Fortress Agent Suite
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a disclosed high-privilege maintenance suite, but it can keep root-level background jobs running, change OpenClaw/workspace state, and install other skills without per-action review.
Install only on a dedicated environment you fully control. Before enabling it, review or disable self_improver.py, remove any self-recreating cron behavior you do not want, back up your OpenClaw config, verify that secrets are not copied into backups, and run the scripts with the least privilege possible.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Parts of the suite may continue running in the background and changing system state after initial setup unless the user fully removes the cron/watchdog behavior.
A watchdog script can re-add maintenance cron jobs if they are missing, which creates persistent autonomous behavior under the root OpenClaw environment.
if r not in cron: os.system(f"crontab -l | ... echo '*/30 * * * * /root/.openclaw/.venv/bin/python /root/.openclaw/scripts/self-healing/{r}' ... | crontab -")
Require explicit opt-in for each cron job, provide a clear uninstall/disable path, and avoid self-recreating scheduled tasks without user confirmation.
Unwanted, broken, or sensitive workspace changes could be committed automatically and then treated as the preserved state.
The watchdog auto-adds and commits all workspace changes with no file exclusions or per-change approval.
os.system(f"git -C {WORKSPACE} add . && git -C {WORKSPACE} commit -m 'Auto-backup: ...'")
Limit Git operations to specific safe paths, add exclusions for secrets, and require review before committing or restoring production workspace changes.
A production agent could gain new third-party skills or behavior changes without the user reviewing the installed package contents.
The self-improver can fetch candidate skills from a remote registry, check only readme/description text, and install them automatically; the default candidate is persona-oriented rather than maintenance-oriented.
DEFAULT_CANDIDATES = [{"slug": "soul-framework", "reason": "strengthen persona and identity coherence"}] ... safe, note = scan_content(skill.get('readme', skill.get('description', ''))) ... success, _ = install_skill(slug)
Disable automatic skill installation by default, require human review of full package contents and provenance, and keep candidate lists explicit and signed or otherwise trusted.
If the candidates file is modified or poisoned, running this script with the suite's intended privileges could execute unintended shell commands.
The skill slug is loaded from a candidates file and interpolated into a shell command without validation or argument escaping.
slug = entry.get('slug') ... result = os.popen(f"openclaw skills install {slug} 2>&1").read()
Validate slugs against a strict allowlist pattern and use subprocess with an argument list instead of shell interpolation.
Provider credentials and root OpenClaw configuration may be changed or duplicated in ways the registry metadata does not make clear.
The model manager reads a local OpenRouter token and writes it into the root OpenClaw config, but the registry metadata declares no credentials or required config paths.
token_file = SECRET_DIR / 'openrouter.token' ... key = token_file.read_text().strip() ... "apiKey": api_key ... CONFIG.write_text(...)
Declare credential/config requirements, document exactly where secrets are read and stored, and avoid copying provider API keys into broad backup or workspace locations.
Future agent behavior could be influenced by persistent notes written by this automation.
The self-improver writes installation events and candidate-provided reasons into a persistent MEMORY.md file that may be reused by future agent sessions.
MEMORY_FILE = WORKSPACE / 'MEMORY.md' ... append_memory(f"Installed skill {slug} because {reason} (stars={stars})")
Keep self-improver logs separate from agent memory, sanitize any candidate-provided text, and mark such entries as non-authoritative audit records.
