Skill v6.1.0

ClawScan security

LobsterGuard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 25, 2026, 1:09 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
LobsterGuard broadly fits its stated role (local security auditor + shield) but contains behaviors and implementation details that increase risk (persistent system services, privileged auto-fixes, and unsafe shell invocation patterns that could allow command injection); review and run only in an isolated environment after code review.
Guidance
What to consider before installing LobsterGuard:

- Review the code first: inspect install.sh, scripts/fix_engine.py, scripts/check.py, and any systemd unit files to confirm exactly what will run as your user or under sudo. Pay particular attention to how arguments are passed to shell commands.
- Run in isolation: install and test the skill inside a non-privileged container or VM (the SKILL.md even contains a Docker guide). Do not install directly on a production host until you’re comfortable.
- Limit privileges: avoid giving sudo or system-wide install rights until you trust the code. Auto-fixes require sudo; prefer manual guidance for the first runs.
- Use a dedicated Telegram bot/token: the TELEGRAM_BOT_TOKEN is sensitive. Create a bot limited to receiving messages (no other integrations) and use a chat dedicated to alerts.
- Check for command-injection risk: the extension builds shell command strings from parameters (e.g., check_id, target_user). If you plan to allow autonomous invocation, ensure input is sanitized or run only in environments where those parameters are controlled.
- Confirm persistence and roll-back: the installer adds systemd services and an OpenClaw extension. Ensure you can fully remove these (and test rollback) before granting permanent installation.

If you are not comfortable auditing the code yourself, prefer running LobsterGuard only in an isolated environment and avoid granting sudo/system-wide installs until a trusted reviewer signs off.
Findings
[child_process_execSync_string_interpolation] unexpected: Multiple places (extension/dist/fix_tool.js and extension/dist/index.js) call execSync with a single shell string built from unescaped parameters (e.g., `python3 "fix_engine.py" ${args}` and `python3 "check.py"${flag}`). If user-controlled values (check_id, target_user, lang, or other args) reach these call-sites, it creates a command-injection risk. This pattern is plausible in a fix/list/execute interface exposed as a plugin tool.
[persistent_systemd_install] expected: install.sh and SKILL.md claim installation of systemd user services/timers to enable auto-scanning and quarantine watching. This is expected for continuous monitoring but contributes to persistence and should be reviewed.
[fs_watch_sensitive_paths] expected: File watcher monitors OpenClaw directories and system paths (/etc/ssh, /etc/sudoers, /etc/passwd). This is expected for integrity monitoring, but it grants the skill broad visibility into system state.

Review Dimensions

Purpose & Capability
note: Name/description (security auditor & runtime shield) align with the files and binaries requested (python3, iptables, auditctl, ufw, etc.) and the presence of check/fix/watch code. Minor mismatch: registry source was 'unknown' yet SKILL.md points to a GitHub repo; SKILL.md also advertises 'no external APIs' but explicitly uses Telegram for alerts (the skill documents this).
Instruction Scope
concern: Runtime instructions and code legitimately read system and OpenClaw configuration and can modify firewall, kernel params, systemd, and file permissions during 'auto-fix'. That is within a security auditor's remit but is high-privilege and must be gated by explicit user consent. The extension also registers a high-priority action interceptor (inspects/blocks agent commands) and a watcher that monitors /etc and other sensitive paths — this gives wide visibility into system and agent activity.
Install Mechanism
note: No formal registry install spec; SKILL.md instructs a git clone from GitHub (a common release host) and running the included install.sh which copies code into ~/.openclaw and installs systemd user services. Using a GitHub repo and an included install.sh is expected for this type of skill, but install.sh and systemd unit contents must be reviewed because they create persistent services and write files on disk.
Credentials
note: Only TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are required and the skill cites Telegram as the only external endpoint — that is proportionate for alert delivery. The skill also requests/assumes sudo for auto-fixes and will read many system files (declared in SKILL.md). The Telegram token is sensitive: use a dedicated bot/token and consider its access scope.
Persistence & Privilege
concern: Install creates systemd services/timers and an OpenClaw extension (persistent presence inside the agent). The extension registers a high-priority action hook that intercepts agent tool calls. Combined with the code-level issues below, this persistent, privileged presence increases blast radius if exploited or misused.