OpenClaw Auto-Doctor
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-auto-doctor Version: 1.0.0 The OpenClaw Auto-Doctor skill is classified as suspicious due to its inherent high-risk capabilities, primarily the potential for Remote Code Execution (RCE). The `SKILL.md` and `SPEC.md` files explicitly detail the skill's ability to automatically execute shell commands (e.g., `npm install`, `pip install`, `brew services start redis`, `gh search`) based on parsed error messages from logs. If an attacker can inject malicious commands into the monitored logs, these commands could be executed by the agent without sufficient sanitization, leading to arbitrary code execution. While the stated intent is benign (auto-fixing issues), the broad permissions, automatic execution of commands derived from untrusted input, and the potential need for administrator privileges make this a significant vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change dependencies, configuration, permissions, services, or source files automatically, which may break the local environment or make unintended changes.
The skill can directly apply fixes, execute commands such as package installs, and supports a no-confirmation full-auto mode.
已知错误?→ 直接应用修复 ... 简单修复:执行预设命令(如 npm install) ... require_confirmation: false # 全自动模式
Require explicit user approval before every command, file write, permission change, service start, commit, or PR; add dry-run output and restrict fixes to user-approved project paths.
The agent may perform public GitHub actions under the user's account if the GitHub CLI is authenticated.
The skill uses the user's GitHub-authenticated identity to fork, commit, and publish pull requests, while registry metadata declares no primary credential.
Fork OpenClaw 仓库 ... 创建分支并提交更改 ... 创建 Pull Request ... 自动创建 PR 需要 GitHub 认证(使用 gh auth)
Declare GitHub authentication requirements, limit repository targets, and require explicit review before pushing branches or opening PRs.
A bad or poisoned solution could be saved and reused later as an automatic repair command.
The skill stores reusable fix commands from local, community, and GitHub sources, and later workflows can apply known fixes automatically.
解决方案库 ... 修复脚本或命令 ... 来源(社区/GitHub/自研) ... 用户确认的方案加入解决方案库
Store provenance for every solution, review commands before reuse, disable automatic execution of learned fixes, and allow users to inspect and delete the solution database.
Private file paths, stack traces, or secret-like log content could be included in external searches if not filtered.
The skill sends log-derived error messages or keywords to external search providers, which is purpose-aligned but may expose sensitive error text if logs contain secrets.
GitHub Issues - 使用 GitHub API 搜索相关 issues ... 搜索关键词:错误消息 + OpenClaw
Redact tokens, paths, and private data from log-derived queries, and ask before sending detailed error content to external services.
A monitoring session may continue processing errors and proposing or applying fixes longer than the user expects.
The design includes long-running background-style monitoring, which is expected for a log monitor but needs clear stop and scope controls.
后台异步处理,不阻塞主进程
Provide clear start/stop behavior, visible runtime status, limits on automatic actions, and an easy way to disable monitoring.