OpenClaw Guardian

Security checks across static analysis, malware telemetry, and agentic risk

Overview

OpenClaw Guardian is mostly a coherent safety plugin, but it reads local OpenClaw session logs and sends recent user context to an LLM with weak session scoping, and the packaged files appear inconsistent.

Review carefully before installing. Use it only if you are comfortable with a plugin reading recent OpenClaw session messages and sending selected context, commands, and file paths to your configured LLM provider. Prefer a fixed version that scopes context to the current session, documents credential/data use, and resolves the package path/version inconsistencies. Keep normal OpenClaw sandboxing and manual approvals enabled for destructive actions.

Static analysis

Dangerous exec

Severity: Critical
Finding: Shell command execution detected (child_process).

Dynamic code execution

Severity: Critical
Finding: Dynamic code execution detected.

Env credential access

Severity: Critical
Finding: Environment variable access combined with network send.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Severity: High
What this means

A message from a different or unrelated recent session could be sent to the LLM and could influence whether a destructive command is allowed or blocked.

Why it was flagged

The function accepts but does not use the session key, then selects the newest session file and reuses recent user messages as authority for confirming dangerous tool calls.

Skill content:
export function readRecentContext(_sessionKey?: string): string { ... readdirSync(sessDir) ... sort((a, b) => b.mtime - a.mtime); ... const latest = join(sessDir, files[0].name); ... return userMessages.slice(-3).join("\n---\n")

Recommendation

Scope context reads to the current sessionKey, minimize the amount of context sent, redact sensitive content, and require fresh user confirmation for destructive actions rather than relying on generic recent messages.

ASI07: Insecure Inter-Agent Communication
Severity: Medium
What this means

Your model provider may receive sensitive command names, file paths, and recent conversation text, and your provider account may incur token usage.

Why it was flagged

Flagged tool details and recent user-message context are sent to the configured LLM provider for voting.

Skill content:
resp = await fetch(endpoint, { method: "POST", headers: { ... "x-api-key": llmApiKey ... }, body: JSON.stringify({ ... messages: [{ role: "user", content: userPrompt }] }) })

Recommendation

Use only with a trusted provider, disclose this data flow clearly, and consider adding local-only or explicit-consent modes for sensitive contexts.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

The skill can spend tokens and authenticate to the configured model provider using the user's existing OpenClaw provider setup.

Why it was flagged

The plugin reuses existing OpenClaw model-provider credentials instead of requiring a separate key.

Skill content:
llmApiKey = provider.apiKey; ... llmHeaders = { ...provider.headers, ...found.headers }; ... console.log(`[guardian] LLM ready: ${llmModel} via ${llmUrl}`);

Recommendation

Document this credential use in metadata, prefer least-privilege provider keys where available, and make token/data costs clear to users.

ASI02: Tool Misuse and Exploitation
Severity: Medium
What this means

The skill is not a full manual-confirmation system; dangerous commands can still run if the LLM voter decides the user requested them.

Why it was flagged

The plugin automatically gates high-impact exec/write/edit calls and allows them to proceed when the LLM vote confirms user intent.

Skill content:
api.on("before_tool_call", async (event, ctx) => { ... if (toolName === "exec") { match = checkExecBlacklist(...) } ... if (match.level === "critical") { const result = await multiVote(toolName, params ?? {}, sessionKey, 3, 3); ... if (!result.confirmed) { return { block: true, ... } } ... return; }

Recommendation

Keep OpenClaw's normal sandboxing/allowlists/manual confirmations enabled for destructive operations, and do not treat this plugin as the only safety boundary.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Medium
What this means

The plugin may fail to load or may not run the reviewed code, leaving users with less protection than advertised.

Why it was flagged

The provided manifest lists audit-log.ts, blacklist.ts, and llm-voter.ts directly under scripts/, not under scripts/src/, and tsconfig.json contains '404: Not Found'. The reviewed package appears inconsistent or incomplete.

Skill content:
import { initAuditLog, writeAuditEntry } from "./src/audit-log.js"; import { checkExecBlacklist, checkPathBlacklist } from "./src/blacklist.js"; import { initLlm, singleVote, multiVote } from "./src/llm-voter.js";

Recommendation

Publish a complete, buildable package with matching paths, valid TypeScript configuration, consistent versions, and pinned source provenance.