金刚罩
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: system-guardian
Version: 1.1.0
The 'system-guardian' skill bundle provides legitimate system maintenance, configuration validation, and safe restart utilities for the OpenClaw environment. The scripts (config-guard.sh, health-patrol.sh, and safe-restart.sh) perform standard administrative tasks such as monitoring memory/disk usage, managing backups, and validating JSON syntax. The bundle includes robust error handling and rollback mechanisms for service restarts, and its instructions in SKILL.md correctly guide the AI agent to use these safety-focused scripts instead of raw commands.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Secrets kept in OpenClaw configuration may be copied into audit/snapshot files, increasing exposure if those files are shared, backed up, or readable by other local processes.
The health patrol stores a full config snapshot and writes raw config diffs to an audit log. Because the skill also supports inline secrets in openclaw.json, this can create unredacted secondary copies of API keys or credentials.
CONFIG="${OPENCLAW_DIR}/openclaw.json" ... DIFF_LINES=$(diff "${GUARDIAN_DATA}/.config-snapshot.json" "$CONFIG" 2>/dev/null | head -20) ... echo "$DIFF_LINES" >> "$AUDIT_LOG" ... cp "$CONFIG" "${GUARDIAN_DATA}/.config-snapshot.json"
Redact secret fields before logging diffs, restrict permissions on ~/.openclaw/data/system-guardian, prefer env-based secrets, or provide a clear option to disable config auditing.
The skill may create additional local copies of sensitive environment variables, provider keys, and startup configuration.
The rollback workflow backs up OpenClaw config, .env, and LaunchAgent files. This is purpose-aligned for recovery, but these files may contain credentials or privileged autostart settings.
cp "$CONFIG" "$BACKUP_FILE" ... cp "$ENV_FILE" "$ENV_BACKUP" ... PLIST_SRC="${HOME}/Library/LaunchAgents/ai.openclaw.gateway.plist" ... cp "$PLIST_SRC" "$PLIST_BACKUP"
Keep ~/.openclaw/backups protected, verify file permissions, and periodically remove old backups that may contain obsolete secrets.
Old conversations, backups, or logs may be permanently removed when health patrol runs, especially if the recommended cron is enabled.
The health check performs automatic cleanup by deleting old session transcripts, excess backups, and old logs. This is disclosed and scoped to maintenance, but it is still destructive file mutation.
find "$SESSIONS_DIR" -name "*.jsonl" -mtime +${SESSION_MAX_AGE_DAYS} -delete ... ls -1t "$BACKUP_DIR"/$pattern | tail -n "$EXCESS" | xargs rm -f ... find /tmp/openclaw -name "openclaw-*.log" -mtime +7 -delete
Run health-patrol manually first, adjust the retention constants if needed, and do not enable the cron until you are comfortable with the cleanup policy.
