ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Security Monitor

v4.2.1

Proactive security monitoring, threat scanning, and auto-remediation for OpenClaw deployments

5· 2.9k·24 current·24 all-time
byAdrian Birzu@adibirzu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with the files included: a 59-point scanner, per-check remediation scripts, IOC lists, a dashboard, and an installer. However the registry metadata claims 'instruction-only' with no required binaries/env, while the SKILL.md (embedded comment) lists required binaries (bash, curl, node, lsof) and optional ones. The presence of 70 code files (scripts, ioc lists, dashboard server) contradicts the 'no install spec / instruction-only' label in the registry — this is a packaging/metadata incoherence the user should be aware of.
!
Instruction Scope
SKILL.md and README instruct running scripts that read local OpenClaw state (logs, openclaw.json, skills dir, .openclaw workspace) and, when remediation is invoked, execute fixes (remediate.sh + 59 remediation scripts). Remediation supports an AUTO-APPROVE env var (OPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1) that would allow unattended changes. The dashboard server reads config and logs and by default binds to 127.0.0.1 but can be configured via env to bind elsewhere — exposing sensitive data if changed. All of this is coherent with a security-monitor, but it gives the skill potential to read sensitive files and to perform system modifications; confirm you are comfortable granting that to code you install and audit remediation scripts before using auto-approve.
Install Mechanism
There is no registry-level install spec, but an included install.sh clones https://github.com/adibirzu/openclaw-security-monitor.git into ~/.openclaw/workspace/skills and marks scripts executable. Cloning from GitHub is a standard release mechanism; install.sh explicitly says it does not auto-run scans or install cron jobs. The package also includes update-ioc.sh and other scripts that may fetch threat feeds — review those fetch targets before running. No arbitrary single-file downloads or obscure hosts are used in install.sh itself.
Credentials
The registry lists no required env vars; SKILL.md documents optional envs (OPENCLAW_TELEGRAM_TOKEN, OPENCLAW_HOME). The code reads HOME and the OpenClaw directory (~/.openclaw), and the scanner explicitly looks for credential files and environment leakage (.env, .ssh, .aws, keychain, openclaw.json). Those accesses are expected for a host security scanner but they mean the tool will read sensitive files. It does not request unrelated cloud credentials or multiple external tokens up front, which is proportionate to its stated purpose.
Persistence & Privilege
The skill is not always-included, is user-invocable, and has disable-model-invocation=true (the model cannot autonomously invoke it). The installer does not auto-add cron/LaunchAgents; persistence (daily cron) is optional/manual. Still, remediation scripts can be used in unattended mode via OPENCLAW_ALLOW_UNATTENDED_REMEDIATE — treat that as a high-privilege action and avoid enabling it without review.
What to consider before installing
This package looks like a genuine OpenClaw security monitor, but there are a few red flags you should act on before installing or running it: - Metadata mismatch: the registry claims 'no required binaries / instruction-only' while the SKILL.md lists required tools (bash, curl, node, lsof) and the bundle contains many scripts. Treat the package as an installed toolset, not a harmless README. - Audit remediation scripts before use: remediate.sh runs 59 per-check fixers and supports an auto-approve env var (OPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1). Do NOT run remediation with auto-approve until you have reviewed the scripts and tested them in a safe environment. - Review network fetches: update-ioc.sh / other updater scripts will pull threat feeds/upgrades. Inspect those scripts to see which hosts they contact and consider restricting network access or running them manually. - Dashboard exposure: dashboard/server.js defaults to 127.0.0.1, but binding host is configurable by env. Keep it bound to loopback and do not expose the dashboard to external networks unless you understand and accept the risk of exposing logs/config. - Least privilege and backups: run the scanner in --dry-run first, back up critical OpenClaw config files (openclaw.json, device.json, SOUL.md, MEMORY.md) before remediation, and prefer a quarantined/test instance for initial runs. If you want higher assurance, request the full contents of update-ioc.sh and the remediation scripts that would modify your system, or run the package inside an isolated VM/container and validate behavior before deploying to production.

Like a lobster shell, security has layers — review code before you run it.

latestvk97acch6dnrt0tsb4vx2hzbz4n82yrqb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments