openclaw-monitor
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-monitor Version: 1.0.0 The skill is classified as suspicious due to a critical arbitrary file read/write (AFR/AFW) vulnerability. The `monitor backup [--output path]` and `monitor restore <file>` commands, implemented in `src/backup.js` and exposed via `src/cli.js` and `SKILL.md`, directly use user-provided paths without sanitization. This allows an attacker, potentially via prompt injection against the AI agent, to read from or write to arbitrary file locations on the system, leading to data exfiltration, data corruption, or denial of service. While the functionality is intended for backup/restore, the lack of path validation creates a high-risk attack surface.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A failed task message containing paths, account names, internal system details, or secrets could be saved into a report that other skills or agents may treat as shareable.
The shareable ops health report can persist recent task command names and error messages into interchange/monitoring/ops/health.md. Error text may contain sensitive operational details, and this conflicts with the stated ops/state separation.
ops/ files contain ZERO actual costs, token counts, or user data ... status.recent_errors.map(e => `- ${e.command}: ${e.error || 'unknown error'}`)Keep ops/health.md to high-level indicators only, move command/error details to the private state reports, and redact or require opt-in before writing error messages to interchange files.
If the local sibling interchange module is missing, outdated, or tampered with, report generation could fail or behave differently from what this skill’s artifacts show.
The refresh path depends on a sibling module outside the provided skill manifest and package.json dependencies. This appears purpose-aligned for OpenClaw interchange generation, but it means refresh executes code not reviewed in this artifact set.
import { writeMd } from '../../interchange/src/index.js';Use a declared, pinned package or include the helper in the reviewed artifact set, and verify the local OpenClaw interchange module before running refresh.
A mistaken restore could overwrite the local monitoring history used for reports.
The restore command explicitly copies a selected backup over the monitoring database. This is a disclosed backup/restore feature, but it is a persistent data mutation without an in-code confirmation step.
const dest = dbPath || DEFAULT_DB_PATH; ... fs.copyFileSync(backupPath, dest);
Only run restore after confirming the backup file and keep a current backup before replacing the monitoring database.