Gateway Watchdog

Security checks across malware telemetry and agentic risk

Overview

This skill matches its watchdog purpose, but its one-click path can run a persistent background process and includes an unpinned remote download-and-execute fallback.

Install only if you specifically want an always-on local process that can restart OpenClaw Gateway. Prefer reviewing and running the bundled gateway_watchdog.py directly instead of relying on install.py's remote download fallback; run it with least privileges, protect the generated config/PID files especially on Windows, and use the documented stop command when you no longer want monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Check whether the Gateway is running normally"""
    try:
        cmd = get_openclaw_cmd() + ["gateway", "status"]
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=15, shell=(platform.system() == "Windows") )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        log("Gateway 连续失败,准备重启...")
        cmd = get_openclaw_cmd() + ["gateway", "restart"]
        subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
subprocess.run( cmd, capture_output=True, text=True, timeout=60, shell=(platform.system() == "Windows") )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("=" * 50)
    try:
        cmd = get_openclaw_cmd() + ["gateway", "status"]
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=15, shell=(platform.system() == "Windows") )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log("手动重启 Gateway...")
    try:
        cmd = get_openclaw_cmd() + ["gateway", "restart"]
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=60, shell=(platform.system() == "Windows") )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        if platform.system() == "Windows":
            subprocess.run(f"taskkill /PID {pid} /F", shell=True)
        else:
            os.kill(int(pid), signal.SIGTERM)
        PID_FILE.unlink()
Confidence
98% confidence
Finding
subprocess.run(f"taskkill /PID {pid} /F", shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Check whether the process exists
            if platform.system() == "Windows":
                result = subprocess.run(
                    f"tasklist /FI \"PID eq {old_pid}\"",
                    capture_output=True,
                    text=True,
Confidence
98% confidence
Finding
result = subprocess.run( f"tasklist /FI \"PID eq {old_pid}\"", capture_output=True, text=True, shell=Tru

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pid = f.read().strip()
        try:
            if platform.system() == "Windows":
                result = subprocess.run(
                    f"tasklist /FI \"PID eq {pid}\"",
                    capture_output=True,
                    text=True,
Confidence
98% confidence
Finding
result = subprocess.run( f"tasklist /FI \"PID eq {pid}\"", capture_output=True, text=True, shell=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 2. Start the watchdog
    print("\n🚀 启动 Gateway Watchdog...")
    try:
        result = subprocess.run(
            [sys.executable, str(script_path), "start"],
            capture_output=True,
            text=True
Confidence
91% confidence
Finding
result = subprocess.run( [sys.executable, str(script_path), "start"], capture_output=True, text=True )

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file presents itself as a simple one-click installer/startup helper, but its real behavior includes downloading executable Python code from GitHub at runtime. This mismatch is dangerous because it reduces user scrutiny and conceals a high-risk trust boundary crossing that can lead to arbitrary code execution.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script downloads a Python file from a mutable remote location and then executes it, without any manifest, version pinning, integrity verification, or signature check. This creates a direct remote code execution supply-chain risk: compromise of the repository, account, branch, or served file results in arbitrary local execution.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are broad, natural-language requests such as '帮我 7/24 运行' and '保持 Gateway 运行', which can match ordinary user intent without clearly signaling that the skill will download code and start a persistent watchdog/background process. This increases the risk of accidental invocation and unintended system changes, especially because the skill performs installation and service-like actions rather than a reversible read-only task.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill description says it will check for a file, download `gateway_watchdog.py` from GitHub if missing, and execute `python gateway_watchdog.py start`, but it does not warn the user that this installs remote code and launches a long-running background watchdog. In this context, the omission is particularly dangerous because remote code retrieval plus persistent execution can materially alter the host and create a supply-chain or persistence risk if invoked without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently downloads and writes an executable Python file into the local directory with no explicit warning, trust prompt, or safety explanation. This increases the chance that users unknowingly stage malicious code on disk, especially because the source is a remote mutable URL.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script executes the downloaded Python file without any explicit safety warning, confirmation, sandboxing, or integrity validation. In this context, immediate execution of newly fetched code materially increases the danger because a user gets no chance to inspect or validate what will run.

VirusTotal

66/66 vendors flagged this skill as clean.
