v2.2.0

Restart Guard

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:26 AM.

Analysis

This skill appears purpose-aligned, but it can automatically restart your OpenClaw gateway, use local tokens, and send restart failure reports through discovered external channels.

GuidanceReview this skill before installing. It is not showing clear malicious behavior, but it is designed to restart the OpenClaw gateway automatically, use local auth/notification tokens, spawn a temporary detached guardian, and potentially broadcast failure reports to external channels. Install it only if those behaviors match your operational expectations.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

Natural-language triggers (must auto-run, do not ask user for script commands) ... Run full flow automatically via `scripts/auto_restart.py`.

The skill directs the agent to automatically execute a gateway restart workflow from simple restart phrases, which is a high-impact operation with limited extra confirmation.

User impactA recognized phrase such as “restart now” can cause the agent to run scripts that restart the OpenClaw gateway, potentially interrupting service.

RecommendationInstall only if you want the agent to restart the gateway on direct restart intent; consider requiring explicit confirmation or restricting autonomous invocation.

Rogue Agents

SeverityLowConfidenceHighStatusNote

references/troubleshooting.md

The guardian is spawned as a fully detached process (nohup + setsid) so it survives the gateway restart.

A detached process continues operating after the main restart command exits, although the docs also describe bounded exit behavior.

User impactA helper process may keep running briefly after the gateway restart to verify recovery and deliver the result.

RecommendationConfirm that the configured retry budget and lock paths are acceptable, and monitor the guardian log if restarts fail.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none

The registry metadata does not provide a source or homepage for a skill that includes executable scripts and high-impact restart authority.

User impactIt may be harder to verify that the installed package matches an intended upstream source.

RecommendationVerify the publisher and source code provenance before installing, especially because the skill controls gateway restart behavior.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

scripts/notify.py

env_path = os.path.expanduser("~/.openclaw/.env") ... auth_token = _resolve_env(auth_env) ... f"Authorization: Bearer {auth_token}"

The skill can read local OpenClaw environment secrets and use the gateway bearer token for notification/tool-invoke paths.

User impactThe skill needs access to local gateway and notification credentials to perform its restart/reporting workflow.

RecommendationUse narrowly scoped tokens where possible and verify which environment variables are present in `~/.openclaw/.env` before running the skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Auto-discover external channels and persist `effective_notify_plan` ... Fixed disaster route: `origin session -> agent:main:main -> all discovered external channels`.

The failure path can automatically send restart results or diagnostic summaries to every discovered external notification channel, not only a user-selected one.

User impactRestart status and failure details may be broadcast to Telegram, Discord, Slack, webhooks, Feishu, or other configured channels if origin-session delivery fails.

RecommendationReview configured external channels and webhook destinations before use; prefer selected/origin-only notification modes if broad broadcast is not desired.