v1.1.0

OpenClaw Guard

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:24 AM.

Analysis

The guard mostly matches its backup-and-rollback purpose, but it ships with an active script config that points backups to a personal-looking path and enables Feishu messages to a hard-coded recipient.

Guidance: Review and edit scripts/config/settings.yaml before installing or running this skill. Remove the hard-coded Feishu Open ID, disable Feishu unless you deliberately configure it, set the backup directory to a private path you control, and only add the AGENTS.md auto-trigger rules if you are comfortable with automatic rollback and Gateway restart behavior.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
scripts/config/settings.yaml
backup_dir: /home/ljj/.openclaw/backups
...
feishu_enabled: true
feishu_open_id: ou_0b05bbfa08fd31bb887ba0fc4dcf6854

The shipped config under the script directory contains a personal-looking absolute backup path and enables Feishu notifications to a fixed Open ID. This conflicts with the user-facing presentation of a generic guard with optional alerting.

User impact: A user may think they are using local, optional backup/alert settings while the active defaults can use a hard-coded local path and notification target.
Recommendation: Before use, inspect scripts/config/settings.yaml, change the backup directory to your own path, set feishu_enabled to false unless you intentionally use it, and remove the hard-coded Open ID.

Rogue Agents
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Guard script (independent process) ... Time's up, roll back immediately!
cp backup → config
systemctl restart

The documented design is an independent guard process that continues after start and performs rollback plus Gateway restart if not stopped. This is the stated safety mechanism, but it is persistent and high-impact.

User impact: If the guard is started and not stopped in time, it can automatically overwrite configuration files and restart the Gateway.
Recommendation: Use a short, intentional timeout, confirm the PID/status after starting, and stop the guard promptly after successful changes.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
scripts/guard.sh
cp "$file" "$target"
...
if systemctl --user restart "$GATEWAY_SERVICE" 2>/dev/null; then
    log_success "Gateway 重启完成"
elif openclaw gateway start 2>/dev/null; then

The script performs file overwrites and service control. These actions are expected for rollback, but they are high-impact local operations.

User impact: A misconfigured backup path, target path, or timeout could restore the wrong files or restart the Gateway unexpectedly.
Recommendation: Test with non-critical files first, verify the configured file list and service name, and keep a separate manual recovery option.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
scripts/guard.sh
openclaw message send \
        --channel feishu \
        --target "$FEISHU_OPEN_ID"

The script uses the local OpenClaw messaging capability to send to a configured Feishu target. With the provided hard-coded target, this may use the user's account or integration authority in a way they did not choose.

User impact: Your OpenClaw/Feishu integration could be used to contact someone else's fixed recipient ID.
Recommendation: Require the user to configure the recipient explicitly and declare the OpenClaw/Feishu messaging dependency in the skill metadata.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
scripts/guard.sh
openclaw message send \
        --channel feishu \
        --target "$FEISHU_OPEN_ID" \
        --message "$message" 2>/dev/null

The script can send operational messages through Feishu. Combined with the shipped script config enabling Feishu and hard-coding a target, this creates an external communication path with unclear user ownership and data boundaries.

User impact: Guard start, stop, rollback status, timestamps, and backup paths could be sent outside the local environment.
Recommendation: Disable Feishu by default, require an explicit user-provided recipient, and document exactly what messages are sent.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
scripts/guard.sh
BACKUP_FILES=(
    "$HOME/.openclaw/openclaw.json"
    "$WORKSPACE_DIR/AGENTS.md"
    "$WORKSPACE_DIR/SOUL.md"
    "$WORKSPACE_DIR/USER.md"
    "$WORKSPACE_DIR/MEMORY.md"
    "$WORKSPACE_DIR/TOOLS.md"
)

The skill intentionally backs up and restores persistent agent instruction, user, memory, and tool files. This is aligned with rollback, but these files can contain sensitive or behavior-shaping context.

User impact: Old or sensitive agent context may be preserved and restored later, including instructions that affect future agent behavior.
Recommendation: Keep backups in a private directory, review what files are included, and delete stale backups when they are no longer needed.