OpenClaw Guard
OpenClaw security monitoring, diagnostics, and knowledge management plugin
Community code plugin. Review compatibility and verification before install.
openclaw-guard · runtime id openclaw-guard
Install
openclaw plugins install clawhub:openclaw-guardLatest Release
Version 1.0.3
Compatibility
{
"builtWithOpenClawVersion": "1.0.3",
"pluginApiRange": ">=2026.0.0"
}Capabilities
{
"bundledSkills": [],
"capabilityTags": [
"executes-code",
"kind:security"
],
"channels": [],
"commandNames": [],
"configSchema": true,
"configUiHints": false,
"executesCode": true,
"hooks": [],
"httpRouteCount": 0,
"materializesDependencies": false,
"pluginKind": "security",
"providers": [],
"runtimeId": "openclaw-guard",
"serviceNames": [],
"setupEntry": false,
"toolNames": []
}Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description align with the included code and SKILL.md: this is a CLI security/monitoring tool that performs diagnostics, monitoring, knowledge-base sync, backups, and can run as a daemon. The codebase (src/ and dist/) implements the described features (agent management, monitor, knowledge, backup, auto-fixer). Required capabilities (file I/O, process inspection, outbound network) are consistent with the stated purpose.
Instruction Scope
The SKILL.md instructs cloning the repo, running npm install/build, and using commands that read and write user files (~/.openclaw, ~/.openclaw-guard), start a daemon, run system diagnostic commands, perform automatic fixes (diagnose --fix) and push/pull knowledge to remote endpoints. These are within the tool's purpose but are high‑risk: auto‑fix can execute dangerous operations, knowledge sync/push can send user data to remote endpoints, and the doc explicitly states configs (including credentials) are stored in plaintext JSON. Additionally, automated detection flagged prompt‑injection patterns inside SKILL.md (see scan findings) — that may indicate hidden or manipulative content in the runtime instructions and should be inspected before use.
Install Mechanism
The registry lists no install spec (instruction‑only), yet the package contains a full Node.js project (package.json, package-lock.json, src/, dist/). Installation is manual (git clone, npm install, npm run build). That lowers supply‑chain opacity compared with arbitrary remote downloads, but you must run npm install/build locally which will execute arbitrary postinstall scripts if present. Review package.json / package-lock.json and avoid running as root.
Credentials
The skill declares no required env vars, which is appropriate, but the product stores configuration and (potentially) credentials in plaintext under ~/.openclaw-guard and supports pushing/pulling to remote knowledge stores and webhooks. Storing secrets in plain JSON and enabling outbound network sync is proportional to the feature set but increases risk; there is no declared primary credential or secure secret storage mechanism. Confirm which tokens/endpoints get stored before enabling sync.
Persistence & Privilege
always:false (no forced inclusion) and model invocation is allowed (default). The tool can run as a background daemon (monitor daemon) and registers agent management features — this fits its purpose. However, autonomous invocation combined with network sync and auto‑fix raises blast radius; prefer manual invocation or restrict network endpoints until audited.
Scan Findings in Context
[prompt-injection/ignore-previous-instructions] unexpected: The pre-scan flagged an 'ignore-previous-instructions' pattern inside SKILL.md. I didn't see the literal phrase in visible content, which suggests there may be hidden unicode control characters or obfuscated text intended to manipulate agents or evaluators. This is not expected for a benign CLI README and should be investigated.
[prompt-injection/unicode-control-chars] unexpected: Scanner detected Unicode control character patterns in SKILL.md. These are sometimes used to hide or alter instruction semantics and are unexpected in plain documentation. Inspect the SKILL.md raw bytes for control characters before trusting automated execution or pasting content into an LLM.
What to consider before installing
What to check and do before installing/use:
1) Inspect the repository locally (do not run install/build as root): review package.json scripts (postinstall), package-lock.json, and any network/curl/http code paths for hardcoded endpoints. Run npm audit and npm ls.
2) Search SKILL.md and all files for hidden unicode control characters or suspicious prompt-instruction strings (the pre-scan found them). Use a hex-aware editor or cat -v to reveal control chars.
3) Review code paths that perform 'fix' actions or execute shell commands. Prefer to run diagnose without --fix first and review suggested commands before applying.
4) Treat remote sync/webhook features as opt-in: do not configure remote endpoints or push data until you trust the code. When testing, use a local or internal test endpoint.
5) Protect configuration: after creating ~/.openclaw-guard, set strict permissions (chmod 700 dir, chmod 600 files). Consider using an encrypted secrets store instead of plaintext JSON.
6) Sandbox first: run the tool inside a container or VM for initial evaluation to observe behavior (network calls, file modifications, spawned processes).
7) If you need the skill for production, consider performing a security code review focusing on network exfiltration, command execution, and any autoupdate or remote code fetch logic. If you are not comfortable auditing, do not enable daemon/autofix or network sync.
Low confidence factors: presence of many source files indicates functionality but also increases audit surface; the prompt-injection detections lower trust and raise the need for manual review.dist/commands/monitor.js:278
Shell command execution detected (child_process).
src/commands/monitor.ts:256
Shell command execution detected (child_process).
src/lib/daemon.ts:153
Shell command execution detected (child_process).
dist/lib/fixer.js:194
Environment variable access combined with network send.
src/lib/fixer.ts:241
Environment variable access combined with network send.
dist/lib/fixer.js:622
File read combined with network send (possible exfiltration).
dist/lib/knowledge.js:598
File read combined with network send (possible exfiltration).
src/lib/fixer.ts:714
File read combined with network send (possible exfiltration).
src/lib/knowledge.ts:711
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Verification
{
"hasProvenance": false,
"scanStatus": "pending",
"scope": "artifact-only",
"sourceCommit": "2c1f8a9694f9bdb0721b333ab857bf5a50d73937",
"sourceRepo": "SylvanXiao/openclaw-guard",
"sourceTag": "2c1f8a9694f9bdb0721b333ab857bf5a50d73937",
"summary": "Validated package structure and linked the release to source metadata.",
"tier": "source-linked"
}Tags
{
"latest": "1.0.3"
}OpenClaw Guard
<p align="center"> <strong>OpenClaw 安全监控、运维管理 CLI 工具</strong> </p> <p align="center"> <a href="#功能特性">功能特性</a> • <a href="#安装">安装</a> • <a href="#使用指南">使用指南</a> • <a href="#知识库系统">知识库系统</a> • <a href="#安全检测">安全检测</a> </p>功能特性
🔍 诊断与修复
- 智能诊断 - 自动检测 OpenClaw 运行环境、配置、服务状态
- 自动修复 - 一键修复常见问题,支持 AI 辅助诊断
- 知识库驱动 - 基于经验库的智能问题匹配与修复
🛡️ 安全监控
- 实时监控 - 危险命令检测、文件变更监控
- 网络监控 - Gateway 连接监控、异常访问告警
- 设备监控 - 设备配对监控、授权管理
- 多渠道告警 - 支持 Webhook、钉钉、企业微信、飞书
📚 知识库系统
- 云端同步 - 与远程知识库双向同步
- 自动学习 - 修复成功后自动学习到本地库
- 智能合并 - 相同问题模式累加验证次数
- 安全检测 - 30+ 危险命令模式检测
📊 运维管理
- 配置管理 - 查看、修改、验证配置
- Agent 管理 - 创建、删除、切换 Agent
- 备份恢复 - 配置备份与一键恢复
- 性能监控 - 实时性能指标展示
安装
# 克隆仓库
git clone https://github.com/SylvanXiao/openclaw-guard.git
cd openclaw-guard
# 安装依赖
npm install
# 编译
npm run build
# 全局安装(可选)
npm link
系统要求
- Node.js >= 18.0.0(推荐 >= 22.16.0)
- npm >= 9.0.0
使用指南
常用命令
# 安装 OpenClaw(引导式安装)
openclaw-guard install
# 运行诊断
openclaw-guard diagnose
# 诊断并自动修复
openclaw-guard diagnose --fix
# 启动安全监控
openclaw-guard monitor start
# 后台守护进程模式
openclaw-guard monitor daemon
# 启动 TUI 仪表盘
openclaw-guard tui
配置管理
# 查看配置
openclaw-guard config show
# 设置配置项
openclaw-guard config set <path> <value>
# 验证配置
openclaw-guard config validate
安全审计
# 运行安全审计
openclaw-guard security audit
# 加固安全配置
openclaw-guard security harden
知识库系统
基本操作
# 查看知识库统计
openclaw-guard knowledge stats
# 列出所有解决方案
openclaw-guard knowledge list
# 搜索解决方案
openclaw-guard knowledge search <query>
# 查看解决方案详情
openclaw-guard knowledge show <id>
# 手动添加解决方案
openclaw-guard knowledge add
远程同步
# 设置远程知识库地址
openclaw-guard knowledge remote <url> --interval 24
# 从远程拉取(只拉取验证 3+ 次的方案)
openclaw-guard knowledge sync --url <url>
# 推送到远程(推送验证 1+ 次且安全的方案)
openclaw-guard knowledge sync --push --url <url>
# 双向同步
openclaw-guard knowledge sync --bidirectional --url <url>
导入导出
# 导出知识库
openclaw-guard knowledge export output.json
# 只导出已验证的方案
openclaw-guard knowledge export --verified output.json
# 导入知识库
openclaw-guard knowledge import input.json
同步规则
| 方向 | 条件 | 说明 |
|---|---|---|
| 推送 → 云端 | verified ≥ 1 + 安全检测通过 | 智能合并:相同累加次数,不同新建 |
| 云端 → 拉取 | verified ≥ 3 + 安全检测通过 | 高质量方案保障 |
安全检测
检测范围
知识库安全检测覆盖 30+ 种危险命令模式:
| 类别 | 示例 |
|---|---|
| 文件破坏 | rm -rf /, rm -rf ~, dd of=/dev/ |
| 权限风险 | chmod 777, chown |
| 网络风险 | curl | bash, 反向 shell |
| 系统配置 | > /etc/passwd, > ~/.ssh/ |
| 特权提升 | sudo su, pkexec |
| 环境篡改 | export LD_PRELOAD |
使用方式
# 验证本地知识库
openclaw-guard knowledge validate
# 验证文件
openclaw-guard knowledge validate <file>
# 验证远程知识库
openclaw-guard knowledge validate --remote
AI 二次检测
当 AI 配置可用时,修复建议入库前会进行 AI 二次检测:
- 安全风险分析
- 副作用评估
- 可逆性检查
监控功能
实时监控
# 启动终端监控
openclaw-guard monitor start
# 后台守护进程
openclaw-guard monitor daemon \
--webhook <url> \
--network \
--devices
# 查看监控状态
openclaw-guard monitor status
# 查看告警历史
openclaw-guard monitor history
授权管理
# 授权危险操作
openclaw-guard monitor authorize <ruleId> <pattern>
# 撤销授权
openclaw-guard monitor revoke <authId>
# 查看授权列表
openclaw-guard monitor authorizations
TUI 仪表盘
启动交互式终端仪表盘:
openclaw-guard tui
功能包括:
- 系统状态概览
- 实时日志监控
- 性能指标展示
- 快捷操作面板
项目结构
openclaw-guard/
├── src/
│ ├── index.ts # 入口文件
│ ├── commands/ # CLI 命令
│ │ ├── diagnose.ts # 诊断命令
│ │ ├── monitor.ts # 监控命令
│ │ ├── knowledge.ts # 知识库命令
│ │ └── ...
│ ├── lib/ # 核心库
│ │ ├── config.ts # 配置管理
│ │ ├── daemon.ts # 守护进程
│ │ ├── fixer.ts # 自动修复
│ │ └── knowledge.ts # 知识库管理
│ ├── monitor/ # 监控模块
│ │ ├── detector.ts # 危险检测
│ │ ├── alert.ts # 告警系统
│ │ └── ...
│ └── types/ # 类型定义
├── dist/ # 编译输出
└── package.json
开发
# 开发模式
npm run dev
# 编译
npm run build
# 运行
npm start
安全说明
权限范围
本插件需要以下权限:
| 权限 | 用途 | 风险等级 |
|---|---|---|
| 文件读写 | 读写 ~/.openclaw 和 ~/.openclaw-guard 目录 | 低 |
| 网络出站 | 告警推送、知识库同步、AI 诊断(需用户配置) | 中 |
| 进程执行 | 系统诊断命令(ps、ss、pgrep 等) | 中 |
数据流向
本地文件 → 本地分析 → 用户确认 → 执行操作
↓
用户配置的外部端点(可选)
不会自动向任何第三方发送数据。
安全最佳实践
- 不要以 root 运行:使用普通用户权限运行
- 验证远程端点:配置 Webhook 或知识库 URL 前,确认目标服务器可信
- 保护配置文件:
~/.openclaw-guard/目录包含敏感配置,设置适当权限 - 审查依赖:安装前检查
package-lock.json中的依赖 - 沙箱测试:首次使用建议在容器或虚拟机中测试
凭据存储
配置文件存储在 ~/.openclaw-guard/ 目录,以 JSON 格式明文存储。建议:
chmod 700 ~/.openclaw-guard
chmod 600 ~/.openclaw-guard/*.json
依赖安全
所有依赖均为知名 npm 包,无冷门或可疑依赖。安装前可审查:
npm audit
npm ls
许可证
MIT License