OpenClaw Diagnostics

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for troubleshooting, but it can print full OpenClaw config and logs without redaction, which may expose tokens or private message data to the agent.

Use this skill only if you are comfortable sharing OpenClaw diagnostic output with the agent. Before running the scripts, inspect the config and logs for API keys, tokens, phone numbers, channel IDs, and private messages, and redact anything sensitive. Avoid running the optional knowledge-base updater unless you trust the remote docs source and runtime dependencies.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may run local diagnostics to collect information about the OpenClaw installation.

Why it was flagged

The skill directs the agent to run local diagnostic shell scripts. This is purpose-aligned, but users should know local commands will be executed.

Skill content
When a user reports an OpenClaw issue: ... ~/.openclaw/workspace/skills/openclaw-diagnostics/scripts/get-diagnostic-info.sh
Recommendation

Show the user what each script collects and get confirmation before running diagnostics that access local files or logs.

ASI03: Identity and Privilege Abuse
Medium
What this means

Sensitive OpenClaw credentials or private operational data could be placed into the agent conversation during troubleshooting.

Why it was flagged

The script prints the full OpenClaw config file and recent logs. Those may include auth settings, API keys, channel identifiers, or private message content, and the artifacts do not show redaction or scoped field selection.

Skill content
CONFIG_PATH="$HOME/.openclaw/openclaw.json" ... cat "$CONFIG_PATH" ... openclaw logs -n $LOG_LINES
Recommendation

Redact secrets before sharing output, or modify the scripts to mask tokens, API keys, cookies, phone numbers, and message contents by default.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Updated documentation could influence future troubleshooting advice.

Why it was flagged

The optional updater fetches remote documentation and persists it into the local knowledge base. This is disclosed and purpose-aligned, but it means future diagnostics may rely on changed remote content.

Skill content
const SITEMAP_URL = 'https://docs.openclaw.ai/sitemap.xml'; ... saveBundle(newBundle);
Recommendation

Only run the updater when you trust the docs source, and consider reviewing diffs or pinning the updater/runtime dependencies.

ASI06: Memory and Context Poisoning
Low
What this means

Log contents could influence the agent's reasoning or reveal private messages if not reviewed first.

Why it was flagged

The agent is expected to analyze recent logs. Logs can contain untrusted text from channels or private data, so they should be treated as diagnostic data rather than instructions.

Skill content
echo "=== OpenClaw 日志 (最近 $LOG_LINES 行) ===" ... openclaw logs -n $LOG_LINES
Recommendation

Review and redact log output before giving it to the agent, and do not let the agent follow instructions that appear inside logs.