Openclaw Defender
Warn
Audited by ClawScan on May 10, 2026.
Overview
Openclaw Defender is mostly a disclosed security-monitoring skill, but its runtime integration guide uses unsafe shell command construction around untrusted inputs and should be reviewed before use.
Before installing, inspect the included shell scripts, do not adopt the runtime integration examples as written, and enable cron/kill-switch behavior only if you are comfortable with a defender tool controlling workspace operations. Verify any remote update source before running update-lists.sh.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious skill or crafted input could potentially turn the defender's validation step into arbitrary local command execution if the gateway implements these examples literally.
The integration guide tells implementers to pass variable values such as URLs and skill names into a shell command string. If those values are attacker-controlled or contain shell metacharacters, adopting this pattern could allow command injection.
await exec(`~/.openclaw/workspace/skills/openclaw-defender/scripts/runtime-monitor.sh check-network "${url}" "${skillName}"`);
Do not integrate it using shell string interpolation. Use execFile/spawn with an argument array, validate inputs, and pass output to the sanitizer via stdin without shell evaluation.
The defender may continue running checks after setup and can interrupt normal OpenClaw use if the kill switch is activated.
The skill explicitly asks the user to install recurring monitoring and documents a kill switch that can stop operations. This persistence is disclosed and purpose-aligned, but it affects the whole workspace.
Enable automated monitoring: crontab -e ... */10 * * * * ...check-integrity.sh ... Kill Switch ... Blocks all operations until manual review
Enable the cron job only after reviewing the scripts, and keep clear instructions for checking and disabling the kill switch.
If the update source is wrong or compromised, the defender's allow/block decisions could be weakened or disrupted.
The skill can update security policy lists from a GitHub repository. This is user-directed and aligned with a defender tool, but remote list updates can change what is blocked or allowed.
blocklist and allowlist updates are fetched from here by `update-lists.sh` by default
Verify the repository, review diffs/backups after updates, and consider pinning updates to trusted commits or releases.
Security logs and reports may persist in the workspace and could influence later agent context or expose operational details if shared.
The analyzer writes persistent security reports into the OpenClaw memory area. This is consistent with incident response, but persistent memory content may later be read by agents.
REPORT_FILE="$WORKSPACE/memory/security-report-$(date +%Y-%m-%d).md"
Keep security reports local, review their contents, and avoid placing secrets or untrusted instructions in incident notes.
