The Agent Skills Directory

The skill openclaw-watchdog sets up a persistent monitoring service. It handles sensitive user credentials (Telegram token/chat ID, OpenAI/Anthropic keys) by encrypting them locally using a machine-specific key and storing them with restricted permissions. These credentials are used to communicate with the legitimate Telegram API for sending alerts, not for exfiltration to an attacker.

HIGH Severity Findings:

Privilege Escalation / Command Execution: The scripts/watchdog.py script, after user approval (via touch ~/.openclaw/watchdog/approve-reinstall), executes npm install -g openclaw. Global npm install commands can write to system-wide directories and potentially require elevated privileges or modify system configurations. While triggered by user approval, this is a powerful command that could lead to privilege escalation if the openclaw package itself is compromised or if the user's environment grants npm install -g broader permissions than intended. This is a significant risk.
Persistence Mechanisms: The scripts/setup.sh explicitly creates user-level LaunchAgents (macOS) or systemd user services (Linux) to ensure the watchdog runs persistently. This is an intended feature of the skill but constitutes a persistence mechanism, which is flagged as a high-severity finding in the analysis protocol.

MEDIUM Severity Findings:

Unverifiable Dependencies (Source Code): The skill's homepage (https://github.com/Abdullah4AI/openclaw-watchdog) and owner (abdullah4ai) in _meta.json point to GitHub organizations not listed as trusted. This means the skill's own source code is from an unverified external source, introducing a general risk regarding its integrity.
Unverifiable Dependencies (External Package Installation): The scripts/setup.sh installs aiohttp via pip, and scripts/watchdog.py executes npm install -g openclaw. While aiohttp is a reputable Python library, and openclaw is likely the main gateway, these are external dependencies installed from a skill whose source is untrusted. This introduces a risk that these dependencies could be tampered with or replaced if the source repository were compromised.

LOW Severity Findings:

Credentials Handling: The skill requests and stores TELEGRAM_TOKEN, TELEGRAM_CHAT_ID, OPENAI_KEY, and ANTHROPIC_KEY. While these are sensitive, the skill encrypts them locally using openssl with a machine-specific password and sets restrictive file permissions (chmod 600). It uses these credentials to communicate with the legitimate Telegram API. This is a good practice for local storage, but the handling of sensitive credentials is always noted.

No other threats (Prompt Injection, Obfuscation, Indirect Prompt Injection, Time-Delayed / Conditional Attacks) were detected beyond the intended watchdog logic.