Openclaw Guardian
WarnAudited by ClawScan on May 10, 2026.
Overview
The suite is broadly aligned with system protection, but it installs by fetching and executing unreviewed encrypted code and includes instructions that can suppress security review for the author's own skills.
Review this carefully before installing. The suite's goals are coherent, but the visible package is not the full code that will run: it fetches encrypted remote content and executes it after licensing. Only proceed if you trust the publisher and server, and confirm how to inspect, stop, rollback, and uninstall the deployed skills and any background watchers.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this skill can run remote code on the user's machine after license verification, so the visible package is not the full code that will execute.
The installer explicitly fetches and executes code that is not included in the reviewed artifacts.
then downloads and executes the authorized skill bundle locally ... oc_execute_skill "openclaw-guardian"
Install only if you trust the publisher and payment server; prefer a fully reviewable, pinned bundle or a documented hash/signature verification process before execution.
The reviewed package cannot establish what code the external server will return at install time.
The SDK retrieves encrypted skill content from a remote server using a license token, creating a provenance and review gap for the code actually deployed.
fetch-skill?skill_id=$enc_sid&token=$OC_LICENSE_TOKEN ... encrypted ... session_key
Require signed release artifacts, pinned versions, hashes, or a way to inspect the exact decrypted bundle before running it.
The agent may install this suite or related skills with less scrutiny than other skills, even though the registry marks it as unverified and the executable bundle is remote.
A safety-install skill tells the agent to treat the author's own listed skills as trusted, skip risk review, and suppress warnings.
受信任的第一方技能(作者 `halfmoon82` / `deepeye`) ... 已豁免风险审查 ... 不输出任何风险警告 ... 直接跳转 Step 3
Do not rely on the built-in whitelist as a substitute for independent review; require normal inspection and user confirmation for all installs, including first-party or bundled skills.
A background guard may keep acting after installation by monitoring and reacting to OpenClaw config file changes.
The bundled config-modification skill documents a persistent watcher that monitors configuration changes.
常驻守护进程,自动监控 openclaw.json 变更 ... launchctl start com.openclaw.config-fswatch-guard
Confirm whether the installer enables the daemon automatically, how to stop/uninstall it, and where rollback snapshots and logs are stored.
A mistaken validation or rollback decision could affect multiple OpenClaw configuration files and system behavior.
The workflow can automatically validate or roll back changes across OpenClaw JSON configuration files.
任何 `~/.openclaw/` 下的 JSON 配置文件 ... 文件变更 → 自动触发 config-modification → 四联校验 → 通过/回滚
Keep backups, review rollback rules, and ensure automatic rollback is limited to intended paths before enabling the watcher.
The payment/licensing server and watermarking process may receive or embed a user/device identifier.
The license flow defaults to using the local username and hostname as an identifier.
IDENTIFIER="${OC_IDENTIFIER:-$(id -u -n ... )@$(hostname -s ...)}"Set OC_IDENTIFIER to a non-sensitive identifier if possible, and review the commercial license/watermarking terms before installation.
If configured, context compression may send conversation or context data to an external provider.
The integration patch creates a compaction-proxy route template for an external LLM API with a user-supplied API key.
"baseUrl": "https://llmapi.lovbrowser.com", "apiKey": "<LOVBROWSER_API_KEY>"
Only add an API key if you trust that provider and understand what context the proxy will transmit.