Gateway Guardian
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill’s gateway-protection purpose is coherent, but it installs persistent services and contains unsafe shell-config handling plus unpinned remote script downloads that warrant careful review.
Review the installer before running it. Prefer a version that uses packaged or pinned scripts, safely stores guardian.conf without shell sourcing, and sends alerts only to a clearly configured owner or approved team channel.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed notification name or config value could run shell commands when the service starts or sends notifications.
The runtime executes guardian.conf as shell. SKILL.md generates that file from conversation-derived values such as BOT_NAME without showing shell escaping, so crafted values could execute commands under the user account.
[ -f "$_GUARDIAN_LIB_DIR/guardian.conf" ] && source "$_GUARDIAN_LIB_DIR/guardian.conf"
Do not source user-generated config directly. Store config as JSON or parse key/value lines safely, quote here-doc delimiters, validate allowed characters, and shell-escape any value written to a shell file.
The code actually installed and run persistently may change after review, making it harder for users to know what they are trusting.
The installer can fetch executable scripts from an unpinned GitHub main branch, which may differ from the reviewed artifact version.
BASE_URL="https://raw.githubusercontent.com/Dios-Man/gateway-guardian/main" ... curl -fsSL "$BASE_URL/$f" -o "$SKILL_DIR/$f"
Install the packaged reviewed files when available, or pin downloads to a specific commit and verify checksums before chmod/systemd registration.
Gateway alerts and log excerpts could be sent to an unintended recent user or chat in a multi-user setup.
Notifications are sent to the most recently active direct session, or another active session, rather than being strictly pinned to the installer or configured owner.
direct = [s for s in real if ':direct:' in s['key']] ... target.sort(key=lambda x: x.get('updatedAt', 0), reverse=True) ... print(target[0]['key'])
Pin notifications to the installer/fallback target by default, require explicit opt-in for team channels, and avoid sending journal/log excerpts to dynamically selected sessions.
After installation, the guardian continues operating in the background until stopped or uninstalled.
The skill intentionally installs a persistent systemd user service that restarts automatically.
ExecStart=/bin/bash $SKILL_DIR/config-watcher.sh
Restart=always
RestartSec=3
Install only if you want continuous background monitoring, and verify the documented uninstall steps stop and disable the systemd units.
The skill can change gateway availability and may interrupt active conversations while recovering the service.
The recovery script has authority to reset and restart the OpenClaw gateway as part of crash recovery.
systemctl --user reset-failed openclaw-gateway.service 2>/dev/null
systemctl --user restart openclaw-gateway.service
Confirm this automatic restart behavior is desired for the host, and keep reliable backups before enabling auto-rollback/recovery.
Gateway incident records may persist in agent memory beyond the immediate recovery task.
The skill writes incident summaries into OpenClaw workspace memory for later reuse.
MEMORY_DIR="$HOME/.openclaw/workspace/memory" ... echo "## ${_MSG_MEMORY_HEADER} ($(date '+%H:%M'))" >> "$file"
Document retention clearly, avoid storing sensitive log contents in memory, and provide a simple cleanup option.
