{"skill":{"slug":"lulu-monitor","displayName":"LuLu Monitor","summary":"AI-powered LuLu Firewall companion for macOS. Monitors firewall alerts, analyzes connections with AI, sends Telegram notifications with Allow/Block buttons....","description":"---\nname: lulu-monitor\ndescription: AI-powered LuLu Firewall companion for macOS. Monitors firewall alerts, analyzes connections with AI, sends Telegram notifications with Allow/Block buttons. Use when setting up LuLu integration, handling firewall callbacks, or troubleshooting LuLu Monitor issues.\n---\n\n# LuLu Monitor\n\nAI-powered companion for [LuLu Firewall](https://objective-see.org/products/lulu.html) on macOS.\n\n![LuLu Monitor Screenshot](screenshot.png)\n\n## What It Does\n\n1. Monitors LuLu firewall alert popups\n2. Extracts connection info (process, IP, port, DNS)\n3. Spawns a fast AI (haiku) to analyze the connection\n4. Sends Telegram notification with risk assessment\n5. Provides 4 action buttons: Always Allow, Allow Once, Always Block, Block Once\n6. Executes the action on LuLu when user taps a button\n\n## Auto-Execute Mode (Optional)\n\nFor reduced interruptions, enable auto-execute mode. When the AI has high confidence (known safe programs like curl, brew, node, git connecting to normal destinations), it will:\n1. Automatically execute the Allow action\n2. 
Still send a Telegram notification explaining what was auto-allowed\n\n**To enable:**\n```bash\n# Create config.json in install directory\ncat > ~/.openclaw/lulu-monitor/config.json << 'EOF'\n{\n  \"telegramId\": \"YOUR_TELEGRAM_ID\",\n  \"autoExecute\": true,\n  \"autoExecuteAction\": \"allow-once\"\n}\nEOF\n```\n\n**Options:**\n- `autoExecute`: `false` (default) - all alerts require manual button press\n- `autoExecuteAction`: `\"allow-once\"` (default, conservative) or `\"allow\"` (permanent rule)\n\n## Installation\n\n### Prerequisites\n\nRun the check script first:\n```bash\nbash scripts/check-prerequisites.sh\n```\n\nRequired:\n- **LuLu Firewall**: `brew install --cask lulu`\n- **Node.js**: `brew install node`\n- **OpenClaw Gateway**: Running with Telegram channel configured\n- **Accessibility Permission**: System Settings > Privacy & Security > Accessibility > Enable Terminal/osascript\n\n### Gateway Configuration (Required)\n\nThe monitor calls `sessions_spawn` via OpenClaw's `/tools/invoke` HTTP API. This tool is blocked by default. Add it to the allowlist in `~/.openclaw/openclaw.json`:\n\n```json5\n{\n  \"gateway\": {\n    \"tools\": {\n      \"allow\": [\"sessions_spawn\"]\n    }\n  }\n}\n```\n\nWithout this, alerts will be detected but fail to forward (404 in logs).\n\n### Install\n\n```bash\nbash scripts/install.sh\n```\n\nThis will:\n1. Clone the repo to `~/.openclaw/lulu-monitor/`\n2. Install npm dependencies\n3. Set up launchd for auto-start\n4. 
Start the service\n\n### Verify\n\n```bash\ncurl http://127.0.0.1:4441/status\n```\n\nShould return `{\"running\":true,...}`\n\n## Sending Alerts with Inline Buttons\n\n⚠️ **The `message` tool's `buttons`/`components` parameter does NOT work for Telegram inline buttons.** You must use the CLI via `exec`:\n\n```bash\nopenclaw message send --channel telegram --target <chat_id> \\\n  --message \"🔔 LuLu Alert: <summary>\" \\\n  --buttons '[[{\"text\":\"✅ Always Allow\",\"callback_data\":\"lulu:allow\"},{\"text\":\"✅ Allow Once\",\"callback_data\":\"lulu:allow-once\"}],[{\"text\":\"❌ Always Block\",\"callback_data\":\"lulu:block\"},{\"text\":\"❌ Block Once\",\"callback_data\":\"lulu:block-once\"}]]'\n```\n\nAfter sending via CLI, reply with `NO_REPLY` to avoid duplicate messages.\n\n## Handling Callbacks\n\nWhen user clicks a Telegram button, OpenClaw receives a callback like:\n```\ncallback_data: lulu:allow\ncallback_data: lulu:allow-once\ncallback_data: lulu:block\ncallback_data: lulu:block-once\n```\n\nTo handle it, call the local endpoint:\n```bash\ncurl -X POST http://127.0.0.1:4441/callback \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"action\":\"allow\"}'  # or \"block\", \"allow-once\", \"block-once\"\n```\n\nThis will:\n1. Click the appropriate button on LuLu alert\n2. Set Rule Scope to \"endpoint\"\n3. Set Rule Duration to \"Always\" or \"Process lifetime\"\n4. Edit the Telegram message to show result\n\n## Troubleshooting\n\n### Service not running\n```bash\n# Check status\nlaunchctl list | grep lulu-monitor\n\n# View logs\ntail -f ~/.openclaw/lulu-monitor/logs/stdout.log\n\n# Restart\nlaunchctl unload ~/Library/LaunchAgents/com.openclaw.lulu-monitor.plist\nlaunchctl load ~/Library/LaunchAgents/com.openclaw.lulu-monitor.plist\n```\n\n### Accessibility permission issues\nAppleScript needs permission to control LuLu. 
Go to:\nSystem Settings > Privacy & Security > Accessibility\nEnable: Terminal, iTerm, or whatever terminal you use\n\n### Alert not detected\n- Ensure LuLu is running: `pgrep -x LuLu`\n- Check if alert window exists: `osascript -e 'tell application \"System Events\" to tell process \"LuLu\" to get every window'`\n\n## Uninstall\n\n```bash\nbash ~/.openclaw/lulu-monitor/skill/scripts/uninstall.sh\n```\n","topics":["Telegram"],"tags":{"latest":"2.0.0"},"stats":{"comments":0,"downloads":2142,"installsAllTime":81,"installsCurrent":1,"stars":0,"versions":8},"createdAt":1770471212698,"updatedAt":1779076724671},"latestVersion":{"version":"2.0.0","createdAt":1772343632130,"changelog":"Multi-user push, action logging, actor display","license":null},"metadata":null,"owner":{"handle":"easonc13","userId":"s17fkwdq9n4cahgs1jfqas4avx884bwy","displayName":"Eason Chen","image":"https://avatars.githubusercontent.com/u/43432631?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1779957001400}}