Skill v1.0.3
ClawScan security
Openclaw Gateway Guardian · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 15, 2026, 5:27 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to implement a local guardian for an OpenClaw gateway, but its documentation, runtime instructions, and metadata contain multiple mismatches (missing commands, undeclared binary dependency, and guidance to run with high system privileges) that should be resolved before trusting it.
- Guidance: This package is not clearly dishonest or malicious, but it has multiple inconsistencies you should resolve before installing:
  - Confirm the presence and trustworthiness of the `openclaw` CLI on the host; the guardian calls `openclaw gateway restart` but the skill metadata does not declare that binary as required.
  - The README/SKILL.md mention commands (init, health) and notification features that the included script does not implement — expect limited functionality (start/stop/status/logs) as shipped.
  - The docs encourage creating scheduled tasks (even under SYSTEM); avoid running unfamiliar scripts as SYSTEM. If you need autostart, prefer running under a dedicated low-privilege service account and review the install script (there are references to an install_powerShell script that is not present in the package manifest).
  - Inspect the script yourself (it is small): it writes files under ~/.openclaw_guardian, creates PID/state files, and uses subprocess to restart the gateway. Run it in a safe test environment first to confirm behavior.
  - If you plan to rely on notifications, verify whether those features are implemented or implement them yourself; do not paste secrets into configs unless you understand where they will be used.

  If the author can (a) declare the `openclaw` binary requirement, (b) update/remove docs so commands match the actual script (or ship an updated script implementing init/health/notifications), and (c) avoid recommending SYSTEM-level scheduled tasks or clearly explain why elevated privileges are required, the package would be much more coherent and easier to trust.
Review Dimensions
- Purpose & Capability (note): The stated purpose (monitor and restart an OpenClaw gateway) matches the script's behavior: it checks a local port and calls `openclaw gateway restart`. However, the package metadata does not declare the openclaw CLI as a required binary even though the code depends on it. Documentation promises notification channels (Feishu/Telegram/WeChat) and an 'init' workflow that the shipped script does not implement. These are inconsistencies between claimed capabilities and actual implementation.
- Instruction Scope (concern): SKILL.md (and other docs) instruct users to run commands such as `python scripts/gateway_guardian.py init` and `health`, and reference logs/health/notifications, but the included Python script only supports start|stop|status|logs. The docs also recommend creating scheduled tasks that run as SYSTEM. The runtime instructions therefore ask the agent/user to perform actions the shipped code does not support or that escalate privileges; this is scope creep and can mislead operators.
- Install Mechanism (ok): There is no external install spec or downloads; the skill is instruction-only with a local Python script and a small requirements.txt (aiohttp). That lowers supply-chain risk. No network-download install steps or obscure URLs are present in the package itself.
- Credentials (note): The skill declares no required environment variables, but the documentation and example config reference notification tokens and webhooks. The runtime script does not read environment secrets (notifications are disabled by default), but it depends on an external `openclaw` CLI which is not declared in metadata. Also, the docs suggest running scheduled tasks as SYSTEM (implying higher privileges) without documenting why such privilege is needed.
- Persistence & Privilege (concern): The package instructs (in multiple docs) how to create an OS-level scheduled task and even shows it running under the SYSTEM account. The skill metadata itself doesn't request persistent/global privileges, but the install/deployment instructions encourage configuration that would run the guardian with system-level privileges. Combined with the undeclared dependency on an external CLI, this is a privilege-related concern and should be a conscious operator decision rather than a default.
