OpenClaw Ops Guardrails
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: openclaw-ops-guardrails
Version: 0.1.1
The skill bundle is designed for operational troubleshooting and includes explicit security-enhancing instructions such as `openclaw security audit --deep` and a `Publish Sanitization Checklist`. However, it is classified as 'suspicious' because it contains commands that can reduce security controls or leverage powerful tools. Specifically, `references/failure-playbook.md` instructs the agent to set `security=full, ask=off, askFallback=full` to disable approval mechanisms for troubleshooting, which is a significant security control bypass. It also uses `ssh openclaw-gateway 'hostname; whoami'` for diagnostics. This serves a stated purpose, but it involves shell execution via SSH and carries inherent risks if not properly secured or if inputs are compromised. There is no clear evidence of intentional malicious behavior such as data exfiltration or backdoor installation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed on the wrong gateway or node, a device or command runner could gain broad ongoing access without normal approval prompts.
These instructions can lower approval requirements to full/no-prompt mode and approve a device without clearly requiring identity verification, scoping, expiry, or rollback.
When approval-free pass-through is needed, set: `security=full, ask=off, askFallback=full` ... `openclaw devices approve --latest`
Require explicit administrator confirmation before these steps, verify the exact node/device identity, scope any approval bypass to a short maintenance window, and document how to restore approval settings afterward.
The agent may run small commands on a selected node during troubleshooting.
The skill explicitly uses remote command execution as a validation step. This is disclosed and aligned with operations troubleshooting, but it still acts on target devices.
Run one minimal command on the target device (echo/date/whoami)
Use it only on intended nodes and require confirmation before running anything beyond harmless validation commands.
An active tunnel or related process could be stopped during troubleshooting.
The playbook may terminate an existing tunnel process. This is a normal remediation for port conflicts, but can disrupt active sessions if the PID is wrong.
Reuse the existing tunnel or kill the old tunnel PID
Confirm the `lsof` result and the process owner before killing any PID.
