ClawHub

Claw Health

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw health and repair tool, but its repair features can change local system state without enough safeguards.

Install only if you are comfortable with a local repair tool that can restart OpenClaw services, terminate matching processes, change OpenClaw config, and remove large logs. Prefer running status and scan commands first, review backups before using --fix, and avoid leaving the dashboard server running unless you trust local browser pages and processes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if issue == "gateway_start_failed":
                try:
                    # 尝试重启 Gateway
                    subprocess.run(["pkill", "-f", "openclaw-gateway"], check=False)
                    time.sleep(2)
                    subprocess.run(
                        ["launchctl", "bootstrap", "gui/$UID",
Confidence
88% confidence
Finding
subprocess.run(["pkill", "-f", "openclaw-gateway"], check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 尝试重启 Gateway
                    subprocess.run(["pkill", "-f", "openclaw-gateway"], check=False)
                    time.sleep(2)
                    subprocess.run(
                        ["launchctl", "bootstrap", "gui/$UID", 
                         "~/Library/LaunchAgents/ai.openclaw.gateway.plist"],
                        check=False, shell=True
Confidence
98% confidence
Finding
subprocess.run( ["launchctl", "bootstrap", "gui/$UID", "~/Library/LaunchAgents/ai.openclaw.gateway.plist"],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def restart_gateway(self):
        try:
            print("       🔧 正在自动修复: 重启 Gateway...")
            subprocess.run(["pkill", "-f", "openclaw-gateway"], capture_output=True, check=False)
            time.sleep(2)
            subprocess.run(["launchctl", "start", "ai.openclaw.gateway"], capture_output=True)
            time.sleep(3)
Confidence
87% confidence
Finding
subprocess.run(["pkill", "-f", "openclaw-gateway"], capture_output=True, check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("       🔧 正在自动修复: 重启 Gateway...")
            subprocess.run(["pkill", "-f", "openclaw-gateway"], capture_output=True, check=False)
            time.sleep(2)
            subprocess.run(["launchctl", "start", "ai.openclaw.gateway"], capture_output=True)
            time.sleep(3)
            
            # 验证
Confidence
78% confidence
Finding
subprocess.run(["launchctl", "start", "ai.openclaw.gateway"], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # 1. 停止现有 Gateway
            subprocess.run(["openclaw", "gateway", "stop"], capture_output=True)
            time.sleep(2)
            fixes.append("停止现有 Gateway")
Confidence
93% confidence
Finding
subprocess.run(["openclaw", "gateway", "stop"], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
time.sleep(1)
            
            # 3. 重新启动 Gateway
            result = subprocess.run(
                ["openclaw", "gateway", "start"],
                capture_output=True, text=True
            )
Confidence
90% confidence
Finding
result = subprocess.run( ["openclaw", "gateway", "start"], capture_output=True, text=True )

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README prominently advertises a 'one-click fix' capability but does not warn that it may change system state, configuration, or running services. In a system-management skill, this can mislead users into running potentially disruptive actions without informed consent, increasing the chance of accidental damage or unsafe use.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage section directly instructs users to run `python3 clawdoctor_simple.py --fix` without any warning about side effects. Because this is an operational repair command in a health-monitoring/fixer tool, omission of safety guidance makes unintended system modifications more likely and could normalize running repair actions blindly.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises a 'one-click fix' that can automatically modify the local system, but it does not disclose what changes may be made, what permissions are required, whether changes are reversible, or what safeguards exist. In an agent-skill context, this can mislead users into executing repair actions with elevated trust and insufficient review, increasing the chance of unintended system modification or abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly promotes a 'one-click repair' capability but provides no warning about what files, services, or system settings may be modified. In an agent skill context, this can normalize unsafe execution of broad remediation actions, increasing the risk of unintended system changes or abuse if the repair routine is overly privileged or poorly scoped.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatic process termination and restart without prior user consent is risky because routine monitoring can escalate directly into destructive system changes. In this skill, benign monitoring errors or crafted local conditions could trigger repeated restart behavior, causing instability or service disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs automatic process termination and service restart without explicit confirmation, creating an unsafe autonomous control path over local services. In agent environments, this increases the risk of accidental denial of service, unexpected state changes, and harder-to-audit host modifications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The monitoring loop automatically invokes repair when the gateway is not marked running, which can terminate and restart processes without any human approval at the moment of action. In a privileged environment, a false health signal or repeated trigger can cause persistent service disruption and unintended process control.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The one-click repair routine performs service stop/start operations and iterates over processes to terminate those whose names match 'openclaw', all without warning, confirmation, or narrow targeting. This creates a denial-of-service and operational safety risk, especially if the script is run with elevated privileges or exposed through automation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The one-click fix path triggers destructive actions including terminating processes and restarting a service without any confirmation, dry-run mode, or explicit disclosure at the action boundary. In a maintenance skill, that makes accidental denial of service and disruption more likely, especially if invoked by an agent or user who expects a non-destructive health check.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This code silently modifies the user's OpenClaw configuration file after parsing it, adding keys and rewriting the file without any interactive confirmation or opt-in. In an agent skill context, hidden configuration mutation can break deployments, change behavior unexpectedly, and create difficult-to-audit state changes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The log cleanup routine deletes files over a size threshold without prior warning, confirmation, or quarantine behavior. In operational environments this can destroy forensic evidence or unexpectedly remove logs needed for troubleshooting, which is especially risky in a tool presented as a health and security assistant.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The one-click fix button directly issues a POST request to /api/fix with no user confirmation, preview of changes, or visible warning that system state may be modified. In a health-monitoring and repair dashboard, this increases the risk of accidental or unintended repair actions that could restart services, alter configuration, or otherwise affect availability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer appends PATH modifications to both ~/.zshrc and ~/.bashrc without checking for duplicates, informing the user of a persistent shell change, or asking for consent. This creates lasting environment changes that affect future shells and can unexpectedly alter command resolution behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The POST endpoints invoke potentially destructive remediation actions with no authentication, authorization, CSRF protection, or confirmation step. Because the server allows any origin via CORS and exposes localhost HTTP endpoints, local web pages or other local processes may be able to trigger repair actions unexpectedly, leading to unwanted configuration or system changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The POST /api/fix* endpoints invoke state-changing repair actions with no authentication, authorization, CSRF protection, or confirmation gate. Although the server binds to 127.0.0.1, any local process—or potentially a malicious website via permissive CORS in a browser-accessible local service—could trigger repair actions and alter system state unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal