Restart Guard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-built restart tool rather than malware, but it gives an agent broad restart, diagnostic-command, and external-notification authority that needs careful review.

Install only if you want an agent to restart the OpenClaw gateway from natural-language requests. Before enabling it, require an explicit confirmation step, restrict who can edit the restart config and context files, keep external notification channels minimal, avoid generic webhooks unless necessary, and review what diagnostics may be collected and sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
exec_args = shlex.split(actual)
if not exec_args:
    raise ValueError("empty command after parsing")
result = subprocess.run(
    exec_args,
    shell=False,
    capture_output=True,
Confidence
89% confidence
Finding
result = subprocess.run(exec_args, shell=False, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not exec_args:
    raise ValueError("empty command after parsing")

proc = subprocess.run(
    exec_args, shell=False, capture_output=True, text=True, timeout=30,
)
output = proc.stdout.strip()
Confidence
92% confidence
Finding
proc = subprocess.run(exec_args, shell=False, capture_output=True, text=True, timeout=30)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The spec explicitly requires synchronizing the skill into an external mirror directory under `/Users/codez/.openclaw/custom/open-source/restart-guard/*`, which expands the skill's write scope beyond what is needed for restart orchestration. In an agent setting, unnecessary file replication increases the blast radius for accidental overwrite, propagation of unsafe changes, or persistence into a secondary location that may later be trusted or redistributed.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The required `rsync -a --delete` mirror command introduces a destructive replication capability unrelated to safely restarting a gateway. The `--delete` flag can remove files in the destination tree, so if paths are misconfigured or influenced indirectly, the skill could propagate changes or erase content in a separate repository-like location.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as a deterministic restart guard, but on delivery failure it broadens behavior to send results to the main session and external notification channels. That scope expansion is security-relevant because restart context, failure details, and diagnostics may be broadcast outside the originating session, increasing the chance of unintended disclosure and violating least surprise for an operational restart tool.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guardian accepts configurable diagnostics commands unrelated to core restart-state verification, enabling execution of local inspection commands during failure handling. In this context, that makes the skill more dangerous because a restart utility now doubles as a configurable command runner whose outputs are persisted and potentially shared.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This helper reads arbitrary secrets from both process environment variables and a user-scoped ~/.openclaw/.env file, giving the skill credential-access capability beyond a narrowly scoped restart action. In the context of a restart-focused skill, that broader secret-harvesting surface increases the chance of unintended credential use or data exfiltration through notification channels.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module implements general-purpose multi-channel messaging and webhook delivery, which exceeds the stated restart-guard purpose. Capability mismatch is dangerous because users may grant trust based on the manifest while the code can transmit arbitrary messages to external channels.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This code contacts third-party messaging services and arbitrary webhooks using credentials, enabling external transmission outside the narrow restart-control function. In skill context, that makes the behavior more concerning because it broadens the trust boundary and creates a channel for sending operational data off-host.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
`trigger_restart_http()` returns immediately after host/port validation and never executes the HTTP restart request code below, leaving the documented primary restart path dead. In a restart orchestrator, this can silently disable the authenticated restart method and force fallback behaviors such as signaling or CLI restart, which may target the wrong process or behave less safely than intended.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The spec authorizes execution of a full restart workflow based on broad natural-language phrases like `可以重启了`, `现在重启吧`, and `restart now`, without requiring a structured confirmation or disambiguation step. Because restarting infrastructure is a high-impact action, loose trigger matching increases the risk of accidental invocation from ordinary conversation, quoted text, logs, tests, or adversarial prompt content.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README explicitly states that the user only needs to express generic restart intent such as 'restart now' and that the agent will run the restart flow automatically. For a high-impact action like restarting a gateway and initiating follow-up notification behavior, this broad trigger language increases the risk of accidental or contextually ambiguous activation from ordinary conversation, leading to unintended service disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation promotes automatic gateway restart and proactive result delivery, including fallback to external and broadcast channels, but the quick-start and behavior description do not prominently warn users that service interruption and possible disclosure to external channels may occur. In this skill context, the combination of infrastructure restart plus multi-channel fallback makes missing consent and disclosure warnings materially dangerous.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are broad conversational commands like 'restart now' and are marked 'must auto-run,' which can cause unintended activation from ambiguous user text, quoted examples, or discussion rather than consent to execute. In this context, unintended activation directly initiates a gateway restart, making service disruption and accidental operational impact plausible.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow defaults to automatically running the full restart flow, inferring the origin session, discovering external channels, and persisting notification plans and context, but it does not clearly warn the user up front that these actions will happen automatically. That lack of explicit notice undermines informed consent and can lead to unexpected data persistence or outbound notifications during a sensitive operational task.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Diagnostic command outputs are bundled, written to disk, summarized, and later used in notifications, but this file only performs limited regex-based redaction. Command output can easily contain credentials, internal topology, tokens in unexpected formats, or sensitive logs, so persisting and forwarding it materially increases exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When agent delivery fails, the code falls back to external notifications containing restart status, error details, diagnostics file paths, and optionally diagnostics summaries. In a restart-guard skill, this is especially risky because users may not expect operational failure data and context metadata to be broadcast to other channels, creating a confidentiality leak surface.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Credential-backed network notifications occur without any evident user-facing disclosure or consent mechanism in this module. Silent outbound communications are risky in an agent skill because they can leak operational context or sensitive message contents to external services without the operator realizing it.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script sends restart context, session identifiers, and routing details to agent sessions and possibly external notification channels without any apparent minimization or consent gate. In this operational context, that can leak sensitive internal topology, identifiers, or incident context to broader audiences than necessary, especially when `notify_mode` is `all` or fallback broadcasting is triggered.

VirusTotal

66/66 vendors flagged this skill as clean.
