any hard-coded remote endpoints before running the server. If the web UI binds only to localhost that reduces remote exposure, but double-check server code for host/port and CORS or callbacks.
- Review data storage and protections: the skill stores audit.db and snapshots under ~/.openclaw. Ensure you understand retention, access controls, and encryption (it recommends chmod 600 for audit.db). Consider placing the workspace in a sandbox/container or on a test machine first.
- Test in a sandbox: run the code inside a disposable VM or container, exercise audit and rollback flows, and verify that restores behave as documented and that no data leaves the machine.
- If you lack time/expertise: ask for a short code review focusing on server_*.py, audited_ops.py, audit_wrapper.sh, setup_auto_audit.sh, snapshot.py, and any code that handles network I/O or subprocess execution. If those files are audited and acceptable, follow the recommended least-privilege steps: limit monitored paths, avoid auto-integration, and lock down the web UI to localhost with authentication.
If you want, I can (a) list the specific files you should inspect first, (b) search the tree for network calls and subprocess exec patterns, or (c) help craft safer integration steps (e.g., run in container, limit paths, enable auth).Like a lobster shell, security has layers — review code before you run it.
latestvk970arc221xsq706fh1s90pca983232p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.