v1.0.3

Gateway Monitor

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:15 AM.

Analysis

The skill is mostly consistent with a gateway monitoring dashboard, but it asks users to run external code not included in the package and exposes high-impact restore/restart/service-control actions.

Guidance: Before installing, verify the GitHub repository and server.js yourself, pin a trusted version, and run the dashboard only on a trusted local machine. Treat its restore, restart, and LiteLLM control features as administrative actions, and only enable launchd/nohup background mode if you want the monitor to keep running continuously.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
git clone https://github.com/yes999zc/gateway-monitor.git
cd gateway-monitor

# No dependencies required, run directly
node server.js

The packaged skill contains no server.js or install spec, yet the instructions direct the user to clone and run external Node.js code. Because that external code would power service control and config-restore functions, the provenance gap is material.

User impact: Installing this as documented would run code that was not included in the reviewed artifact set and could affect local Gateway-related services.
Recommendation: Review the external repository and server.js before running it, pin a trusted commit or release, and prefer a package that includes the reviewed source and install instructions.
Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
GET /api/restore-config?confirm=true - Restore configuration
GET /api/gateway-restart?confirm=true - Restart Gateway
GET /api/litellm-control?action=wake|start|stop|restart&confirm=true - Control the LiteLLM container

The documented API includes state-changing restore, restart, and container control operations exposed as GET endpoints with confirmation represented by a URL parameter. These actions are high-impact and the artifacts do not show stronger authorization or scoping.

User impact: A mistaken or unintended request could restore configuration, restart the Gateway, or stop/restart LiteLLM services.
Recommendation: Only run the dashboard on a trusted local interface, verify that the implementation requires explicit user approval and authentication, and avoid exposing the port to other users or networks.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
cp bin/ai.openclaw.gateway-monitor.plist ~/Library/LaunchAgents/
launchctl load ~/Library/LaunchAgents/ai.openclaw.gateway-monitor.plist

# Run manually in the background
nohup node server.js > gateway-monitor.log 2>&1 &

The skill documents launchd and nohup background operation. This is coherent for a monitoring dashboard, but it creates persistent local behavior users should knowingly enable.

User impact: The monitor can continue running in the background and keep access to local service status, logs, and control endpoints.
Recommendation: Use background mode only if you want continuous monitoring, and know how to unload the launchd agent or stop the nohup process.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
export OMLX_API_KEY=8888               # oMLX API key

The skill documents an optional API key for oMLX access, while registry metadata declares no credentials. This appears purpose-aligned, but it is sensitive authority users should notice.

User impact: The dashboard may use a local oMLX API key to query model capabilities or related endpoints.
Recommendation: Use the least-privileged local API key available and avoid placing real secrets in shared shell history or logs.