OpenClaw Watch Dog

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a real OpenClaw watchdog, but it installs a persistent auto-recovery service and contains support for storing unrelated OpenAI/Anthropic API keys that are not needed for its stated purpose.

Review this skill before installing. It is designed to run continuously and restart OpenClaw automatically, so only enable it if you want that behavior. Provide only the Telegram bot token and chat ID; do not provide OpenAI or Anthropic API keys unless the maintainer clearly documents why they are needed.

Static analysis

Destructive delete command

Warn
Finding
Documentation contains a destructive delete command without an explicit confirmation gate.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

If a user provides these extra API keys, the watchdog stores sensitive credentials that are not needed for the current monitoring feature.

Why it was flagged

The setup script accepts and stores OpenAI and Anthropic API keys even though the stated watchdog function only needs Telegram credentials for alerts.

Skill content

--openai-key) OPENAI_KEY="$2"; ... --anthropic-key) ANTHROPIC_KEY="$2"; ... 'openai_key': sys.argv[3], 'anthropic_key': sys.argv[4]

Recommendation

Do not provide OpenAI or Anthropic keys to this skill. The maintainer should remove unused credential parameters or clearly document and scope any future use.

ASI10: Rogue Agents
Low
What this means

The watchdog will keep running after setup and can continue monitoring and acting until the user disables or uninstalls it.

Why it was flagged

The setup installs a long-running user-level background service that starts automatically and stays alive.

Skill content

'RunAtLoad': True, 'KeepAlive': True ... systemctl --user enable openclaw-watchdog ... systemctl --user restart openclaw-watchdog

Recommendation

Install only if you want continuous monitoring, and keep the uninstall/disable commands available.

ASI02: Tool Misuse and Exploitation
Medium
What this means

This can change the local OpenClaw installation and running gateway state. The restart behavior is automatic; the reinstall path is documented as approval-gated.

Why it was flagged

The watchdog can run local system commands to restart the gateway and, after an approval file exists, reinstall OpenClaw globally.

Skill content

subprocess.run(["openclaw", "gateway", "restart"] ...); ... subprocess.run(["npm", "install", "-g", "openclaw"] ...)

Recommendation

Review the auto-recovery behavior before enabling it, and ensure ~/.openclaw/watchdog/approve-reinstall is only created intentionally.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Setup depends on whatever aiohttp version is available at install time, which can affect reproducibility and supply-chain assurance.

Why it was flagged

The installer pulls an unpinned Python dependency during setup.

Skill content

"$VENV_DIR/bin/pip" install --quiet aiohttp

Recommendation

Prefer pinned dependency versions or review the package source before installation.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Telegram will receive the alert messages and the bot token can control that Telegram bot.

Why it was flagged

Alerts are sent through Telegram using the user's bot token and chat ID, which is expected for this skill but still sends alert content to an external provider.

Skill content

url = f"https://api.telegram.org/bot{token}/sendMessage" ... "chat_id": chat_id, "text": text

Recommendation

Use a dedicated Telegram bot for this watchdog, avoid putting secrets in alert messages, and revoke the token if it may have been exposed.