Openclaw Sys Guardian V4.1 Resurrection

Warn. Audited by ClawScan on May 10, 2026.

Overview

This is a real OpenClaw recovery guardian, but it can run persistently, force-restart or reinstall OpenClaw, delete or restore workspace data, and copy auth profiles, so it needs careful review before use.

Install only if you intentionally want a local HA daemon that can modify OpenClaw automatically. Before running it, review every script, adjust hard-coded paths, make a separate backup, pin package versions, decide whether auth profiles should be copied, and confirm you can disable the LaunchAgent/guardian safely.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A background process may continue monitoring and changing the local OpenClaw environment after the immediate task is over.

Why it was flagged

The skill is explicitly designed to keep operating outside a single user request. Persistence is purpose-aligned for a guardian, but the artifacts do not provide a complete install spec or clear containment for the background service.

Skill content

Once installed, the guardian runs as a persistent service background process (LaunchAgent on macOS).

Recommendation

Require explicit opt-in before enabling persistence, provide a visible status and disable control, and ship a reviewed LaunchAgent/install/uninstall specification.

What this means

The skill can interrupt running work, change configuration or permissions, and remove session state automatically.

Why it was flagged

The guardian can force-kill whichever process owns the gateway port. The same script also automatically runs openclaw doctor --fix, security audit --fix, session cleanup, and gateway restart commands from its maintenance and recovery loop.

Skill content

lsof -ti:18789 | xargs kill -9 2>/dev/null

Recommendation

Add dry-run modes, explicit user confirmation for disruptive actions, strict process allowlisting, and pre-action backups before any automatic fix, cleanup, or kill operation.

What this means

Account or session profile material may be duplicated into backups and later restored, increasing exposure if the backup vault is readable, stale, or moved.

Why it was flagged

The snapshot script copies a local auth-profile file into the backup vault, while registry metadata declares no primary credential or required credential handling.

Skill content

[ -f "$HOME/.openclaw/agents/main/agent/auth-profiles.json" ] && cp "$HOME/.openclaw/agents/main/agent/auth-profiles.json" "${BACKUP_ROOT}/${TIMESTAMP}/"

Recommendation

Declare credential/profile handling clearly, make auth-profile backup opt-in, encrypt or permission-lock the vault, and exclude credentials by default unless the user explicitly approves.

What this means

A stale, incomplete, or wrong mirror could delete or roll back local workspace data and propagate bad state into future OpenClaw runs.

Why it was flagged

The ultimate restore script overwrites the workspace from a mirror and deletes target files not present in the source. The source and target are hard-coded to a specific user's paths.

Skill content

rsync -av --delete "$SOURCE" "$TARGET"

Recommendation

Default to dry-run restore, remove --delete unless separately confirmed, let the user choose paths, validate checksums, and create a pre-restore backup.

What this means

Recovery could install a changed, incompatible, or compromised package version that was not part of the reviewed artifact set.

Why it was flagged

The resurrection flow force-removes OpenClaw and then pulls the latest global package at recovery time, without pinning a reviewed version or declaring package provenance.

Skill content

pnpm install -g openclaw@latest

Recommendation

Pin exact package versions, verify checksums or signatures, document the trusted source, and avoid global reinstall as the default recovery path.

What this means

Stale or poisoned workspace instructions could steer future agent behavior, and task memory could be reused beyond the user's immediate intent.

Why it was flagged

The design describes force-injecting stored AGENTS.md rules into the agent context and reading MEMORY.md during alignment. That makes persistent local instructions and memory influential across tasks.

Skill content

Force-inject the T1 (AGENTS.md) rules at the top of the Agent's current Context ... read the current `MEMORY.md`

Recommendation

Treat AGENTS.md and MEMORY.md as untrusted context, ask the user before reusing them, validate provenance, and avoid forced top-of-context injection.