Agent Guardian
Warn
Audited by ClawScan on May 10, 2026.
Overview
Agent Guardian’s watchdog goal is coherent, but its install and patch path adds persistent root services and unsafe command hooks that could let chat content run commands on the host.
Do not install this on a real gateway until the execSync command-injection patterns are fixed. If you still test it, use an isolated host, review the gateway patch manually, run services with least privilege, protect state files outside /tmp, and plan how to remove the cron and systemd service.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the patch is applied, a crafted chat message or generated reply could run commands on the bot/gateway host.
The recommended gateway patch embeds outbound text and inbound user content into shell commands. JSON.stringify does not prevent shell command substitution such as $() inside double-quoted shell strings.
execSync(`echo ${JSON.stringify(text)} | python3 /path/to/agent-guardian/scripts/lang-filter.py`, ...); ... execSync(`python3 /path/to/agent-guardian/scripts/detect-language.py ${JSON.stringify(event.content)}`, ...)
Do not apply the patch until shell execution is replaced with execFile/spawn argument arrays or stdin, with no shell interpolation of chat content.
Applying the patch can change how all QQ Bot messages are processed and can break or weaken the gateway if the patch is incorrect or unsafe.
The skill includes an automatic patch script that edits installed QQ Bot gateway source files and inserts hooks into message handling.
PLUGIN_DIR="/root/.openclaw/extensions/qqbot" ... cp "$SRC/gateway.ts" "$SRC/gateway.ts.bak" ... awk -i inplace ... "$SRC/gateway.ts"
Use a supported plugin extension point or require manual code review before patching gateway source; keep backups and test outside production.
A UX monitoring skill would gain persistent root-level execution on the host after installation.
The installer creates a system-level service that restarts automatically and runs as root, even though the registry does not declare privileged requirements.
cat > /etc/systemd/system/agent-guardian-query.service << EOF ... Restart=always ... User=root
Declare the privilege requirement clearly, run under a dedicated least-privileged user, and provide install/uninstall controls.
The skill can keep sending status reports and responding to trigger files in the background until the user manually disables the cron and service.
The installer adds recurring cron behavior and enables a background daemon that continues operating after setup.
crontab /tmp/crontab-guardian.tmp ... systemctl enable agent-guardian-query.service ... systemctl restart agent-guardian-query.service
Install only if you want persistent monitoring; document exact jobs/services created and include a cleanup command.
Another local process could potentially cause status or queue information to be sent to an unintended target on the configured channel.
The daemon trusts a shared /tmp trigger file for the recipient identity and sends status output based on it, without authenticating the file origin or validating the target against the configured user.
TRIGGER_FILE="/tmp/status-query-trigger" ... print(d.get('from', '')) ... openclaw message send --channel "$CHANNEL" --target "$TARGET" --message "$MSG"
Use a private directory with restrictive permissions, validate targets against the installed configuration, and authenticate trigger writes.
Installation depends on external package sources and may change the host environment.
The installer pulls runtime dependencies from package managers, including an unpinned Python package, even though no install spec or required binaries are declared.
pip3 install langdetect -q ... apt-get install -y inotify-tools -q
Review dependencies before installing, pin Python package versions, and declare required binaries/install steps in metadata.
