Gateway Keepalive

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned, but it should be reviewed because it installs persistent background jobs and executes a local config file as shell code.

Install only if you want OpenClaw Gateway managed by persistent macOS LaunchAgents. Review the scripts first, keep ~/.openclaw/config/keepalive.conf writable only by you, do not place untrusted content in that file, understand that OpenClaw config can be restored from the golden backup automatically, and avoid Telegram credentials unless you need external notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (23)

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The skill markets itself as a keepalive mechanism, but the documented behavior extends into persistence setup, service installation/bootstrap, credential storage, and outbound notification traffic. This broader operational scope increases risk because users may approve it expecting passive monitoring while it actually establishes persistent background services and stores secrets locally.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script executes whatever shell code is present in `$HOME/.openclaw/config/keepalive.conf` via `source`, even though the stated purpose is only to read Telegram settings. If an attacker or another compromised local process can modify that file, arbitrary commands will run every time the health check executes, yielding code execution in the user's context on a recurring basis.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comments indicate the file is merely read for Telegram notification settings, but the implementation actually executes it as shell code. This mismatch is dangerous because reviewers or operators may treat the file as inert data and overlook the fact that editing it grants command execution during scheduled runs.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The installer solicits Telegram Bot Token and Chat ID and writes them into a persistent plaintext config file under ~/.openclaw/config. For a skill presented primarily as a keepalive/stability mechanism, collecting notification credentials expands scope and creates unnecessary secret-handling risk if file permissions are weak, backups are exposed, or logs/scripts later read the file insecurely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script creates and immediately loads two LaunchAgents, one with KeepAlive enabled and another that runs every 60 seconds, establishing persistent user-level execution. While persistence is consistent with a keepalive feature, it is still security-relevant because it modifies autorun behavior and continuously executes local scripts without explicit hardening, integrity checks, or prominent consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that recovery-history.log is permanently retained, but provides no retention warning, minimization guidance, or privacy considerations. Persistent logs can accumulate operational details, timestamps, failure causes, and possibly environment-specific information that may later be exposed to other local users, backups, or support workflows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The recovery script silently overwrites the live configuration with a backup after repeated health check failures. In this context, that can destroy recent configuration changes, revert security settings, or restore an outdated but still syntactically valid configuration, creating integrity and availability risks during automated operation.

Session Persistence

Medium
Category
Rogue Agent
Content
└── health-check-recovery.sh          # Health check script

~/Library/LaunchAgents/
├── ai.openclaw.gateway.plist         # Gateway LaunchAgent
└── com.openclaw.health-check.plist   # Health check LaunchAgent

~/.openclaw/backups/golden-config/
Confidence
92% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
~/Library/LaunchAgents/
├── ai.openclaw.gateway.plist         # Gateway LaunchAgent
└── com.openclaw.health-check.plist   # Health check LaunchAgent

~/.openclaw/backups/golden-config/
└── openclaw.json                     # Golden backup config
Confidence
92% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
echo "🔧 创建 Gateway LaunchAgent..."
USERNAME=$(whoami)

cat > ~/Library/LaunchAgents/ai.openclaw.gateway.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
Confidence
95% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
cat > ~/Library/LaunchAgents/ai.openclaw.gateway.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
Confidence
93% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
cat > ~/Library/LaunchAgents/ai.openclaw.gateway.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
Confidence
93% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
cat > ~/Library/LaunchAgents/ai.openclaw.gateway.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>ai.openclaw.gateway</string>
Confidence
92% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
<string>/Users/$USERNAME/.local/bin:/Users/$USERNAME/.npm-global/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
    </dict>
  </dict>
</plist>
EOF

# Create the health check LaunchAgent
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Create the health check LaunchAgent
echo "🔧 创建健康检测 LaunchAgent..."
cat > ~/Library/LaunchAgents/com.openclaw.health-check.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
Confidence
96% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
echo "🔧 创建健康检测 LaunchAgent..."
cat > ~/Library/LaunchAgents/com.openclaw.health-check.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
Confidence
93% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
echo "🔧 创建健康检测 LaunchAgent..."
cat > ~/Library/LaunchAgents/com.openclaw.health-check.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
Confidence
93% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
cat > ~/Library/LaunchAgents/com.openclaw.health-check.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.openclaw.health-check</string>
Confidence
92% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
<string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
    </dict>
</dict>
</plist>
EOF

# Load the LaunchAgents
Confidence
90% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
echo "🚀 加载 LaunchAgents..."

# Stop the old services (if they exist)
launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/ai.openclaw.gateway.plist 2>/dev/null || true
launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.openclaw.health-check.plist 2>/dev/null || true

# Load the new services
Confidence
97% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Stop the old services (if they exist)
launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/ai.openclaw.gateway.plist 2>/dev/null || true
launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.openclaw.health-check.plist 2>/dev/null || true

# Load the new services
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/ai.openclaw.gateway.plist
Confidence
96% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.openclaw.health-check.plist 2>/dev/null || true

# Load the new services
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/ai.openclaw.gateway.plist
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.openclaw.health-check.plist

echo ""
Confidence
96% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Load the new services
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/ai.openclaw.gateway.plist
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.openclaw.health-check.plist

echo ""
echo "✅ 安装完成!"
Confidence
88% confidence
Finding
plist

VirusTotal

65/65 vendors flagged this skill as clean.
