LuLu Monitor
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: lulu-monitor
Version: 2.0.0
The skill is classified as suspicious due to its requirement for high-risk permissions and capabilities, even though these are explicitly disclosed. Specifically, it instructs the user to allow the `sessions_spawn` tool in OpenClaw's gateway configuration (SKILL.md), which grants the AI agent broad command execution capabilities. The `install.sh` script also sets up a persistent `launchd` service, running a Node.js script (`src/index.js`, not provided) with system-level persistence, and the skill requires macOS Accessibility Permissions to interact with the LuLu Firewall GUI. While these capabilities are explained as necessary for the skill's stated purpose, they represent a significant attack surface and potential for abuse if the core logic were compromised or contained hidden malicious intent. The skill is therefore classified as having risky capabilities without clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A later change in the GitHub repo or an npm dependency could cause unreviewed code to run on your Mac with the service's firewall-monitoring authority.
The installer fetches the latest remote repository and production npm dependencies at install time, rather than using pinned, reviewed artifacts.
REPO_URL="https://github.com/EasonC13-agent/lulu-monitor.git" ... git clone "$REPO_URL" "$INSTALL_DIR" ... git pull origin main ... npm install --production
Use a pinned, reviewed release or commit, include the runtime source and lockfile in the skill package, and inspect the downloaded repository before starting the service.
Enabling a broad agent-spawning tool can increase what local OpenClaw integrations are allowed to do if the gateway or downloaded monitor code is misused.
The skill asks the user to enable a gateway tool that is blocked by default, but does not document narrow scoping to this monitor or to specific analysis-only prompts.
The monitor calls `sessions_spawn` via OpenClaw's `/tools/invoke` HTTP API. This tool is blocked by default. Add it to the allowlist ... "allow": ["sessions_spawn"]
Limit sessions_spawn to this skill if possible, require explicit approval for high-impact actions, and document the exact data and prompts sent to spawned sessions.
If implemented as documented, another local process could potentially trigger a LuLu decision while an alert is active.
The documented localhost callback can trigger firewall allow/block decisions, including durable rules, and the reviewed documentation does not show authentication or origin checks for that endpoint.
curl -X POST http://127.0.0.1:4441/callback ... -d '{"action":"allow"}' ... This will: Click the appropriate button on LuLu alert ... Set Rule Duration to "Always" or "Process lifetime"
Require an authenticated, single-use callback token tied to the Telegram action and current alert, and avoid permanent firewall changes unless the user explicitly confirms them.
The monitor will keep running after installation until you unload or uninstall the LaunchAgent.
The skill installs a launchd job that starts at login and restarts automatically; this is aligned with continuous monitoring but is persistent background behavior.
<key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/> ... <string>$INSTALL_DIR/src/index.js</string>
Install only if you want continuous monitoring, verify the LaunchAgent contents, and use the uninstall script or launchctl to stop it when no longer needed.
Granting Accessibility to Terminal or osascript can let scripts automate user-interface actions, not just LuLu actions.
Accessibility permission is purpose-aligned for controlling LuLu dialogs, but it is a broad macOS UI-automation privilege.
Accessibility Permission: System Settings > Privacy > Accessibility > Enable Terminal/osascript ... AppleScript needs permission to control LuLu.
Grant Accessibility only to trusted apps, consider using a dedicated wrapper if available, and revoke the permission when you stop using the monitor.
Process names, destination IPs, ports, and DNS names from your Mac may be shared with external AI or Telegram services.
The skill discloses that local network-connection metadata is sent through AI/OpenClaw and Telegram notification flows.
Extracts connection info (process, IP, port, DNS) ... Spawns a fast AI (haiku) to analyze the connection ... Sends Telegram notification with risk assessment
Use it only if you are comfortable sending connection metadata to those services, and verify the Telegram recipient and gateway configuration.
