Event-Watcher
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed Redis/webhook event could try to influence the agent if its contents are included in the wake message.
The skill intentionally places external event payloads into prompts sent to an agent. It includes a prompt-injection mitigation, but disabling it would increase risk.
Event payloads are untrusted. By default, the watcher adds a safety header (source + “do not follow instructions”). You can disable this via `wake.add_source_preamble: false` only if the source is fully trusted.
Keep the source preamble enabled, filter event sources tightly, and avoid including raw untrusted payload fields in powerful agent instructions.
Once running, matching events can cause the agent to act or post without a separate confirmation for each event.
The watcher invokes the OpenClaw CLI to wake an agent and can deliver the resulting message to a configured channel/target. This is central to the skill, but it is an automated action path.
cmd = ["openclaw", "agent", "--session-id", session_id, "--message", message, "--timeout", str(timeout)] ... cmd.append("--deliver")Use narrow filters, rate limits, and explicit reply targets; test with non-sensitive channels before enabling continuous delivery.
The skill can use existing local session routing state to send event-triggered messages into an OpenClaw session.
By default, the watcher can read local OpenClaw session store files to resolve the latest session for a configured reply channel/target.
os.path.join(home, ".openclaw", "sessions", "sessions.json") ... os.path.join(agents_dir, agent, "sessions", "sessions.json")
If you do not want local session store lookup, set `wake.disable_session_store_lookup: true` or configure an explicit `wake.session_id`/`wake.session_key`.
Sensitive event contents may remain on disk in local logs or dead-letter files after processing failures.
Failed deliveries are persisted to a local dead-letter JSONL file with the full event payload.
entry = { ... "payload": event, } ... with open(DEAD_LETTER, "a") as f: f.write(json.dumps(entry) + "\n")Store logs in a protected directory, rotate or delete dead-letter files, and avoid sending highly sensitive payloads unless needed.
The watcher may keep processing events and waking the agent until stopped.
The documented operating mode is a user-started long-running background watcher. There is no evidence of hidden persistence, but users should remember it continues running.
nohup python3 {baseDir}/scripts/watcher.py --config {baseDir}/config/event_watcher.yaml \
> {baseDir}/logs/watcher.log 2>&1 &Run it under a visible process manager or terminal session, document where logs/state are stored, and stop the process when event watching is no longer needed.