ClawHub

Gateway Watchdog Discord

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate gateway watchdog, but it can modify OpenClaw configuration and restart services automatically despite documentation describing default operation as read-only.

Install only if you are comfortable with a background watchdog that can post gateway incident details to Discord and may repair or restart OpenClaw automatically. Before scheduling it, explicitly set GW_WATCHDOG_AUTO_HEAL_ON_ALERT=0 and GW_WATCHDOG_AUTO_ROLLBACK_ON_CONFIG_INVALID=0 unless you want automatic config rollback, doctor --fix, and gateway restart behavior; protect config.env and Discord tokens as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises shell execution, environment access, and file read/write behavior in the documentation, but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or hosting systems may treat the skill as lower risk than it actually is, while the skill can install persistence, read secrets from environment variables, and write state or launchd artifacts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The watchdog is not limited to monitoring: it can restore `openclaw.json.good` over the active `openclaw.json`, changing live service configuration. That is security-relevant because a monitoring script gains write authority over operational state and can silently alter recovery behavior beyond what users would expect from health checking.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script automatically promotes the current config to the long-term baseline after two healthy checks, which permanently changes future rollback behavior. This expands the blast radius of any bad or attacker-induced config drift because the altered config can become the new trusted recovery point without human review.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
On critical alerts, the script can automatically overwrite the active config, run `openclaw doctor --fix`, restart the gateway, and query status, all without an interactive confirmation. This is dangerous because a monitoring path becomes an autonomous repair path capable of disruptive or unsafe state changes, potentially compounding an incident or masking tampering.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends alert content to Discord via webhook or bot API, exporting operational status, outage duration, failure reasons, and auto-heal summaries to a third party. Even if intended for alerting, this is an external data egress path that can leak sensitive infrastructure details and configuration-change summaries if the webhook/channel is misconfigured or compromised.

Session Persistence

Medium
Category
Rogue Agent
Content
- `scripts/gateway-watchdog.sh` - health checks + state machine + Discord notification.
- `scripts/install-launchd.sh` - installs a user LaunchAgent from template.
- `references/com.openclaw.gateway-watchdog.plist.template` - launchd template.
- `references/cron-agent-turn.md` - isolated cron prompt template.

## Health checks
Confidence
84% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal