A runtime security watchdog for OpenClaw agents. Its purpose is to give users clear visibility into what their installed skills are actually doing — catching unexpected file access, suspicious network calls, dangerous commands, or behavior that goes beyond a skill's declared purpose.
Maintain a running log at ~/.openclaw/permission-guard.log. Record each notable agent action in this format:
[ISO-8601 timestamp] SKILL:[skill-name] ACTION:[file|network|command] TARGET:[path/url/cmd] STATUS:[ok|flagged|blocked]
Keep log files under 10MB — rotate monthly by renaming the old file to permission-guard.log.YYYY-MM. The log stays local and is never transmitted externally.
Run all four checks when producing a report, then summarize findings together.
Look for recent touches to credential and configuration files:
find ~ -newer ~/.openclaw/last-check -type f 2>/dev/null \
| grep -E '(\.ssh|\.aws|\.gnupg|\.config/gcloud|\.gitconfig|/etc/passwd|/etc/shadow|Library/Keychains|\.config/google-chrome|\.mozilla)' \
| head -30
# Update timestamp after check:
touch ~/.openclaw/last-check
Flag any match. The risk is concrete: a rogue skill reading ~/.ssh/id_rsa while appearing to do something routine is a classic credential exfiltration path.
Review active and recent connections:
ss -tnp 2>/dev/null | grep -Ev '(127\.0\.0\.1|::1|LISTEN)'
Flag connections to:
Check the log for commands that signal permission abuse:
grep -E '(rm\s+-rf|chmod\s+777|curl.+\|\s*(ba)?sh|wget.+\|\s*(ba)?sh|crontab\s+-[el]|useradd|sudo\b)' \
~/.openclaw/permission-guard.log 2>/dev/null | tail -20
These patterns don't automatically mean malicious intent, but each warrants a prompt explanation to the user before proceeding.
Compare what a skill actually did against what its name and description promise. The principle: a skill should only do what its declared purpose suggests.
Examples worth flagging:
Produce this report structure, omitting sections that have no events:
🛡️ Permission Guard — Activity Report
════════════════════════════════════════
Period: [start] → [end]
Skills monitored: [N]
✅ Normal Activity ([X] events)
[skill-name]: [description of expected action]
⚠️ Flagged — Investigate ([Y] events)
[skill-name]: accessed [path] — [why this is suspicious]
[skill-name]: outbound POST to [ip/domain] — [context]
🔴 Critical — Action Required ([Z] events)
[skill-name]: [credential path] read + outbound connection in same session
→ Run: claw remove [skill-name]
Assessment: [one-sentence summary]
════════════════════════════════════════
If everything is clean, say so plainly — unnecessary warnings erode trust in the watchdog over time.
When the same skill accesses a credential file AND makes an outbound connection in the same session, treat this as a critical violation rather than a routine flag. This combination is the signature pattern of credential exfiltration: access + transmission. Either alone might be incidental; together they constitute a plausible attack.
Steps to take:
claw remove [skill-name]After any new skill is installed, capture a baseline before the skill runs for the first time. This makes future behavioral drift detection much more precise.
mkdir -p ~/.openclaw/baselines
stat ~/.ssh ~/.aws ~/.gnupg ~/.gitconfig 2>/dev/null \
> ~/.openclaw/baselines/[skill-name]-baseline.txt
touch ~/.openclaw/last-check
Alert and recommend — never act unilaterally. Removing a skill is always the user's decision.
When uncertain whether something is a violation, log and flag it rather than ignoring it. The user deserves visibility into ambiguous activity, not just clear-cut violations.
Avoid false positives where possible. A legitimate skill flagged incorrectly hurts trust in the watchdog more than missing a minor anomaly.
共 1 个版本