ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DeadClaw

v1.0.1

Emergency kill switch for OpenClaw agents. Instantly halts all running agents, pauses scheduled jobs, kills active sessions, and logs everything — triggered...

0· 545·0 current·0 all-time
byZen Fox@kintupercy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included scripts (kill, restore, status, watchdog). However the SKILL.md claims message triggers 'work immediately with no setup' while the scripts rely on the OpenClaw CLI or Docker exec and environment configuration (workspace, whitelist, trigger source). The skill also provides phone/widget setup docs that require a Telegram bot token and chat ID (user-provided), which the registry metadata does not declare. Overall capability aligns with purpose but some operational requirements are under-specified.
!
Instruction Scope
Runtime instructions and included scripts perform high-privilege actions: killing processes, stopping Docker containers, backing up and modifying crontabs, and running docker exec openclaw commands. The SKILL.md and scripts reference environment variables and config files (DEADCLAW_*, OPENCLAW_WORKSPACE, network-whitelist.txt, OPENCLAW_PROCESS_PATTERN, DEADCLAW_TRIGGER_SOURCE) that are not declared in the registry metadata. Trigger words include common terms like 'kill' and '🔴' which are prone to accidental activation. The watchdog auto-triggers kills based on local checks — this grants the skill broad autonomous power over the host.
Install Mechanism
There is no install spec (instruction-only skill), so nothing is downloaded/executed during installation beyond the skill bundle itself. The code is provided in the skill package (shell scripts), so the attack surface is the scripts' runtime behavior rather than a remote install URL. This is lower-risk than an arbitrary download, but scripts will run on the host when invoked.
!
Credentials
Registry metadata lists no required environment variables, yet SKILL.md and the scripts read many env vars and config paths (DEADCLAW_MAX_RUNTIME_MIN, DEADCLAW_MAX_TOKENS, DEADCLAW_WHITELIST, DEADCLAW_WORKSPACE, OPENCLAW_PROCESS_PATTERN, DEADCLAW_TRIGGER_SOURCE, DEADCLAW_TRIGGER_METHOD). The phone shortcut docs instruct users to put Telegram bot tokens/chat IDs into device shortcuts (user-controlled), but the skill itself may attempt to use openclaw CLI or docker exec to send messages — which could require platform credentials or access the OpenClaw gateway. The mismatch between declared and used env/config access is a red flag.
Persistence & Privilege
always:false (good). The skill includes a long-running watchdog (scripts/watchdog.sh) that, when started, autonomously monitors and can auto-trigger kills. Autonomous invocation (disable-model-invocation:false) is platform default; combined with the watchdog's ability to self-trigger, this increases blast radius. The skill does not declare modifications to other skills' configs, but it does modify system crontabs and manage services — operations that are high-privilege and persistent while the watchdog runs.
What to consider before installing
This package appears to implement a real emergency 'kill switch', but exercise caution before installing: - Inspect the scripts (kill.sh, watchdog.sh, restore.sh, status.sh) yourself or have an admin do so. They perform destructive host actions (kill processes, stop Docker containers, modify crontab). Use --dry-run first. - The skill reads many environment variables and a network whitelist file that are not declared in the registry metadata. Configure DEADCLAW_WHITELIST, DEADCLAW_WORKSPACE, and DEADCLAW_* thresholds explicitly before starting the watchdog. - Change or restrict trigger words immediately. Words like "kill" are easy to fire accidentally. Consider requiring a less common passphrase or adding an authorization step before performing destructive actions. - The phone/home-screen shortcuts require storing a Telegram bot token/chat ID on the device — keep these secrets secure. Prefer sending triggers through a locked, private channel and limit which chat IDs can trigger the skill. - Do not start the watchdog until you’ve tested kill/restore with --dry-run and confirmed the scripts only target expected OpenClaw processes (set OPENCLAW_PROCESS_PATTERN if needed). - Because the watchdog can autonomously kill processes, consider leaving it disabled initially or run it with conservative thresholds and monitoring turned on (dry-run mode) until you trust its behavior. If you cannot audit the scripts or you need stricter guarantees, prefer a kill mechanism implemented by the platform (OpenClaw core) with built-in access controls rather than a third-party skill.

Like a lobster shell, security has layers — review code before you run it.

dockervk970mamjj08dkkk1xh4ffasgd982wh1hemergencyvk970mamjj08dkkk1xh4ffasgd982wh1hkill-switchvk970mamjj08dkkk1xh4ffasgd982wh1hlatestvk970mamjj08dkkk1xh4ffasgd982wh1hsafetyvk970mamjj08dkkk1xh4ffasgd982wh1hwatchdogvk970mamjj08dkkk1xh4ffasgd982wh1h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments