Security Audit

restart-guard

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

restart-guard received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 30 findings: 14 critical, 14 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous call: subprocess.run().

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

3 findings

Filesystem Write

4 findings

Shell Execution

27 findings

Dynamic Code

4 findings

Security Findings30

Severity	Finding	Layer	Location
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/guardian.py:92
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/guardian.py:110
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/guardian.py:128
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/notify.py:108
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/notify.py:128
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/notify.py:144
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/notify.py:158
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/notify.py:181
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/postcheck.py:77
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/restart.py:98
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/restart.py:119
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/zjianru/restart-guard/scripts/restart.py:143
CRITICAL	Command Injection via 'verify' commands in postcheck.py The `scripts/postcheck.py` script executes commands specified in the `verify` section of the restart context file using `subprocess.run(..., shell=True)`. The `verify` commands are directly populated from user input provided to `scripts/write_context.py` via the `--verify` arguments. An attacker who can control the `--verify` arguments can inject and execute arbitrary shell commands on the host system. Avoid using `shell=True` with user-controlled input. If shell execution is strictly necessary, sanitize or validate the input rigorously. Prefer passing commands and arguments as a list to `subprocess.run()` without `shell=True`.	LLM	scripts/postcheck.py:70
CRITICAL	Command Injection via 'diagnostics' commands in guardian.py The `scripts/guardian.py` script executes diagnostic commands specified in the `guardian.diagnostics` section of the `restart-guard.yaml` configuration file using `subprocess.run(..., shell=True)`. If an attacker can modify the `restart-guard.yaml` configuration, they can inject and execute arbitrary shell commands on the host system. Avoid using `shell=True` with user-controlled input. If shell execution is strictly necessary, sanitize or validate the input rigorously. Prefer passing commands and arguments as a list to `subprocess.run()` without `shell=True`. Restrict write access to `restart-guard.yaml`.	LLM	scripts/guardian.py:120
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'check_health'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/guardian.py:92
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'check_health_curl'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/guardian.py:110
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run_diagnostics'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/guardian.py:128
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_notify_telegram'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/notify.py:128
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_notify_discord'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/notify.py:144
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_notify_slack'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/notify.py:158
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_notify_webhook'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/notify.py:181
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_notify_openclaw'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/notify.py:108
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/postcheck.py:77
HIGH	Dangerous call: subprocess.call() Call to 'subprocess.call()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/restart.py:98
HIGH	Dangerous call: subprocess.Popen() Call to 'subprocess.Popen()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/restart.py:119
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/zjianru/restart-guard/scripts/restart.py:143
HIGH	Data Exfiltration of Diagnostic Logs via External Notifications The `scripts/guardian.py` script captures diagnostic output, including `openclaw logs --tail 30`, and sends it via the `notify` function to various external services (Telegram, Discord, Slack, generic webhooks) as configured in `restart-guard.yaml`. If the `openclaw` logs contain sensitive information (e.g., API keys, PII, internal system details), this mechanism could lead to the exfiltration of such data to third-party services. Review the content of diagnostic logs to ensure no sensitive information is present. Implement redaction or filtering of sensitive data before sending logs to external notification services. Consider limiting the verbosity or specific commands used for diagnostics when sending to external channels.	LLM	scripts/guardian.py:84
HIGH	Prompt Injection via User-Controlled Context File Content The `scripts/write_context.py` script generates a Markdown context file that includes user-provided `reason` and `note` fields directly into its body. If this context file is later consumed by an LLM agent, these fields can be used to inject malicious instructions or manipulate the LLM's behavior, potentially leading to unintended actions or information disclosure. Implement robust input sanitization and validation for all user-provided text that will be stored in the context file and potentially consumed by an LLM. Consider using a structured data format for LLM input instead of raw Markdown, or explicitly delimit user input within the Markdown to prevent it from being interpreted as instructions.	LLM	scripts/write_context.py:64
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/zjianru/restart-guard/scripts/postcheck.py:9
MEDIUM	Credential Harvesting via External Notification Services The `scripts/notify.py` module reads various sensitive credentials (e.g., `TELEGRAM_BOT_TOKEN`, `DISCORD_WEBHOOK_URL`, `SLACK_WEBHOOK_URL`, `RESTART_GUARD_WEBHOOK_URL`, `GATEWAY_AUTH_TOKEN`) from environment variables or `~/.openclaw/.env` files. These credentials are then used to authenticate and send messages to external third-party services. While used in headers or URLs, the script's direct handling and transmission of these secrets to external endpoints increases the risk of exposure, especially if the notification content or configuration could be manipulated. Ensure that all external notification services are trusted and configured securely. Implement strict access controls on the `.env` file and environment variables. Consider using a secrets management system instead of `.env` files for production environments. Regularly rotate API keys and tokens.	LLM	scripts/notify.py:20

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f84ea8ac18c3328c.svg)](https://skillshield.io/report/f84ea8ac18c3328c)