Back to skill

Security audit

OpenClaw Watchdog Li

Security checks across malware telemetry and agentic risk

Overview

This watchdog mostly matches its stated OpenClaw recovery purpose, but it can automatically make persistent proxy changes that affect the wider host.

Install only if you are comfortable with a background watchdog restarting OpenClaw Gateway and changing host proxy configuration. In managed, corporate, or proxy-dependent environments, review or remove the disable_proxy routine first, especially the /etc/profile.d move, systemd environment clearing, and ~/.bashrc edit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a watchdog for process, channel, and network health, but the documented behavior includes disabling system proxy settings by altering shell and systemd user environment configuration. That is a materially different and invasive action that can affect unrelated applications, break enterprise networking policy, and hide the true cause of connectivity issues from operators. In this context, the mismatch makes the skill more dangerous because users may deploy it expecting monitoring/restart behavior, not system-wide network reconfiguration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The watchdog goes beyond monitoring and restart duties by modifying host proxy configuration under /etc/profile.d, user shell startup files, and user systemd environment. Those are persistent, host-wide or session-wide changes that can alter unrelated software behavior and network routing, increasing the blast radius well beyond the stated purpose of recovering OpenClaw Gateway.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script performs host-level configuration changes, including moving files in /etc and editing ~/.bashrc, despite being described as a watchdog. In a security context, this is dangerous because an operator may deploy it expecting low-risk health checks, while it silently mutates persistent system state and can disrupt other applications or future user sessions.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The comment says the function disables proxy when the network is abnormal, but the implementation also persistently edits shell initialization and system profile state. This mismatch is risky because it conceals the true scope of system modification, making review, approval, and incident response harder.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation does not prominently warn that the skill may automatically disable the system proxy during network anomalies. Automatic proxy removal can disrupt unrelated traffic, bypass expected security controls, and create hard-to-diagnose outages, especially in managed or corporate environments. The watchdog context does not justify changing global network settings without clear warning and consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill description mentions recovery, but it does not clearly emphasize that the watchdog will autonomously restart the Gateway when faults are detected. Unannounced automatic restarts can interrupt active sessions, mask underlying failures, and in this specific Gateway/channel context may worsen rate-limits or service bans noted elsewhere in the document. This is primarily a safety and operational transparency issue rather than overtly malicious behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script disables proxy settings and edits user/system configuration automatically with no interactive confirmation or explicit runtime consent. Because this skill runs as a watchdog, those actions may be triggered repeatedly and unexpectedly, causing loss of connectivity, policy bypass, or broken developer environments without operator awareness.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.