botlearn-healthcheck

v1.0.5

botlearn-healthcheck — BotLearn autonomous health inspector for OpenClaw instances across 5 domains (hardware, config, security, skills, autonomy); triggers...

by 邢怀康 @calvinxhk
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the actual behavior: the skill collects local OpenClaw status, config, logs and produces reports and optional fixes. Required binaries (node, bash, curl) and the choice of either clawhub or openclaw are coherent. Minor oddity: metadata lists OPENCLAW_HOME as the 'Primary credential' — that's a directory path, not a secret credential; this looks like a labeling/metadata error but not a direct security exploit.
Instruction Scope
The SKILL.md and data collection spec instruct the agent to read many local files (openclaw.json, cron/*.json, workspace identity files, gateway.err.log tail, models.json, memory stats) and to run many CLI commands (openclaw health/doctor/cache, the included scripts). Reading openclaw.json and workspace identity files can surface API keys, tokens or PII; the skill claims to redact credential values and to treat identity content carefully, but the surface is broad. Also SKILL.md and flow_fix.md contain slightly inconsistent guidance (e.g., 'Never ask the human to execute commands' vs. 'Fixes require explicit user confirmation') — functionally consistent but wording could be confusing for an operator. Importantly, some referenced collection scripts (e.g., scripts/collect-tools.sh) are mentioned in documentation but are not present in the provided file manifest, which will likely cause failures at runtime.
Install Mechanism
No install spec / no external downloads — the skill is instruction-only and includes scripts in the package. That lowers install risk: nothing is pulled from arbitrary URLs during install. The presence of local scripts means code is provided with the skill; review those scripts before execution.
Credentials
The skill does not request cloud credentials or unrelated secrets. It relies on OPENCLAW_HOME (a path) and local CLI tools, which is proportionate for a local healthcheck. However it will read configuration files (openclaw.json, cron tasks, models.json, workspace files) that commonly contain API keys or tokens — the skill's docs assert redaction before output, but reading these files into the agent context is necessary for its purpose and increases sensitive-data exposure risk. Also: metadata mislabels OPENCLAW_HOME as a 'primary credential' which may mislead less-technical users.
Persistence & Privilege
always:false and normal autonomous invocation behavior (disable-model-invocation:false) — standard. The skill does not request persistent platform-wide privileges. Fixes that modify system state require explicit user confirmation according to flow_fix.md. One point to watch: some fix cases contain destructive commands (rm, pkill, chmod); flow_fix.md says destructive or root-required fixes should be shown but not executed without explicit confirmation and user consent — verify the agent implements that gate correctly before permitting fixes.
Scan Findings in Context
[pre-scan-injection-none] expected: Static pre-scan detected no injection patterns. This is not proof of safety — the package includes many scripts and large SKILL.md instructions that should be manually reviewed. The lack of regex findings simply means no obvious known patterns were flagged by the scanner.
What to consider before installing
What to check before installing or running this skill:

  • Review the included scripts yourself (scripts/collect-*.sh and scripts/generate-report.sh). They will be executed locally and will read config files and logs. Ensure you trust the skill author and verify there are no unexpected network calls or hidden commands.
  • Note a missing/inconsistent reference: the docs and data_collect.md reference scripts/collect-tools.sh, but that script is not present in the provided file manifest. Expect runtime errors or incomplete collection unless that script is added or the references are updated.
  • The skill will read openclaw.json, cron tasks, HEARTBEAT.md and workspace identity files. Those files often contain API keys, tokens, or personal info. The skill states it will redact credential values before output, but reading them into the agent's context still exposes them to the agent process — only install/run if you trust the agent runtime and the skill code.
  • There are small documentation errors/typos (e.g., setup.md's curl check shows 'bash --version' for curl). These suggest the package was not carefully proofread; prefer to run the first check in a non-production environment or after backing up your OpenClaw config.
  • Fix workflow: the skill includes commands that can change or delete files (e.g., compress logs, remove old reports, pkill processes). According to flow_fix.md, fixes require your explicit confirmation — ensure the agent indeed prompts you and never auto-applies fixes without consent.
  • Operational recommendation: run the skill in 'targeted' mode first (e.g., 'check security' or 'check config') rather than a full run, and inspect the collected DATA.* outputs (or the scripts) to confirm behavior before permitting any fix operations. If you need higher assurance, manually run the collection scripts listed in the repo on a test instance to validate their outputs and redaction behavior.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🏥 Clawdis
OS: macOS · Linux
Bins: curl, node, bash
Any bin: clawhub, openclaw
Primary env: OPENCLAW_HOME
latest: vk978wh50dnc0z2qsdr5y9127jx82dsk1
446 downloads
1 star
3 versions
Updated 1mo ago
MIT-0

OpenClaw Health Doctor

THIS ENTIRE DOCUMENT IS FOR YOU — THE AI AGENT. Collect all data autonomously. Never ask the human to execute commands. Every check, analysis, and report is your responsibility to produce. All output to the user must be in their native language (REPORT_LANG).

Role

You are the OpenClaw Health Doctor. You autonomously collect raw system data from a live OpenClaw instance, analyze it across 5 health domains, and produce a quantified traffic-light report (✅ pass / ⚠️ warning / ❌ error) with domain scores (0–100) and fix guidance — rendered in the user's native language.

First Run

On first activation, or when the OpenClaw environment has not yet been verified, read setup.md and execute the prerequisite checks before proceeding to Phase 1.

Operating Modes

| Mode | Trigger | Behavior |
|---|---|---|
| Full Check | "health check" / "doctor" / general query | All 5 domains in parallel |
| Targeted | Domain named explicitly: "check security", "fix skills" | That domain only |

Phase 0 — Language & Mode Detection

Detect REPORT_LANG from the user's message language:

  • Chinese (any form) → Chinese
  • English → English
  • Other → English (default)

Detect mode: If user names a specific domain, run Targeted mode for that domain only. Otherwise run Full Check.


Phase 1 — Data Collection

Read data_collect.md for the complete collection protocol.

Summary — run all in parallel:

| Context Key | Source | What It Provides |
|---|---|---|
| DATA.status | scripts/collect-status.sh | Full instance status: version, OS, gateway, services, agents, channels, diagnosis, log issues |
| DATA.env | scripts/collect-env.sh | OS, memory, disk, CPU, version strings |
| DATA.config | scripts/collect-config.sh | Config structure, sections, agent settings |
| DATA.logs | scripts/collect-logs.sh | Error rate, anomaly spikes, critical events |
| DATA.skills | scripts/collect-skills.sh | Installed skills, broken deps, file integrity |
| DATA.health | openclaw health --json | Gateway reachability, endpoint latency, service status |
| DATA.precheck | scripts/collect-precheck.sh | Built-in openclaw doctor check results |
| DATA.channels | scripts/collect-channels.sh | Channel registration, config status |
| DATA.security | scripts/collect-security.sh | Credential exposure, permissions, network |
| DATA.workspace_audit | scripts/collect-workspace-audit.sh | Storage, config cross-validation |
| DATA.doctor_deep | openclaw doctor --deep --non-interactive | Deep self-diagnostic text output |
| DATA.openclaw_json | direct read $OPENCLAW_HOME/openclaw.json | Raw config for cross-validation |
| DATA.cron | direct read $OPENCLAW_HOME/cron/*.json | Scheduled task definitions |
| DATA.identity | ls -la $OPENCLAW_HOME/identity/ | Authenticated device listing (no content) |
| DATA.gateway_err_log | tail -200 $OPENCLAW_HOME/logs/gateway.err.log | Recent gateway errors (redacted) |
| DATA.memory_stats | find/du on $OPENCLAW_HOME/memory/ | File count, total size, type breakdown |
| DATA.heartbeat | direct read $OPENCLAW_HOME/workspace/HEARTBEAT.md | Last heartbeat timestamp + content |
| DATA.models | direct read $OPENCLAW_HOME/agent/models.json | Model contextWindow, maxTokens per model |
| DATA.cache | openclaw cache stats | Cache size, history count, index size |
| DATA.workspace_identity | direct read $OPENCLAW_HOME/workspace/{agent,soul,user,identity,tool}.md | Presence + word count + content depth of 5 identity files |

On any failure: set DATA.<key> = null, continue — never abort collection.


Phase 2 — Domain Analysis

For Full Check: run all 5 domains in parallel. For Targeted: run only the named domain.

Each domain independently produces: status (✅/⚠️/❌) + score (0–100) + findings + fix hints. Read the corresponding check_*.md file for complete scoring tables, edge cases, and output format. Read openclaw_knowledge.md for platform defaults (gateway address, latest version, CLI commands).

| # | Domain | Data Sources | Key Checks | Pass/Warn/Fail | Reference |
|---|---|---|---|---|---|
| 1 | Hardware Resources | DATA.env | Memory, Disk, CPU, Node.js, OS | ≥80 / 60–79 / <60 | check_hardware.md |
| 2 | Configuration Health | DATA.config, DATA.health, DATA.channels, DATA.tools, DATA.openclaw_json, DATA.status | CLI validation, config structure, gateway, agents, channels, tools, consistency, security posture | ≥75 / 55–74 / <55 | check_config.md |
| 3 | Security Risks | DATA.security, DATA.gateway_err_log, DATA.identity, DATA.config | Credential exposure, file permissions, network bind, CVEs, VCS secrets | ≥85 / 65–84 / <65 | check_security.md |
| 4 | Skills Completeness | DATA.skills | Built-in tools, install capability, count & coverage, skill health, botlearn ecosystem | ≥80 / 60–79 / <60 | check_skills.md |
| 5 | Autonomous Intelligence | DATA.precheck, DATA.heartbeat, DATA.cron, DATA.memory_stats, DATA.workspace_audit, DATA.doctor_deep, DATA.logs, DATA.status, DATA.workspace_identity | Heartbeat, cron, memory, doctor, services, agents, logs, workspace identity → Autonomy Mode | ≥80 / 60–79 / <60 | check_autonomy.md |

Common rules:

  • Base score = 100, subtract impacts per check failure
  • If data source is null: use fallback score noted in each check_*.md
  • Privacy: NEVER print credential values — report type + file path only
  • Output: domain labels and summaries in REPORT_LANG; metrics, commands, field names in English
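
A reviewer's cross-check of the Phase 1 and Phase 2 summary tables, added here as an example and not part of the skill's own code: it lists DATA keys that a domain references but Phase 1 never defines, keys that are collected but used by no domain row, and the domains that must use a fallback score when a source is null. The function names and the sample run are assumptions; the key lists are copied from the two tables on this page.

```javascript
// Added example. Key lists are transcribed from the two summary tables on this page.
const COLLECTED = [
  'status', 'env', 'config', 'logs', 'skills', 'health', 'precheck', 'channels',
  'security', 'workspace_audit', 'doctor_deep', 'openclaw_json', 'cron', 'identity',
  'gateway_err_log', 'memory_stats', 'heartbeat', 'models', 'cache', 'workspace_identity',
];
const DOMAIN_SOURCES = {
  'Hardware Resources': ['env'],
  'Configuration Health': ['config', 'health', 'channels', 'tools', 'openclaw_json', 'status'],
  'Security Risks': ['security', 'gateway_err_log', 'identity', 'config'],
  'Skills Completeness': ['skills'],
  'Autonomous Intelligence': ['precheck', 'heartbeat', 'cron', 'memory_stats',
    'workspace_audit', 'doctor_deep', 'logs', 'status', 'workspace_identity'],
};

// Compare what Phase 1 defines against what Phase 2 consumes.
function crossCheck(collected, domainSources) {
  const defined = new Set(collected);
  const used = new Set();
  const undefinedRefs = {};
  for (const [domain, keys] of Object.entries(domainSources)) {
    for (const k of keys) {
      used.add(k);
      if (!defined.has(k)) {
        (undefinedRefs[domain] = undefinedRefs[domain] || []).push(`DATA.${k}`);
      }
    }
  }
  // Collected but never consumed: sensitive reads with no stated purpose in these tables.
  const unused = collected.filter((k) => !used.has(k)).map((k) => `DATA.${k}`);
  return { undefinedRefs, unused };
}

// Domains with at least one null or missing source must use their fallback score.
function degradedDomains(data, domainSources) {
  return Object.entries(domainSources)
    .filter(([, keys]) => keys.some((k) => data[k] == null))
    .map(([domain]) => domain);
}

// Constructed run: every collector succeeded except collect-logs.sh (DATA.logs = null).
const run = Object.fromEntries(COLLECTED.map((k) => [k, k === 'logs' ? null : {}]));
console.log(crossCheck(COLLECTED, DOMAIN_SOURCES), degradedDomains(run, DOMAIN_SOURCES));
```

On these tables the check reports DATA.tools as referenced but never collected, and DATA.models and DATA.cache as collected but not listed under any domain; the per-domain check_*.md files may still use them.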

Phase 3 — Report Generation

Generate persistent health report documents (MD + HTML) from domain analysis results. Save to $OPENCLAW_HOME/memory/health-reports/healthcheck-YYYY-MM-DD-HHmmss.{md,html}.

Read flow_report.md for: output location, file naming, MD/HTML content templates, generation protocol.


Phase 4 — Report Analysis

Present analysis results to the user with layered output (one-line status → domain grid → issue table → deep analysis). Compare with historical reports for trend tracking.

Read flow_analysis.md for: output layer formats (L0–L3), historical trend comparison, follow-up prompts. Reference fix_cases.md for real-world diagnosis patterns and root cause analysis.


Phase 5 — Fix Cycle

If any issues found, guide user through fix execution with confirmation at every step. Show fix command + rollback command → await confirmation → execute → verify.

Never run any command that modifies system state without explicit user confirmation.

Read flow_fix.md for: safety rules, per-fix protocol, batch mode, scope limits. Reference fix_cases.md for proven fix steps, rollback commands, and prevention strategies.


Phase 6 — Fix Summary

After fix cycle, generate a final summary: actions taken, score changes, remaining issues. Append fix results to the previously generated report files.

Read flow_summary.md for: summary content, post-fix verification, report update, closing message.


Key Constraints

  1. Scripts First — Use scripts/collect-*.sh for structured data; read files directly for raw content.
  2. Evidence-Based — Every finding must cite the specific DATA.<key>.<field> and its actual value.
  3. Privacy Guard — Redact all API keys, tokens, and passwords before any output or storage.
  4. Safety Gate — Show fix plan and await explicit confirmation before any system modification.
  5. Language Rule — Instructions in this file are in English. All output to the user must be in REPORT_LANG.
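
One way to implement the Privacy rule under Phase 2 and the Privacy Guard constraint above, added here as an example and not the skill's own code: a redacting walk over a parsed config that returns a safe copy plus findings carrying only type, file and path. The key-name patterns, the `redact` function and the sample config are assumptions, not OpenClaw's real schema.

```javascript
// Added example: key-name patterns and the sample config are assumptions,
// not OpenClaw's real schema.
const KEY_TYPES = [
  [/passw(or)?d$/i, 'password'],
  [/api[_-]?key$/i, 'api_key'],
  [/(token|secret)$/i, 'token'], // anchored at the end, so "maxTokens" is not flagged
];
// Password embedded in a URL: scheme://user:password@host
const URL_CRED = /^([a-z][a-z0-9+.-]*:\/\/[^/\s:@]+:)[^@\s/]+@/i;

// Returns a redacted deep copy plus findings with type, file and path, never the value.
function redact(node, file, path = '$', findings = []) {
  if (Array.isArray(node)) {
    const value = node.map((v, i) => redact(v, file, `${path}[${i}]`, findings).value);
    return { value, findings };
  }
  if (node !== null && typeof node === 'object') {
    const value = {};
    for (const [k, v] of Object.entries(node)) {
      const hit = KEY_TYPES.find(([re]) => re.test(k));
      if (hit && typeof v === 'string' && v !== '') {
        findings.push({ type: hit[1], file, path: `${path}.${k}` });
        value[k] = '[REDACTED]';
      } else {
        value[k] = redact(v, file, `${path}.${k}`, findings).value;
      }
    }
    return { value, findings };
  }
  if (typeof node === 'string' && URL_CRED.test(node)) {
    findings.push({ type: 'url_password', file, path });
    return { value: node.replace(URL_CRED, '$1[REDACTED]@'), findings };
  }
  return { value: node, findings };
}

// Constructed sample, not a real openclaw.json.
const SAMPLE = {
  gateway: { bind: '127.0.0.1', authToken: 'tok-constructed-0001' },
  providers: [{ name: 'example', apiKey: 'key-constructed-0002' }],
  proxy: 'http://svc:hunter2@proxy.example:8080',
  models: { default: { contextWindow: 8192, maxTokens: 4096 } },
};

const report = redact(SAMPLE, '$OPENCLAW_HOME/openclaw.json');
console.log(JSON.stringify(report, null, 2));
```

Name-based matching misses secrets stored under unrecognised keys, so an empty findings list means "nothing matched", not "nothing sensitive".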
