Back to skill

Security audit

OpenClaw Guardian by MyClaw.ai

Security checks across malware telemetry and agentic risk

Overview

This watchdog is disclosed and purpose-aligned, but it can keep running and automatically change, reset, and restart an OpenClaw workspace without per-action approval.

Install only if you intentionally want an unattended recovery daemon with authority to modify, commit, hard-reset, and restart the configured OpenClaw workspace. Use a dedicated git-backed workspace, set GUARDIAN_WORKSPACE explicitly, keep backups or stash important changes, test recovery behavior before production use, and leave DISCORD_WEBHOOK_URL unset unless external status notifications are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents shell-capable behavior such as process management, git operations, and background execution, yet it declares no permissions or equivalent trust boundary information. This is dangerous because users and orchestration systems may treat the skill as low-risk while it can modify workspace state and persist processes on the host.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The suggested invocation phrase, "Help me install openclaw-guardian to harden my gateway," is broad natural language that could overlap with ordinary support requests and trigger installation of a persistent watchdog. In context, the skill performs autonomous repair, rollback, and background execution, so accidental invocation could lead to meaningful system changes without sufficiently explicit consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill advertises automatic `openclaw doctor --fix`, `git reset --hard`, restart behavior, and daily commits without a prominent warning that these actions can overwrite uncommitted work or alter repository history/state. In this context the behavior is core to the skill, which makes the missing warning more dangerous because destructive recovery is normalized as routine maintenance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Discord webhook feature sends system status to a third party, but the documentation does not clearly warn about what metadata may leave the host or the privacy implications of using an external webhook. This can expose operational details, failure states, hostnames, paths, or other sensitive status information to an external service without informed consent.

Session Persistence

Medium
Category
Rogue Agent
Content
chmod +x ~/.openclaw/guardian.sh

# 3. Start
nohup ~/.openclaw/guardian.sh >> /tmp/openclaw-guardian.log 2>&1 &
```

Note: Use repository-level git config, not --global:
Confidence
95% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
Add to `~/.openclaw/start-gateway.sh` before the final `exec` line:
```bash
pkill -f "guardian.sh" 2>/dev/null || true
nohup /home/ubuntu/.openclaw/guardian.sh >> /tmp/openclaw-guardian.log 2>&1 &
```

Full docs: https://github.com/LeoYeAI/openclaw-guardian
Confidence
97% confidence
Finding
nohup

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- Checks Gateway health every 30 seconds (`GUARDIAN_CHECK_INTERVAL`, default: 30)
- On failure: runs `openclaw doctor --fix` up to 3 times (`GUARDIAN_MAX_REPAIR`, default: 3)
- If still down: `git reset --hard` to last stable commit, restart Gateway
- Daily automatic `git commit` snapshot of workspace
- Optional Discord webhook alerts (`DISCORD_WEBHOOK_URL`)
Confidence
99% confidence
Finding
git reset --hard

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.