Openclaw Sys Guardian V4.1 Resurrection
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-sys-guardian-v4-1-resurrection Version: 4.1.7 The skill bundle implements a 'SysGuardian' with high-privilege system management capabilities, including process termination (kill -9), system-wide software re-installation (pnpm uninstall/install -g), and the handling of sensitive credential files (auth-profiles.json) in scripts like lobster-resurrect.sh and lobster-snapshot.sh. While these actions are consistent with the stated purpose of high availability and disaster recovery, the scripts contain hardcoded local paths (/Users/maxleolee/) and perform destructive operations that could lead to data loss or environment instability if triggered improperly. No evidence of remote data exfiltration was found, but the broad system control and access to authentication tokens warrant a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A background process may continue monitoring and changing the local OpenClaw environment after the immediate task is over.
The skill is explicitly designed to keep operating outside a single user request. Persistence is purpose-aligned for a guardian, but the artifacts do not provide a complete install spec or clear containment for the background service.
Once installed, the guardian runs as a persistent service background process (LaunchAgent on macOS).
Require explicit opt-in before enabling persistence, provide a visible status and disable control, and ship a reviewed LaunchAgent/install/uninstall specification.
The skill can interrupt running work, change configuration or permissions, and remove session state automatically.
The guardian can force-kill whichever process owns the gateway port. The same script also automatically runs openclaw doctor --fix, security audit --fix, session cleanup, and gateway restart commands from its maintenance and recovery loop.
lsof -ti:18789 | xargs kill -9 2>/dev/null
Add dry-run modes, explicit user confirmation for disruptive actions, strict process allowlisting, and pre-action backups before any automatic fix, cleanup, or kill operation.
Account or session profile material may be duplicated into backups and later restored, increasing exposure if the backup vault is readable, stale, or moved.
The snapshot script copies a local auth-profile file into the backup vault, while registry metadata declares no primary credential or required credential handling.
[ -f "$HOME/.openclaw/agents/main/agent/auth-profiles.json" ] && cp "$HOME/.openclaw/agents/main/agent/auth-profiles.json" "${BACKUP_ROOT}/${TIMESTAMP}/"Declare credential/profile handling clearly, make auth-profile backup opt-in, encrypt or permission-lock the vault, and exclude credentials by default unless the user explicitly approves.
A stale, incomplete, or wrong mirror could delete or roll back local workspace data and propagate bad state into future OpenClaw runs.
The ultimate restore script overwrites the workspace from a mirror and deletes target files not present in the source. The source and target are hard-coded to a specific user's paths.
rsync -av --delete "$SOURCE" "$TARGET"
Default to dry-run restore, remove --delete unless separately confirmed, let the user choose paths, validate checksums, and create a pre-restore backup.
Recovery could install a changed, incompatible, or compromised package version that was not part of the reviewed artifact set.
The resurrection flow force-removes OpenClaw and then pulls the latest global package at recovery time, without pinning a reviewed version or declaring package provenance.
pnpm install -g openclaw@latest
Pin exact package versions, verify checksums or signatures, document the trusted source, and avoid global reinstall as the default recovery path.
Stale or poisoned workspace instructions could steer future agent behavior, and task memory could be reused beyond the user's immediate intent.
The design describes force-injecting stored AGENTS.md rules into the agent context and reading MEMORY.md during alignment. That makes persistent local instructions and memory influential across tasks.
强制将 T1 (AGENTS.md) 规则注入 Agent 当前 Context 顶端 ... 读取当前的 `MEMORY.md`
Treat AGENTS.md and MEMORY.md as untrusted context, ask the user before reusing them, validate provenance, and avoid forced top-of-context injection.