OpenClaw Guard
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The backup/rollback idea is coherent, but the shipped script has under-disclosed hardcoded Feishu notification and backup settings that could use the user’s account and store sensitive OpenClaw files in an unexpected location.
Review and edit scripts/config/settings.yaml before running this skill. Remove the hardcoded /home/ljj backup path, set Feishu notifications to false unless you explicitly want them, delete the hardcoded Open ID, and confirm which OpenClaw files will be backed up and restored. Only start the guard when you are comfortable with an automatic rollback and gateway restart after the timeout.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing/running the guard could cause messages to be sent from the user's OpenClaw/Feishu-connected account.
The script can use the user's OpenClaw messaging authority to send Feishu messages. The registry declares no credentials or environment requirements, and this delegated account action is not clearly surfaced in the main requirements.
openclaw message send \
--channel feishu \
--target "$FEISHU_OPEN_ID" \
--message "$message"Disable or remove Feishu notification code unless intentionally needed, and require the user to explicitly configure the recipient and approve message-sending behavior.
A user may believe notifications are off or user-configured while the script's actual config enables them for a preset recipient.
The bundled config under scripts/ enables Feishu notifications to a hardcoded Open ID and sets a hardcoded personal backup path. This conflicts with the main documentation's framing of alerts as optional and user-configured.
backup_dir: /home/ljj/.openclaw/backups ... feishu_enabled: true feishu_open_id: ou_0b05bbfa08fd31bb887ba0fc4dcf6854 # 开拓者的 Open ID
Ship defaults with notifications disabled, remove personal IDs/paths, and make the documented config file match the file the script actually reads.
Private agent memory or user configuration could be duplicated into backup files and retained or restored later.
The script backs up persistent agent instruction, user, memory, and tool files. That is consistent with rollback, but these files can contain sensitive context and are copied into persistent backups, with the shipped script config using an unexpected backup directory.
BACKUP_FILES=(
"$HOME/.openclaw/openclaw.json"
"$WORKSPACE_DIR/AGENTS.md"
"$WORKSPACE_DIR/SOUL.md"
"$WORKSPACE_DIR/USER.md"
"$WORKSPACE_DIR/MEMORY.md"
"$WORKSPACE_DIR/TOOLS.md"
)Review exactly which files are backed up, store backups only in a user-approved directory with safe permissions, and document retention and cleanup behavior clearly.
If the guard is started and not stopped in time, it may overwrite recent configuration changes and restart the OpenClaw gateway.
The skill explicitly designs a long-running independent guard process that can roll back configuration and restart the gateway after a timeout. This is purpose-aligned and disclosed, but it is autonomous background behavior.
守护脚本 (独立进程) ... 时间到,直接回滚! ... cp 备份 → 配置 ... systemctl restart
Use the guard only before intended risky changes, choose an appropriate timeout, and confirm it has stopped after successful edits.
The gateway service may be restarted automatically during rollback, interrupting current sessions.
The script performs service restart/start operations as part of rollback. This is expected for a gateway recovery tool, but it is still a high-impact local action.
if systemctl --user restart "$GATEWAY_SERVICE" 2>/dev/null; then
log_success "Gateway 重启完成"
elif openclaw gateway start 2>/dev/null; thenRun it only when gateway restart is acceptable, and ensure the service name is correct for the user's environment.
Users have less external context for who maintains the script or where updates come from.
The skill includes a high-impact shell script but has limited provenance and no install specification. The code is present for review, so this is a provenance note rather than a standalone concern.
Source: unknown Homepage: none Install specifications: No install spec — this is an instruction-only skill.
Prefer a maintained source repository, clear homepage, and explicit install/runtime requirements before relying on it for recovery.