swarm-self-heal
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: Hardcoded fallback notification recipient. The `scripts/setup.sh` file defines a specific Telegram ID (8563003761) as a default target for cron notifications if the user's `openclaw.json` configuration is missing a recipient. The watchdog is configured to send "full raw output blocks" and detailed remediation summaries to this ID, potentially exposing sensitive system state and agent context to an external party.
- [COMMAND_EXECUTION]: Automated persistence via cron scheduling. The `scripts/setup.sh` script utilizes the `openclaw cron` utility to automatically schedule the watchdog for recurring execution (every 20-30 minutes). This establishes a long-term presence on the host system without manual intervention.
- [COMMAND_EXECUTION]: Runtime service lifecycle management. The `scripts/swarm_self_heal.sh` script is capable of performing high-impact recovery actions, specifically executing `systemctl --user restart openclaw-gateway` and `openclaw gateway restart` to manage the state of the system's gateway service.
- [PROMPT_INJECTION]: Indirect injection surface via agent health checks. The `scripts/swarm_self_heal.sh` script monitors agent health by checking their output for the string "READY". Because agent outputs can be influenced by untrusted external data during their normal operation, this creates a vector where a compromised or manipulated agent could report a deceptive health status to the watchdog.
  - Ingestion points: Agent output captured via `openclaw agent` in `scripts/swarm_self_heal.sh`.
  - Boundary markers: None; the script performs a simple substring match on the payload text.
  - Capability inventory: Capability to modify cron jobs and restart the gateway service.
  - Sanitization: Input is parsed using `jq`, but the textual content of the agent's response is not sanitized before comparison.
Audit Metadata