Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aegis Protocol

v0.12.6

Self-healing stability monitor for AI agents - 5 core checks + 15 extended checks, auto-recovery, health scoring

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (self-healing stability monitor) align with required capabilities: the code runs system checks (pm2, nginx, docker, disk, memory), restarts services, and persists state under the workspace. No unrelated cloud credentials or strange binaries are declared.
! Instruction Scope
SKILL.md declares only local diagnostics and controlled recovery, which matches most of the code, but there are inconsistencies: SECURITY.md and other docs mention an SSL cert check (a possible external network call) despite SKILL.md claiming 'No external network calls'. Development notes explicitly state 'Direct use exec: bypass ACP restrictions' (bypassing platform restrictions). The code calls system-level commands (systemctl, pm2, docker, openclaw sessions kill) and logs to /var/log — these actions are powerful and should be limited and audited.
Install Mechanism
No remote download/install step is declared; code is bundled in the skill. That reduces supply-chain risk from arbitrary external installers. There is no brew/npm/url-based install present.
Credentials
The skill declares no required environment variables or credentials for runtime, which is appropriate. However, publishing docs reference ClawHub tokens (~/.clawhub/token.json) for authorship/publishing (not runtime). The code expects its workspace at /root/.openclaw/workspace and will read/write multiple files there (config, cache, healing memory). No explicit credential exfiltration is requested, but commands like 'git status' and 'apt list --upgradable' can reveal system state.
! Persistence & Privilege
always:false and user-invocable are good, but the skill writes persistent files (cache, healing-memory) in a hardcoded workspace and appends to /var/log/aegis-protocol.log. It also includes commands to restart services and kill sessions. The DEVELOPMENT_REPORT note about using exec to 'bypass ACP runtime restrictions' is a higher-risk design choice because it intentionally circumvents platform gating and expands what the skill can do at runtime.
What to consider before installing
This skill appears to implement a real system watchdog, but review and take precautions before installing:

- Audit the code yourself (aegis-protocol.py) looking specifically for any network calls (ssl/socket usage, curl/wget), commands that read secrets (~/.ssh, ~/.aws, /etc), or base64/obfuscated execution paths. The repository includes full source so you can inspect it.
- Note that the code logs to /var/log/aegis-protocol.log and writes persistent files under /root/.openclaw/workspace — consider running it as a non-root user or in a sandboxed environment to limit impact.
- The development notes explicitly state exec is used to bypass ACP restrictions. Ask the author why that is necessary; prefer a version that uses approved runtime APIs rather than raw shell execution where possible.
- Verify and tighten configuration before enabling auto-recovery (heal): set conservative thresholds and populate the whitelist so it cannot kill important sessions or restart critical services unexpectedly.
- If you want to try it, test in an isolated VM/container first (not a production host) and monitor logs for unexpected network activity or attempts to access credential files.

If you need, I can extract the parts of aegis-protocol.py that perform network/IO/restart operations and summarize them line-by-line so you can more easily audit the risky bits.

Like a lobster shell, security has layers — review code before you run it.


