OpenClaw Watchdog Pro

Security checks across malware telemetry and agentic risk

Overview

The skill is a real OpenClaw watchdog, but it installs always-on recovery with elevated privileges and automatic repair actions that deserve manual review before use.

Install only if you intentionally want an always-on OpenClaw watchdog that can restore configuration, restart the gateway, and run repair commands automatically. Review the installer first, avoid root/SYSTEM deployment where possible, protect `~/.openclaw/backups`, and know how to remove the service/task and shell alias before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer appends an `oc` alias into `~/.bashrc` and possibly `~/.profile` without consent, which creates persistence in the user's shell environment unrelated to the core watchdog function. Modifying shell startup files broadens the skill's control surface and can surprise users or override expected command behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
On Windows the installer creates a scheduled task that runs as `SYSTEM` with highest privileges at startup, which is far more powerful than necessary for routine config backup and gateway monitoring. If the watchdog script or its path is tampered with, this persistence mechanism becomes a high-impact privilege-escalated execution path.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The generated systemd unit runs the watchdog continuously as `root`, even though the described functionality does not inherently require full system privileges. A bug or compromise in the watchdog process would therefore execute with maximum local authority and could alter system state or user data broadly.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The watchdog escalates from gateway restart into `openclaw doctor --fix --non-interactive`, which is a broad self-repair action whose side effects are not bounded to the gateway. In an automated loop, this can make system-wide configuration changes or repair actions without operator approval, increasing the blast radius from a simple service outage to unintended host or application modifications.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill metadata includes broad trigger phrases such as '配置备份', 'gateway 监控', '自动恢复', and 'watchdog', which could match ordinary user requests and cause the skill to be invoked unexpectedly. In a skill that performs installation, persistence setup, monitoring, and recovery actions, accidental activation increases the risk of disruptive system changes without clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that after repeated failures the watchdog will automatically restore backups and invoke 'openclaw doctor --fix' for deep repair, but it does not present strong warnings about the scope or risks of these actions. Automatic recovery and repair can overwrite configuration, restart services, and alter system state in ways that are disruptive or dangerous if triggered incorrectly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installer silently edits shell startup files without prior warning or approval, establishing persistent changes in the user's interactive environment. Even if intended as convenience, this violates least surprise and can be abused to alter future command behavior or normalize unauthorized profile modification.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Linux install path creates and enables a persistent system service, restarts it immediately, and configures it to run with elevated privileges without explicit warning or consent. Because the skill's purpose is watchdog monitoring, persistence is contextually plausible, but silently installing privileged autorun behavior makes the package materially more dangerous if the watchdog code is flawed or later changed.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
launchctl list | grep openclaw
launchctl unload ~/Library/LaunchAgents/com.openclaw.watchdog.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.watchdog.plist
```
Confidence
86% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
launchctl list | grep openclaw
launchctl unload ~/Library/LaunchAgents/com.openclaw.watchdog.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.watchdog.plist
```

#### Windows
Confidence
78% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
launchctl list | grep openclaw
launchctl unload ~/Library/LaunchAgents/com.openclaw.watchdog.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.watchdog.plist
```

#### Windows
Confidence
78% confidence
Finding
plist

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```
schtasks /query /tn "OpenClaw Watchdog"

# Delete and recreate
schtasks /delete /tn "OpenClaw Watchdog" /f
```

#### cron (fallback option)
Confidence
84% confidence
Finding
delete /tn

VirusTotal

65/65 vendors flagged this skill as clean.
