Agent Guardian
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: agent-guardian
Version: 1.0.0
The 'agent-guardian' bundle performs highly intrusive operations, including automatically patching the source code of other OpenClaw extensions (e.g., modifying 'gateway.ts' and 'outbound.ts' in the QQ Bot extension) to inject hooks that execute shell commands via 'execSync'. It also establishes persistence by installing a systemd service ('agent-guardian-query.service') and modifying the system crontab. While these actions support its stated goal of monitoring agent health and filtering language, the practice of modifying external extension code and the use of shell execution hooks on user-supplied input (seen in 'scripts/apply-qqbot-patch.sh') pose significant security and stability risks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the patch is applied, a crafted chat message or generated reply could run commands on the bot/gateway host.
The recommended gateway patch embeds outbound text and inbound user content into shell commands. JSON.stringify does not prevent shell command substitution such as $() inside double-quoted shell strings.
execSync(`echo ${JSON.stringify(text)} | python3 /path/to/agent-guardian/scripts/lang-filter.py`, ...); ... execSync(`python3 /path/to/agent-guardian/scripts/detect-language.py ${JSON.stringify(event.content)}`, ...)
Do not apply the patch until shell execution is replaced with execFile/spawn argument arrays or stdin, with no shell interpolation of chat content.
Applying the patch can change how all QQ Bot messages are processed and can break or weaken the gateway if the patch is incorrect or unsafe.
The skill includes an automatic patch script that edits installed QQ Bot gateway source files and inserts hooks into message handling.
PLUGIN_DIR="/root/.openclaw/extensions/qqbot" ... cp "$SRC/gateway.ts" "$SRC/gateway.ts.bak" ... awk -i inplace ... "$SRC/gateway.ts"
Use a supported plugin extension point or require manual code review before patching gateway source; keep backups and test outside production.
A UX monitoring skill would gain persistent root-level execution on the host after installation.
The installer creates a system-level service that restarts automatically and runs as root, even though the registry does not declare privileged requirements.
cat > /etc/systemd/system/agent-guardian-query.service << EOF ... Restart=always ... User=root
Declare the privilege requirement clearly, run under a dedicated least-privileged user, and provide install/uninstall controls.
The skill can keep sending status reports and responding to trigger files in the background until the user manually disables the cron and service.
The installer adds recurring cron behavior and enables a background daemon that continues operating after setup.
crontab /tmp/crontab-guardian.tmp ... systemctl enable agent-guardian-query.service ... systemctl restart agent-guardian-query.service
Install only if you want persistent monitoring; document exact jobs/services created and include a cleanup command.
Another local process could potentially cause status or queue information to be sent to an unintended target on the configured channel.
The daemon trusts a shared /tmp trigger file for the recipient identity and sends status output based on it, without authenticating the file origin or validating the target against the configured user.
TRIGGER_FILE="/tmp/status-query-trigger" ... print(d.get('from', '')) ... openclaw message send --channel "$CHANNEL" --target "$TARGET" --message "$MSG"
Use a private directory with restrictive permissions, validate targets against the installed configuration, and authenticate trigger writes.
Installation depends on external package sources and may change the host environment.
The installer pulls runtime dependencies from package managers, including an unpinned Python package, even though no install spec or required binaries are declared.
pip3 install langdetect -q ... apt-get install -y inotify-tools -q
Review dependencies before installing, pin Python package versions, and declare required binaries/install steps in metadata.
