Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Keepalive
v1.0.0
Keep OpenClaw gateway running 24/7 on a laptop or workstation. Use when: (1) user reports gateway disconnects or crashes, (2) user asks how to make OpenClaw...
by @lgy2020
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the actions you'd expect to keep a gateway alive (registering services, power settings, healthchecks). However the registry metadata declares no required binaries or credentials while the instructions clearly require an 'openclaw' CLI and administrative tools (sudo, systemctl, schtasks/powershell, pmset, powercfg, npm, nssm). This mismatch (declared requirements: none vs actual commands: many) is a material incoherence.
Instruction Scope
Instructions stay on-topic (service registration, auto-restart, healthchecks, preventing sleep). They do, however, recommend system-wide and potentially disruptive changes (masking suspend targets, globally disabling sleep, altering power plans) and run privileged commands. The doc also instructs installing packages from npm (pm2) and using `openclaw gateway install` — the latter is opaque and could execute arbitrary privileged operations; the skill does not provide verification steps or show what that install command does.
Install Mechanism
There is no install spec (instruction-only), which is lower risk from the registry side. But the instructions ask users to run npm install -g pm2 (pulls remote code) and to run an unverified 'openclaw' CLI install command. Because there is no homepage, source repo, or checksums, the guidance to install or run global packages raises trust questions even though the mechanism itself is common.
Credentials
The skill does not request credentials or environment variables and the actions described do not require service tokens. No disproportionate secret or unrelated credential access is declared or implied.
Persistence & Privilege
The skill advises creating system services and changing OS-level power settings which require elevated privileges — appropriate for the task but high‑impact. Because the skill lacks provenance and the primary action (`openclaw gateway install`) is not auditable here, granting those privileges before verification could be risky.
What to consider before installing
This skill's instructions are coherent for keeping a local gateway running, but there are two red flags: (1) the README assumes and runs an 'openclaw' CLI and several admin-level OS commands while the registry metadata lists no required binaries or source, and (2) there's no homepage or repository to inspect what 'openclaw gateway install' actually does. Before running anything: (a) obtain the openclaw binary from an official, verifiable source (homepage or repo) and inspect its install script or run it in a sandbox/VM, (b) avoid running opaque install commands with sudo until you can review them, (c) prefer non-global installs (avoid npm -g) or pin package versions and review packages, (d) back up system settings before changing power/sleep configuration, and (e) consider using an isolated machine or container if you must test these instructions. If the publisher can provide a source repository, release checksums, or documentation showing exactly what 'openclaw gateway install' does, that information would raise confidence and could change the assessment to benign.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dy4z2g7k0d1hpt25630y60d836vsk
