Back to skill

Security audit

OpenClaw Watch Dog

Security checks across malware telemetry and agentic risk

Overview

This watchdog mostly matches its monitoring purpose, but it installs a persistent service, handles secrets, sends diagnostics to Telegram, and can perform high-impact recovery actions with weak safeguards.

Review carefully before installing. Use a dedicated Telegram bot token and rotate it if pasted into chat or shell history. Do not provide OpenAI or Anthropic keys unless a later version clearly requires them. Understand that this creates an always-on background service that can restart OpenClaw, send operational diagnostics to Telegram, and reinstall OpenClaw after marker-file approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
APPROVE_REINSTALL.unlink(missing_ok=True)
        await send_telegram(session, cfg, "🔧 <b>Watch Dog:</b> Reinstalling OpenClaw (approved by user)...")
        try:
            subprocess.run(["npm", "install", "-g", "openclaw"], timeout=120,
                           capture_output=True, text=True)
            await asyncio.sleep(5)
            subprocess.run(["openclaw", "gateway", "start"], timeout=30,
Confidence
88% confidence
Finding
subprocess.run(["npm", "install", "-g", "openclaw"], timeout=120, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["npm", "install", "-g", "openclaw"], timeout=120,
                           capture_output=True, text=True)
            await asyncio.sleep(5)
            subprocess.run(["openclaw", "gateway", "start"], timeout=30,
                           capture_output=True, text=True)
        except Exception as e:
            log.error("Reinstall failed: %s", e)
Confidence
81% confidence
Finding
subprocess.run(["openclaw", "gateway", "start"], timeout=30, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
APPROVE_REINSTALL.unlink(missing_ok=True)
        await send_telegram(session, cfg, "🔧 <b>Watch Dog:</b> Reinstalling OpenClaw (approved by user)...")
        try:
            subprocess.run(["npm", "install", "-g", "openclaw"], timeout=120,
                           capture_output=True, text=True)
            await asyncio.sleep(5)
            subprocess.run(["openclaw", "gateway", "start"], timeout=30,
Confidence
88% confidence
Finding
subprocess.run(["npm", "install", "-g", "openclaw"], timeout=120, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["npm", "install", "-g", "openclaw"], timeout=120,
                           capture_output=True, text=True)
            await asyncio.sleep(5)
            subprocess.run(["openclaw", "gateway", "start"], timeout=30,
                           capture_output=True, text=True)
        except Exception as e:
            log.error("Reinstall failed: %s", e)
Confidence
83% confidence
Finding
subprocess.run(["openclaw", "gateway", "start"], timeout=30, capture_output=True, text=True)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The troubleshooting guide documents an automatic recovery path that can escalate from restart attempts to reinstalling the OpenClaw package, which goes beyond passive monitoring and alerting. Even though it is gated by a local approval file, this is still a system-modifying capability that materially expands the skill's power and attack surface.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documented command `npm install -g openclaw` performs a global package installation, which is a privileged and high-impact system change for a watchdog whose stated purpose is monitoring and recovery. If triggered unexpectedly or influenced by another component, it could alter the host environment, introduce supply-chain risk, or overwrite a previously trusted installation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The setup script accepts and stores OpenAI and Anthropic API keys even though the stated functionality is a watchdog with Telegram alerts. Collecting unrelated high-value secrets expands the blast radius if the host or config is compromised and violates least-privilege expectations for this skill.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comment says AI keys are optional for future extensions, but the script still captures and encrypts them into the installed configuration immediately. This creates unnecessary secret retention and can mislead users into providing credentials for features that do not exist yet.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comment claims diagnostics stay on-device, but operational details are later transmitted to Telegram. Misleading documentation is dangerous because operators may enable the feature believing it does not exfiltrate service state or failure metadata.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger terms are broad and generic, such as 'monitoring', 'auto-fix', and 'gateway health', which can cause the skill to activate in conversations that did not intend to install or configure a persistent watchdog. Unintended invocation is especially risky here because the skill requests secrets and performs setup steps with system-level side effects.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill asks the user to provide a Telegram bot token and chat ID directly in chat without warning that the bot token is a credential that grants control over the Telegram bot. Collecting secrets through the conversational channel increases the chance of accidental exposure, logging, reuse by the platform, or mishandling by downstream tooling.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list is broad and generic enough to match common support requests such as 'monitoring' or 'auto-fix,' which can invoke the skill outside a clearly intended OpenClaw setup context. Because this skill can request secrets and install a persistent background service, unintended activation increases the chance of credential solicitation or persistence actions in the wrong conversation.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly asks the user to send a Telegram bot token and chat ID to the agent, but it does not warn that the bot token is a secret that grants control over the Telegram bot. Soliciting sensitive credentials through chat is dangerous because the secret may be retained in conversation history, logs, or downstream tooling, enabling account compromise and misuse of the bot.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The uninstall section contains destructive commands that delete service definitions and the watchdog data directory without clearly warning that removal is permanent. In documentation, this creates a realistic risk of accidental self-inflicted loss of configuration, logs, and service persistence rather than an exploit-driven compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sensitive credentials are passed as command-line arguments, which may be exposed through shell history, process listings, audit logs, or CI job output. Even if later encrypted at rest, the secrets are already exposed during invocation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The watchdog silently sends operational status and failure information to Telegram, an external third party, with no clear runtime user consent or prominent disclosure in the workflow. Even if intended for monitoring, this can leak sensitive metadata about system availability, deployment state, and potentially incident timing to an external service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The uninstall section includes commands that delete service definitions and recursively remove the watchdog directory, but it does not clearly warn that these actions are destructive and may permanently remove local configuration, logs, or encrypted credentials. In documentation consumed by agents or users, omission of a warning increases the risk of accidental data loss during troubleshooting.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script accepts Telegram and AI API secrets directly via command-line flags. On many systems, process arguments are exposed to other local users through tools like ps, shell history, audit logs, or CI job logs, so these credentials may be disclosed despite later encrypting them at rest.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script accepts a Telegram bot token as a positional command-line argument, which commonly exposes the secret through shell history, process listings, audit logs, and CI job output. Even though the token format is validated, that does not protect its confidentiality; anyone who obtains the token can send messages as the bot and potentially access bot-scoped interactions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Telegram alerting sends operational data to a third-party service without a strong, explicit disclosure in the runtime behavior shown here. In a monitoring skill, this matters because outage details, health state, and diagnostic summaries can reveal system status to external parties.

Ssd 3

Medium
Confidence
98% confidence
Finding
Directing the user to send the Telegram bot token and chat ID back to the agent is a concrete secret-handling flaw, not just missing warning text. A Telegram bot token is an authentication secret; if exposed, an attacker could send messages as the bot, read bot interactions, or hijack alerting workflows.

Ssd 3

Medium
Confidence
98% confidence
Finding
This is a direct natural-language request for disclosure of a secret credential: the user is told to send the Telegram bot token to the agent so setup can proceed. That creates an unnecessary secret-handling path through the model and chat channel, increasing exposure to accidental disclosure, logging, replay, or unauthorized reuse of the token.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# macOS
launchctl unload ~/Library/LaunchAgents/com.openclaw.watchdog.plist
rm ~/Library/LaunchAgents/com.openclaw.watchdog.plist

# Linux
systemctl --user stop openclaw-watchdog
Confidence
87% confidence
Finding
rm ~/Library/LaunchAgents/com.openclaw.watchdog.plist # Linux systemctl --user stop openclaw-watchdog systemctl --user disable openclaw-watchdog rm ~/.config/systemd/user/openclaw-watchdog.service #

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# macOS
launchctl unload ~/Library/LaunchAgents/com.openclaw.watchdog.plist
rm ~/Library/LaunchAgents/com.openclaw.watchdog.plist

# Linux
systemctl --user stop openclaw-watchdog
Confidence
87% confidence
Finding
rm ~/Library/LaunchAgents/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Linux
systemctl --user stop openclaw-watchdog
systemctl --user disable openclaw-watchdog
rm ~/.config/systemd/user/openclaw-watchdog.service

# Both
rm -rf ~/.openclaw/watchdog
Confidence
85% confidence
Finding
rm ~/.config/systemd/user/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
openclaw-watchdog/references/troubleshooting.md:71

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
openclaw-watchdog/SKILL.md:101

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
references/troubleshooting.md:71

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
SKILL.md:102