LuLu Monitor
Warn
Audited by ClawScan on May 10, 2026.
Overview
LuLu Monitor has a coherent firewall-monitoring purpose, but it asks you to install and auto-run unpinned remote code with the ability to change firewall decisions.
Review the downloaded GitHub repository before installing, keep auto-execute disabled unless you fully trust the monitor, avoid permanent allow rules by default, and grant Accessibility/OpenClaw permissions only if you accept a persistent service that can act on LuLu firewall alerts.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A later change in the GitHub repo or an npm dependency could cause unreviewed code to run on your Mac with the service's firewall-monitoring authority.
The installer fetches the latest remote repository and production npm dependencies at install time, rather than using pinned, reviewed artifacts.
REPO_URL="https://github.com/EasonC13-agent/lulu-monitor.git" ... git clone "$REPO_URL" "$INSTALL_DIR" ... git pull origin main ... npm install --production
Use a pinned, reviewed release or commit, include the runtime source and lockfile in the skill package, and inspect the downloaded repository before starting the service.

Enabling a broad agent-spawning tool can increase what local OpenClaw integrations are allowed to do if the gateway or downloaded monitor code is misused.
The skill asks the user to enable a gateway tool that is blocked by default, but does not document narrow scoping to this monitor or to specific analysis-only prompts.
The monitor calls `sessions_spawn` via OpenClaw's `/tools/invoke` HTTP API. This tool is blocked by default. Add it to the allowlist ... "allow": ["sessions_spawn"]
Limit sessions_spawn to this skill if possible, require explicit approval for high-impact actions, and document the exact data and prompts sent to spawned sessions.

If implemented as documented, another local process could potentially trigger a LuLu decision while an alert is active.
The documented localhost callback can trigger firewall allow/block decisions, including durable rules, and the reviewed documentation does not show authentication or origin checks for that endpoint.
curl -X POST http://127.0.0.1:4441/callback ... -d '{"action":"allow"}' ... This will: Click the appropriate button on LuLu alert ... Set Rule Duration to "Always" or "Process lifetime"
Require an authenticated, single-use callback token tied to the Telegram action and current alert, and avoid permanent firewall changes unless the user explicitly confirms them.

The monitor will keep running after installation until you unload or uninstall the LaunchAgent.
The skill installs a launchd job that starts at login and restarts automatically; this is aligned with continuous monitoring but is persistent background behavior.
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
...
<string>$INSTALL_DIR/src/index.js</string>
Install only if you want continuous monitoring, verify the LaunchAgent contents, and use the uninstall script or launchctl to stop it when no longer needed.

Granting Accessibility to Terminal or osascript can let scripts automate user-interface actions, not just LuLu actions.
Accessibility permission is purpose-aligned for controlling LuLu dialogs, but it is a broad macOS UI-automation privilege.
Accessibility Permission: System Settings > Privacy > Accessibility > Enable Terminal/osascript ... AppleScript needs permission to control LuLu.
Grant Accessibility only to trusted apps, consider using a dedicated wrapper if available, and revoke the permission when you stop using the monitor.

Process names, destination IPs, ports, and DNS names from your Mac may be shared with external AI or Telegram services.
The skill discloses that local network-connection metadata is sent through AI/OpenClaw and Telegram notification flows.
Extracts connection info (process, IP, port, DNS) ... Spawns a fast AI (haiku) to analyze the connection ... Sends Telegram notification with risk assessment
Use it only if you are comfortable sending connection metadata to those services, and verify the Telegram recipient and gateway configuration.
