Clauditor
Verdict: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: clauditor
Version: 0.1.2

The skill bundle is a security watchdog with strong defensive features like HMAC-chained logs, UID-filtered monitoring, and detection rules for exfiltration, injection, and tampering. However, it is classified as suspicious due to a few risky capabilities and inconsistencies. The `alerter` crate (crates/alerter/src/lib.rs) includes an `AlertChannel::Command` that allows executing arbitrary commands configured in the daemon's TOML file, which, while protected by file permissions, is a powerful primitive. Additionally, the `wizard/wizard.sh` script grants the `sysaudit` user membership in the `clawdbot` group for `/proc` access, a privilege escalation for a stated purpose. There is also a discrepancy in the GitHub repository URL between `SKILL.md` and `wizard/install.sh`, and the `systemd-core-check` sentinel binary is installed by `wizard/wizard.sh` but not provided in the analyzed files, indicating a potential incompleteness or packaging issue.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A background watchdog may remain running under a misleading systemd-like name and may be harder to identify or disable than a normally named user-installed service.
The service is intentionally persistent and uses a stealthy name resembling a system component, which can make it harder for users or administrators to notice and manage.
Separate `sysaudit` daemon (stealth service name: `systemd-journaldd`)
Install only if you explicitly want a tamper-resistant watchdog; inspect the service unit and uninstall path, and consider renaming the service and log directory to transparent names.
The installed daemon can observe privileged filesystem execution signals for the target UID and depends on root-level system capabilities.
The collector requires very high local privileges and uses filesystem-level fanotify marking, which is broader than a simple per-directory watch even though it later filters events.
//! Requires CAP_SYS_ADMIN or root. ... FAN_MARK_FILESYSTEM marks the entire filesystem at the kernel level
Verify the exact target_uid, watch paths, service sandboxing, and Linux capabilities before enabling it; run with the least privilege that still meets your monitoring needs.
If an agent treats this file as operative instructions, it could take actions outside the user's install or audit task.
The package includes agent-facing instructions that could redirect an agent into autonomous development, sub-agent spawning, commits, and GitHub pushes unrelated to normal end-user use.
Every Turn (Orchestrator/Opus) ... Spawn Engineer sub-agent for current bead (via Codex `--full-auto`) ... Commit ... Push to GitHub
Do not let AGENTS.md override the user’s task; treat it as repository-development documentation only, or remove it from the installed skill package.
A misconfigured or tampered alert configuration could cause commands to run as the daemon user.
The alerter can execute configured commands when alerts fire; this is disclosed and purpose-aligned for alerting, but it is an automatic execution path.
Command channel executes user-provided commands (ensure config is trusted) ... Command { command: String, args: Vec<String> }
Keep /etc/sysaudit/config.toml tightly permissioned, avoid the command alert channel unless necessary, and prefer syslog/file alerts for routine use.
Audit logs may reveal sensitive local activity, filenames, or operational patterns even without any evidence of network exfiltration.
The default configuration monitors a broad Clawdbot home path and persists the resulting activity to local audit logs.
watch_paths = ["/home/clawdbot"] # Directories to monitor ... log_path = "/var/lib/.sysd/.audit/events.log"
Limit watch_paths to what you need, protect log access, define retention/rotation expectations, and review digest output before sharing it.
