Skillv0.1.2

ClawScan security

Claw Seatbelt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 21, 2026, 2:54 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what it claims (detects Gateway down, restores the latest backup, restarts), but there are clear inconsistencies and missing declarations (notably no declared dependency on the openclaw CLI, the “10-second” and “only during backups” claims are not enforced), so proceed with caution and review/modify before use.
Guidance: Before installing or running this skill: (1) Review bin/watchdog.sh line-by-line — it will run openclaw CLI commands, copy your active config, overwrite openclaw.json with the latest file in ~/.openclaw/backups, and restart the Gateway. (2) Confirm you have the 'openclaw' CLI on PATH and that backups exist at ~/.openclaw/backups; the package does not declare this dependency. (3) Expect possible service disruption when the script restarts the Gateway; test in a safe environment first. (4) If you need the advertised behavior ('only during backups' and '10-second rollback'), modify the script to enforce those constraints (e.g., accept a flag, check for a lockfile created by your backup script, implement a 10s poll-and-wait loop rather than immediate rollback). (5) Make a separate copy of your backups before first use; the script will create failed-config-*.json but still overwrites openclaw.json. (6) Consider adding logging/notification and stricter error handling, and update skill.json to declare the openclaw binary requirement and correct version metadata. These inconsistencies look like sloppy packaging rather than deliberate malice, but verify behavior in a controlled test before trusting it in production.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (automatic rollback when a config change breaks the Gateway during backups) is broadly consistent with the included watchdog.sh which restores a timestamped backup and restarts the Gateway. However the skill.json and SKILL.md declare no required binaries or credentials while the script assumes the presence of an 'openclaw' CLI on PATH and a backup directory at ~/.openclaw/backups. The manifest should declare the openclaw binary dependency and the expected backup path; omission is an incoherence and could lead to runtime failures or unexpected behavior.
Instruction Scope: concernSKILL.md promises 'activating only during backup scripts' and a '10-second automatic rollback', but the script contains no enforcement of 'only during backup scripts' and does not implement a 10-second probe window (it probes immediately and then sleeps 5 seconds after restart). The script will copy the live config, overwrite it with the latest backup, and restart the Gateway — actions that are in-scope for a rollback helper but are not gated or time-limited as the prose implies. There is also an optional-not-implemented comment about notifications; no network endpoints or exfiltration appear in the code.
Install Mechanism: okNo install spec (instruction-only) — the only shipped code is a local shell script. This is low install risk because nothing is downloaded or extracted. However, running the script will execute commands on the host (openclaw gateway restart), so the user must review the script before running.
Credentials: noteNo environment variables or secrets are requested (appropriate). But the script implicitly relies on $HOME, ~/.openclaw/backups, and the 'openclaw' CLI. The manifest not declaring the required binary is a proportionality/declared-requirement gap. The script writes logs to /tmp and copies config files inside the user's home — these are expected for the stated purpose but you should ensure permissions and backups are acceptable.
Persistence & Privilege: okThe skill does not request persistent always-on inclusion and does not modify other skills or global agent config. It runs only when invoked (user-invocable) or when the agent chooses to run it; that autonomous invocation is normal. The script itself writes to the user's filesystem (backups, /tmp) which is expected for this tool but not a cross-skill privilege escalation.