OpenClaw macOS Always-On
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: openclaw-macos-always-on
Version: 1.0.1

The skill is designed to install OpenClaw as a macOS LaunchDaemon for 24/7 operation, which requires system-level persistence and `sudo` privileges. While its stated purpose is legitimate, it is classified as suspicious due to several high-risk behaviors: it installs a system-wide service (`/Library/LaunchDaemons/ai.openclaw.gateway.plist`), uses `sudo` for installation, and embeds the `OPENCLAW_GATEWAY_TOKEN` (a sensitive credential) directly into the plist file. Although the `SKILL.md` documentation transparently discusses these security considerations and the service runs as the user (not root), the direct handling of a sensitive token in a file and the establishment of system-level persistence represent significant vulnerabilities if the system is compromised, even without clear evidence of malicious intent for self-exploitation or exfiltration to external parties.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Another local user or process that can read the LaunchDaemon plist may recover the OpenClaw gateway token and potentially access or control the OpenClaw gateway.
The installer reads a local OpenClaw gateway auth token and writes it into the LaunchDaemon plist, then installs that plist with mode 644, making the token part of a broadly readable system configuration.
GATEWAY_TOKEN=$(openclaw config get gateway.auth.token 2>/dev/null | tr -d '"' || echo "") ... <key>OPENCLAW_GATEWAY_TOKEN</key> <string>$GATEWAY_TOKEN</string> ... sudo chmod 644 "$PLIST_PATH"
Avoid storing long-lived gateway tokens in world-readable plist files. Use a protected per-user config file, macOS Keychain, or a launchd mechanism that does not expose the token, and clearly document what credential is used.
If the remote repository or branch changes, the command could run code different from the reviewed package while still asking for privileged installation access.
The documented quick install executes a live script from the master branch rather than a pinned, reviewed artifact, and the setup requires sudo for system-level installation.
curl -fsSL https://raw.githubusercontent.com/happydog-intj/openclaw-macos-always-on/master/install.sh | bash ... **Admin access** (sudo required for installation)
Do not use curl-to-bash for this installer unless you first inspect the downloaded script. Prefer the bundled install.sh, a pinned commit or release, and a published checksum.
OpenClaw can continue receiving and processing bot messages while the Mac is locked, logged out, or unattended, and the machine may not sleep normally.
The skill intentionally creates persistent unattended agent operation and prevents system sleep, which is purpose-aligned but materially changes when OpenClaw can act.
After (LaunchDaemon + caffeinate): Screen locked ✅ Runs indefinitely ... User logged out ✅ Continues running ... Boot startup At system boot ... Sleep prevention `caffeinate -s`
Install only on a trusted always-on Mac, keep the bot’s permissions limited, monitor logs, and use the provided uninstall/stop commands when 24/7 operation is no longer needed.
