Destructive delete command
- Finding
- Documentation contains a destructive delete command without an explicit confirmation gate.
Security checks across static analysis, malware telemetry, and agentic risk
This skill mostly matches its self-healing purpose, but its unattended failover script can evaluate local state/config values as code, making background use risky.
Treat this as a Review item before installing. The watchdog's automatic launchd service, gateway restarts, and model config changes are expected for its purpose, but the current failover script should be fixed to avoid `eval` and unescaped model/state interpolation before unattended use.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the local watchdog state or OpenClaw config contains a malicious or malformed model value, the unattended failover path could run commands or Python code as the user.
The script converts JSON state values into shell assignments with `eval` and later inserts the selected model directly into Python source. Those values come from persistent watchdog state and OpenClaw config rather than fixed constants.
STATE_FILE="$WATCHDOG_DIR/watchdog-state.json"; eval "$(python3 -c ... print(f'CURRENT_MODEL=\"{d.get(...)}\"') ...)"; ... d['agents']['defaults']['model']['primary'] = '$NEXT_MODEL'
Do not use this version unattended until `eval` and unescaped code interpolation are removed. Parse JSON without eval, pass values to Python via arguments/stdin, and validate model identifiers.
The skill can change which model OpenClaw uses and restart the gateway without asking again after installation.
The failover script automatically changes the default OpenClaw model and restarts the gateway. This is central to the stated watchdog purpose, but it is a high-impact mutation.
d['agents']['defaults']['model']['primary'] = '$NEXT_MODEL' ... openclaw gateway restart >> "$LOG_FILE" 2>&1 &
Install only if you want automatic recovery behavior; test with `DRY_RUN=1`, keep backups, and monitor the watchdog log after enabling it.
Once installed, the watchdog keeps running in the background and can continue restarting OpenClaw or changing model config until disabled or uninstalled.
Setup creates and loads a launchd agent that runs the watchdog every 60 seconds. The persistence is disclosed and purpose-aligned, but it continues operating after installation.
cat > "$LAUNCHD_PLIST" << PLISTEOF ... <key>StartInterval</key> <integer>60</integer> ... launchctl load "$LAUNCHD_PLIST"
Review the launchd plist before installing, and use the documented unload or `setup.sh --uninstall` path if you no longer want the background service.
Users may not realize from the metadata alone that installation depends on local system tools and creates launchd persistence.
The registry metadata does not declare the shell-based setup path or the local tools needed by the provided scripts, even though installation creates a persistent service.
Source: unknown; Homepage: none; Required binaries ... none; No install spec — this is an instruction-only skill.
Review the included scripts before running setup; the publisher should declare required binaries, OS support, and persistence behavior in metadata/install specs.