LuLu CLI
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: lulu-cli
Version: 0.2.0
The skill provides an AI agent with high-privilege access to modify macOS firewall rules via sudo, including the ability to add, delete, and toggle rules for any application. It includes a 'reload' command that kills the LuLu system extension, which the documentation notes creates an 8-second gap in network filtering. While the skill's instructions in SKILL.md include security advice for managing agent network access, the combination of sudo-level system modification and the requirement for a third-party binary from an unverified Homebrew tap (woop/tap/lulu-cli) constitutes a high-risk capability that could be exploited to facilitate data exfiltration or bypass security boundaries.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly or too broadly, the agent could weaken your firewall, allow unwanted outbound traffic, delete protections, or briefly interrupt filtering during reload.
The skill grants the agent access to both normal and sudo lulu-cli commands. The documented workflows include adding, deleting, enabling, disabling, and reloading firewall rules, so this is high-impact local system mutation rather than read-only diagnostics.
allowed-tools: Bash(lulu-cli:*), Bash(sudo lulu-cli:*)
Require explicit user approval before any sudo lulu-cli command, prefer specific app/domain/port rules over global wildcards, and review the current rules before making changes.
The skill can make system-wide security changes, not just changes inside the agent or a project folder.
The skill directly manages a root-owned firewall configuration file and states that sudo is required for write operations. This privilege is expected for firewall management, but users should understand the system-level authority involved.
Rules live in `/Library/Objective-See/LuLu/rules.plist` ... owned by root
Install and use only if you trust the lulu-cli binary and are comfortable granting sudo-level firewall administration.
Your trust decision depends on the external lulu-cli package and its Homebrew tap, not just this instruction file.
The skill depends on an external Homebrew tap for the actual executable, while the supplied artifacts contain no code files for static review. This is disclosed and normal for a CLI wrapper, but provenance matters because the binary is used with sudo.
brew | formula: woop/tap/lulu-cli | creates binaries: lulu-cli
Verify the Homebrew formula, repository, maintainer, and release integrity before installing, especially because the tool modifies firewall rules with elevated privileges.
A mistaken rule or reload can affect the whole machine’s outbound network filtering, not just one blocked connection.
The reload operation is disclosed, but restarting the firewall extension creates a temporary filtering gap, and global rules can affect all applications.
Kills the extension process... There is a brief gap in filtering during the restart.
Apply changes in small steps, avoid unnecessary reloads, and confirm that each rule is scoped as narrowly as possible.
