v1.0.0

windows-healing-gateway

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:13 AM.

Analysis

This skill is purpose-aligned, but it should be reviewed carefully because it sets up persistent Windows repair tasks, can make automatic system changes, needs credentials, and omits the core PowerShell scripts it says will be run.

GuidanceBefore installing, ask for the missing PowerShell scripts to be included and review them. Only deploy if you are comfortable with persistent Windows scheduled tasks that run at boot/logon, automatic repair that may kill processes or disable plugins, and use of AI/Telegram credentials. Prefer test mode first, back up gateway configuration, scope tokens narrowly, and make sure you know how to disable or remove the OpenClaw scheduled tasks.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

metadata

No install spec — this is an instruction-only skill. No code files present — this is an instruction-only skill. File manifest 6 file(s): docs/UPLOAD.md; scripts/OpenClaw-Gateway-AutoStart.xml; scripts/OpenClaw-Monitor-Service.xml; README.md; skill.json; SKILL.md

The package omits the PowerShell scripts that the artifacts tell users or tools to run, such as deploy-windows-healing.ps1, openclaw-fix.ps1, openclaw-monitor.ps1, and openclaw-gateway-starter.ps1. Those missing scripts are where the high-impact monitoring and repair logic would reside.

User impactThe installed skill may fail, or users may end up running unreviewed local or remotely obtained scripts to perform privileged repair actions.

RecommendationDo not deploy until the referenced PowerShell scripts are included in the reviewed package or pinned to a trusted source, and review them before allowing scheduled execution.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

README.md

| Port conflict | Kill conflicting process |
| Plugin error | Disable problematic plugin |

The documented automatic repair actions can terminate processes and change gateway/plugin behavior, but the artifacts do not define confirmation steps, allow-lists, rollback, or limits to ensure only the intended OpenClaw components are affected.

User impactA repair attempt could stop an unrelated process using a port or disable a plugin that the user still needs.

RecommendationRequire user confirmation for process termination and plugin disabling, restrict repairs to known OpenClaw-owned resources, and provide a dry-run and rollback path.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

scripts/OpenClaw-Monitor-Service.xml

<BootTrigger> ... <RegistrationTrigger> ... <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> ... <Arguments>-ExecutionPolicy Bypass -WindowStyle Hidden -File "%USERPROFILE%\.openclaw\scripts\openclaw-monitor.ps1"</Arguments>

The monitor task is configured to run persistently at boot/registration, with a hidden PowerShell window and no time limit. That persistence is disclosed and purpose-aligned, but the artifacts do not show clear stop, uninstall, or containment controls.

User impactAfter deployment, the monitor can keep running in the background and repeatedly perform repairs until the scheduled task is disabled or removed.

RecommendationDocument explicit opt-in, status visibility, and uninstall/disable commands for all OpenClaw scheduled tasks before installation.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

README.md

MOONSHOT_API_KEY=your_moonshot_key
CODING_PLAN_KEY=your_coding_plan_key

# Optional (for alerts)
TELEGRAM_BOT_TOKEN=your_bot_token
TELEGRAM_CHAT_ID=your_chat_id

The skill expects AI-provider and Telegram credentials, which fit the stated AI diagnosis and alerting purpose, but these credentials are not declared in the registry requirements.

User impactInstalling users may not notice before setup that the skill needs provider keys and a Telegram bot/chat identity.

RecommendationDeclare the required and optional credentials in metadata, use least-privilege tokens, and keep the gateway.env file access-restricted.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceMediumStatusNote

SKILL.md

AI Diagnosis: Analyzes logs and applies intelligent fixes
Alert Notification: Sends alerts via Telegram when manual intervention needed

The skill describes AI log diagnosis and Telegram alerting, which are expected for its purpose, but the artifacts do not bound what log or diagnostic content may be shared with external services.

User impactGateway status, log details, or operational errors could be included in AI diagnosis or Telegram alerts.

RecommendationReview and limit alert/log content before enabling external AI or Telegram integrations, especially if gateway logs may contain secrets or private data.