Clawdoctor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

ClawDoctor appears purpose-built for OpenClaw monitoring, but it deserves review because it can automatically change OpenClaw state and its Telegram approval flow is not clearly restricted to an authorized user.

Install only if you want a long-running OpenClaw monitor that may take repair actions. Start with dry-run mode, use a private dedicated Telegram bot/chat, review enabled healers and retention settings, and protect the `~/.clawdoctor` directory.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If auto-fix is enabled and the daemon is running, ClawDoctor may change or interrupt OpenClaw activity rather than only observing it.

Why it was flagged

The documented healers can take mutating OpenClaw actions such as killing sessions and refreshing auth. These actions are purpose-aligned, but they are high-impact, and the boundary between actions taken automatically and actions that require approval is not fully specified.

Skill content
| **SessionHealer** | Session stuck >2h | Kills session; alerts first if cost >$10 | ... | **AuthHealer** | Auth failures detected | Attempts `openclaw auth refresh`; alerts if fails |
Recommendation

Run in `--dry-run` mode first, review `~/.clawdoctor/config.json`, enable only the healers you want, and run it as the least-privileged user that can manage your OpenClaw instance.

What this means

Anyone with access to the approval chat or its buttons could approve a pending repair action that changes the local OpenClaw environment.

Why it was flagged

The provided callback handling code executes a stored handler based on Telegram `callback_data`; the visible code parses only callback id/data and does not show a chat/user authorization check before running the handler.

Skill content
const cbq = update.callback_query; ... const pending = this.pendingCallbacks.get(cbq.data); ... pending.handler().catch(err => {
Recommendation

Use a private dedicated Telegram bot/chat, avoid enabling callback approvals unless needed, and require callback chat/user validation plus unguessable per-action nonces before executing handlers.

What this means

Telegram bot tokens, chat IDs, and license keys may be stored on the machine and used to contact external services.

Why it was flagged

The skill asks for Telegram and license-related secrets and stores its configuration locally. This is expected for alerts and licensing, but users should be aware of how these credentials are stored and used.

Skill content
# Interactive setup (Telegram bot token, chat ID, plan key) ... Config stored at `~/.clawdoctor/config.json`
Recommendation

Use a dedicated Telegram bot token, protect `~/.clawdoctor`, and revoke or rotate tokens if the machine or config file is exposed.

What this means

Local event history can contain information about sessions, failures, costs, and host activity.

Why it was flagged

The tool reads OpenClaw session-related data and persists event history locally. This is expected for monitoring but may retain operational details.

Skill content
| **SessionWatcher** | Agent sessions for errors, aborts, stuck sessions | ... Events stored in `~/.clawdoctor/events.db`
Recommendation

Review retention settings, keep the `~/.clawdoctor` directory private, and avoid forwarding sensitive session details through alerts unless that exposure is acceptable to you.

What this means

ClawDoctor can continue monitoring and acting after setup until stopped or disabled.

Why it was flagged

The long-running daemon and optional systemd service are disclosed and user-directed, so this is not hidden persistence, but it is persistent background behavior.

Skill content
clawdoctor start             # Start monitoring daemon ... clawdoctor install-service   # Install as systemd user service
Recommendation

Use `clawdoctor stop` or disable the systemd user service when you no longer want continuous monitoring.

What this means

Installing the package may run dependency installation/build code on the local machine.

Why it was flagged

The npm install includes a dependency with an install script, which is common for native SQLite packages but increases supply-chain exposure during installation.

Skill content
"node_modules/better-sqlite3": { ... "hasInstallScript": true
Recommendation

Install from the expected npm package, verify the repository/package provenance, and avoid installing with elevated privileges unless necessary.