Aegis Protocol
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a real monitoring tool, but its auto-heal mode can kill agent sessions or restart services, and it has scoping and provenance issues that users should review carefully.
Install only if you intentionally want a local monitor with authority to run shell diagnostics and repair services. Start with `init`, `status`, and `check`; review the config and whitelists; avoid `heal` or cron scheduling until you understand exactly which sessions and services can be changed. Verify the publisher/source, prefer least-privilege execution, and do not run the included token-display publishing commands on an end-user system.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or autonomous heal action could stop active agent work or restart production services.
The documented recovery commands mutate agent sessions and system services, including a broad `pm2 restart all`, and the artifacts do not show per-action approval before automatic recovery.
`openclaw sessions kill` ... `pm2 restart all` ... `systemctl restart nginx` ... `openclaw memory compact`
Use `check`/`status` first, require explicit confirmation for `heal`, scope recovery to named sessions/services, and avoid `pm2 restart all` unless the user has approved it.
Active sessions may be treated as failed and killed, especially if `heal` is run on a schedule.
The visible session check classifies running non-whitelisted sessions as stuck without using the documented timeout threshold, so recovery could propagate a bad check result into session termination.
if status == "running" and key not in whitelist:
    stuck_sessions.append(key)
Only classify sessions as stuck using reliable age/heartbeat data, honor `sessionTimeoutMinutes`, and make session killing opt-in with a preview of targets.
Users may have difficulty confirming which source code corresponds to the installed privileged skill.
The registry says version 0.12.9 with unknown source/homepage, while internal artifacts cite different versions and repositories; this is a provenance gap for a skill with exec and recovery authority.
"version": "0.12.6", "homepage": "https://github.com/mrring88/aegis-protocol", "repository": "https://github.com/mrring88/aegis-protocol.git"
Verify the publisher and repository manually, align registry metadata with the packaged code, and install only a release whose source and version are clear.
System commands will run on the host where the skill is used.
The skill runs shell commands for diagnostics and recovery; this is central to its monitoring purpose, but it executes with the local user's privileges.
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
Run it under the least-privileged account that can perform the intended checks, and review the command list before enabling recovery.
If configured, recovery actions could repeat every 10 minutes without a human reviewing each action.
The README provides a user-directed cron example that makes the auto-heal command run persistently and unattended.
*/10 * * * * python3 /path/to/aegis-protocol.py heal >> /var/log/aegis-protocol.log 2>&1
Do not schedule `heal` until thresholds, whitelists, logs, and recovery targets have been tested; consider scheduling `check` instead.
Stale or incorrect local state could affect future health checks or recovery behavior.
The skill persists local recovery memory, loop history, and cached check results, which is purpose-aligned but can influence later decisions.
HEALING_MEMORY = WORKSPACE / ".healing-memory.json" ... LOOP_HISTORY_FILE = WORKSPACE / ".loop-history.json" ... CACHE_FILE = WORKSPACE / ".aegis-cache.json"
Keep the workspace protected, review these files periodically, and clear them if recovery behavior looks wrong.
A user or agent could accidentally reveal a ClawHub token in chat or logs.
A developer publishing guide included in the package documents how to display a local ClawHub token; this is not part of the monitoring purpose and could expose credentials if followed.
Token location: ... `~/.clawhub/token.json` ... `cat ~/.clawhub/token.json`
Do not run token-display commands unless you are intentionally publishing; remove developer publishing docs from end-user installs.
Users may underestimate that the tool may need elevated permissions and write outside the OpenClaw workspace.
The code writes to a system log path, while the security documentation describes file writes as workspace-scoped; this can understate the privilege and filesystem impact.
LOG_FILE = Path("/var/log/aegis-protocol.log")
Make the log path configurable, default to the workspace, and update the documentation to accurately describe any system-path writes.
