Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fortress Agent Suite

v1.0.0

Fortress Agent Suite provides self-healing, health monitoring, automated maintenance, and LLM model management for OpenClaw agents in production.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (self-healing, health monitoring, model manager) aligns with many of the scripts. However the code assumes full access to /root/.openclaw, can restart the gateway, echo into /proc, modify crontab and git commit the workspace, and auto-install other skills. The SKILL.md and README omit that root/system-level privilege and autonomous installation capability. Those capabilities are disproportionate to what the prose advertises without explicit warning.
Instruction Scope
SKILL.md instructs only to download, make scripts executable, and add crontab. It does not disclose that the scripts will: edit /root/.openclaw/openclaw.json, restart gateways, edit crontab automatically (workspace_watchdog), perform automatic git commits, drop page cache (/proc/sys/vm/drop_caches), send Telegram messages using a local token file, or fetch and auto-install arbitrary skills from an external API. The self_improver's automatic 'openclaw skills install' grants the suite broad network-driven authority beyond its stated install steps.
Install Mechanism
No install spec (instruction-only plus code) — user must place files and create cron entries. The code itself reaches out to external services (clawhub.ai and GitHub API) and invokes the platform installer ('openclaw skills install'), which will pull and execute external code. That runtime code-fetching behavior is high-risk and not called out in SKILL.md.
Credentials
Registry metadata declares no required env vars or config paths, but the scripts expect and read files under /root/.openclaw (openclaw.json, /root/.openclaw/secrets/openrouter.token, /root/.openclaw/telegram_config, logs, workspace). They also assume binaries/tools (openclaw, git, crontab) and root privileges for some actions. The mismatch between declared requirements and actual file/credential access is a serious omission.
Persistence & Privilege
The suite installs cron jobs (crontab_template.txt) and workspace_watchdog will proactively re-add missing cron entries, making the behavior persistent. It edits agent config and restarts services, and self_improver can autonomously install new skills — a form of persistent, network-driven privilege. While 'always' is false, the cron-driven persistence plus self-modifying behavior increases blast radius.
Scan Findings in Context
[os.system-exec] unexpected: Multiple uses of os.system and shell invocation (e.g., gateway restart, git commits, adding to crontab, curl commands). Some are plausible for maintenance (restart/cleanup), but shell execution increases risk particularly where input is not strictly controlled.
[network-fetch-skill-api] unexpected: self_improver fetches skill metadata from https://clawhub.ai/api/skills/{slug} and then runs 'openclaw skills install'. Automatic remote fetching and installation of skills is not disclosed in SKILL.md and allows arbitrary remote code to be introduced.
[write-root-config] expected: Scripts read/write /root/.openclaw/openclaw.json and backup/restore it — that is consistent with a self-healing agent manager, but should have been declared in installation instructions and require root privileges.
[modify-crontab] unexpected: workspace_watchdog modifies the system crontab to ensure jobs exist. The SKILL.md told the user to add cron entries, but did not disclose that the scripts will also edit crontab automatically.
[system-cache-drop] unexpected: system_watchdog writes '3' to /proc/sys/vm/drop_caches via shell — requires root and can affect system state. This is an invasive operation and wasn't called out in the README/INSTALL.
What to consider before installing
This package contains useful maintenance scripts but also performs invasive, system-level actions and can autonomously install other skills from the network. Before installing: (1) do not run as root until you audit the code; run in a sandboxed/test instance first; (2) inspect and, if needed, remove or disable scripts you don't trust (especially self_improver.py and workspace_watchdog.py); (3) review and harden the crontab entries and CANDIDATES list so no unwanted skills are auto-installed; (4) back up /root/.openclaw before allowing any restore/backup script to run; (5) if you need notifications, create and control /root/.openclaw/telegram_config yourself (do not reuse shared tokens); (6) prefer manual installation of models/skills rather than allowing automatic remote installs — or add allowlists to the installer. If you want to proceed safely, require explicit human approval before running self_improver and avoid giving these scripts root privileges on production hosts.

Like a lobster shell, security has layers — review code before you run it.
