← Back to Skills Marketplace
austindixson

Gateway Guard

by austindixson · GitHub ↗ · v1.0.7
cross-platform ⚠ suspicious
1052
Downloads
2
Stars
9
Active Installs
8
Versions
Install in OpenClaw
/install gateway-guard
Description
Ensures OpenClaw gateway auth consistency. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to...
README (SKILL.md)

Gateway Guard

Description

Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents.

Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents.

Gateway Guard

Keeps OpenClaw gateway authentication in sync with openclaw.json. Use when the user or agent sees gateway auth issues, device_token_mismatch, or needs to ensure the gateway is running with the correct token/password before spawning sub-agents.

Metadata: This skill uses always: false in _meta.json. It is not forced into every agent run; the orchestrator invokes it when needed (e.g. before delegating to sub-agents). Optional persistence (LaunchAgent) is installed only when you run the install scripts; see "Before installing" below.

Before installing

  • Backup openclaw.json — The script may add or correct gateway.auth (token/password) when missing or wrong. Make a copy before running ensure --apply.
  • Test read-only first — Run python3 scripts/gateway_guard.py status --json and python3 scripts/gateway_guard.py ensure --json (without --apply) to see what it would do before allowing restarts or config writes.
  • Understand continue delivery — The watcher can run openclaw agent --message continue --deliver when a run error appears in gateway.log. Confirm that automatically sending that message is acceptable in your environment.
  • LaunchAgent is optional — Persistence (watcher every 30s) is installed only if you run install_watcher.sh. The installer copies the plist from the skill directory into ~/Library/LaunchAgents and runs launchctl load; only run it if you accept that. The plist is included in this package: scripts/com.openclaw.gateway-guard.watcher.plist (and scripts/com.openclaw.gateway-guard.continue-on-error.plist). Ensure OPENCLAW_HOME and OPENCLAW_BIN resolve to your intended paths before installing the watcher.
  • Try in a non-production environment first if you are unsure.

Package contents (file manifest)

Included in this skill so installers do not error:

  • scripts/gateway_guard.py — Main script (status, ensure, continue-on-error, watch).
  • scripts/install_watcher.sh — Installs the single combined LaunchAgent (token sync + continue-on-error).
  • scripts/install_continue_on_error.sh — Redirects to install_watcher.sh.
  • scripts/com.openclaw.gateway-guard.watcher.plist — LaunchAgent plist template (install_watcher.sh copies and substitutes paths).
  • scripts/com.openclaw.gateway-guard.continue-on-error.plist — Legacy plist (optional; install_watcher.sh replaces with the combined watcher).

Usage

  • User or logs report "Gateway auth issue", "device_token_mismatch", or "unauthorized"
  • Before running the router and sessions_spawn (orchestrator flow): check gateway status first
  • After installing or updating OpenClaw: verify gateway and config match
  • When the TUI disconnects or won't connect: fix auth and restart gateway
  • Run error (Unhandled stop reason: error): run continue-on-error --loop (e.g. via LaunchAgent or cron) so the guard auto-sends "continue" to the agent when this appears in gateway.log
python3 \x3Cskill-dir>/scripts/gateway_guard.py status [--json]
python3 \x3Cskill-dir>/scripts/gateway_guard.py ensure [--apply] [--wait] [--json]
python3 \x3Cskill-dir>/scripts/ensure_gateway_then.sh [command ...]
python3 \x3Cskill-dir>/scripts/gateway_guard.py continue-on-error [--once] [--loop] [--interval 30] [--json]
  • status — Report whether the running gateway's auth matches openclaw.json. Exit 0 if ok, 1 if mismatch.
  • ensure — Same check; if mismatch and --apply, restart the gateway with credentials from config. Writes gateway.auth to openclaw.json only when it is missing or wrong (never overwrites correct config). Use --wait after --apply to block until the gateway port is open (up to 30s), so clients can connect immediately after.
  • ensure_gateway_then.sh — Detect and connect automatically: ensures the gateway is running (starts it if needed, waits for port), then runs your command. Example: ensure_gateway_then.sh openclaw tui or ensure_gateway_then.sh (just ensure and wait).
  • continue-on-error — When gateway.log contains Unhandled stop reason: error (run error), send continue to the agent via openclaw agent --message continue --deliver. Use --once to check once and exit, or --loop to run every --interval seconds. Cooldown 90s between triggers. State: logs/gateway-guard.continue-state.json.
  • watch — Single combined daemon (one LaunchAgent). Each run: (0) token syncensure --apply so gateway auth matches config (prevents device_token_mismatch); (1) gateway back → what-just-happened summary; (2) continue-on-error check. Install one daemon: bash \x3Cskill-dir>/scripts/install_watcher.sh (or install_continue_on_error.sh). This unloads the old separate what-just-happened and continue-on-error LaunchAgents and loads com.openclaw.gateway-guard.watcher so users only need one. For periodic gateway recovery (check every 10s, restart if not ok), use the separate gateway-watchdog skill.

Behavior

  • Reads openclaw.jsongateway.auth (token or password) and gateway.port.
  • Compares with the process listening on that port (and optional guard state file).
  • If ensure --apply: restarts gateway via openclaw gateway stop then openclaw gateway --port N --auth token|password --token|--password SECRET.
  • If token is missing in config (token mode only): generates a token, writes it to config once, then proceeds. Does not overwrite config when it is already correct.
  • continue-on-error: Tails OPENCLAW_HOME/logs/gateway.log for the string Unhandled stop reason: error. When found (and not in cooldown), runs openclaw agent --message continue --deliver so the agent receives "continue" and can resume. Run install_continue_on_error.sh to install a LaunchAgent that checks every 30s. If the error appears in the TUI but the watcher never triggers, the gateway may not be writing run errors to gateway.log — ensure run/stream errors are logged there.

JSON output (for orchestration)

  • status --json / ensure --json: ok, secretMatchesConfig, running, pid, reason, recommendedAction, configPath, authMode, gatewayPort. When not ok, recommendedAction is "run gateway_guard.py ensure --apply and restart client session".

Requirements

  • OpenClaw openclaw.json with gateway.auth (mode token or password) and gateway.port.
  • CLI / system: openclaw CLI on PATH (for ensure --apply and continue-on-error); lsof and ps (macOS/Unix); launchctl on macOS when using the LaunchAgent install scripts.
  • Environment (optional): OPENCLAW_HOME — OpenClaw home directory (default: ~/.openclaw). OPENCLAW_BIN — Path or name of openclaw binary (default: openclaw).

Privileged actions (what you accept)

This skill may: read and modify openclaw.json (including writing gateway.auth when missing or wrong); write state and log files under OPENCLAW_HOME/logs/; restart the gateway via the OpenClaw CLI; and, if the watcher is installed, invoke openclaw agent --message continue --deliver automatically when a run error is detected. These are privileged local actions; run only if you accept them.

Usage Guidance
This package appears to do what it says: compare and (if requested) repair gateway auth and optionally run a watcher that auto-sends a local 'continue' message when a run error appears. Before installing or enabling the watcher: 1) back up your openclaw.json; 2) run the status/ensure commands without --apply to see proposed changes; 3) understand and accept that the watcher will restart the gateway and can run 'openclaw agent --message continue --deliver' (this will send a local command to your agent); 4) the scripts use lsof/ps/kill/launchctl and may reveal secrets in process arguments to other local users (this is a normal risk when passing secrets on command lines); and 5) prefer to test in a non-production environment. If you need further assurance, inspect gateway_guard.py and the plist before installing and verify the LaunchAgent contents and environment substitutions (OPENCLAW_HOME/OPENCLAW_BIN) so the daemon runs with intended paths.
Capability Analysis
Type: OpenClaw Skill Name: gateway-guard Version: 1.0.7 The 'gateway-guard' skill performs high-risk system operations including modifying the 'openclaw.json' configuration file (which contains authentication secrets), inspecting process command lines via 'ps' to extract credentials, and installing persistence on macOS via a LaunchAgent (scripts/install_watcher.sh). While these actions are documented as part of its purpose to maintain gateway authentication consistency and monitor logs for errors, the combination of configuration tampering, process inspection, and persistence mechanisms constitutes a significant security risk and broad permissions beyond typical benign behavior.
Capability Assessment
Purpose & Capability
Name/description match the code and SKILL.md: scripts inspect the running gateway, compare secrets to openclaw.json, can write gateway.auth when missing/incorrect, and can restart the gateway. Tools used (ps, lsof, kill, openclaw CLI) are appropriate for the task.
Instruction Scope
Runtime instructions ask the agent/user to run the included Python script and optional installer. The skill reads and may write the user's openclaw.json, probes processes and ports, and can issue local CLI commands (e.g., 'openclaw agent --message continue --deliver'). These actions are consistent with the stated purpose but are privileged (can restart gateway, change config, and auto-send 'continue'), so the user should explicitly consent and test in a non-production environment first.
Install Mechanism
No network install or arbitrary download. The package is file-based with included scripts and an optional LaunchAgent plist; install is a local copy or running provided install shell scripts. No third-party packages are pulled during install.
Credentials
The skill declares no required env vars but the code uses OPENCLAW_HOME and OPENCLAW_BIN with sensible defaults. It needs read/write access to the user's OpenClaw workspace (openclaw.json, logs) and permission to inspect processes and start/stop the gateway. Those privileges are proportional to its purpose but are sensitive (config writes, process restarts, local CLI invocations).
Persistence & Privilege
Persistence via a macOS LaunchAgent is optional and only installed if the user runs install_watcher.sh. The skill metadata sets always: false. Autonomy to invoke the skill is the platform default; combined with the optional watcher, it can autonomously restart gateway and auto-send 'continue' messages — this is expected for the described use but should be enabled only with informed consent.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install gateway-guard
  3. After installation, invoke the skill by name or use /gateway-guard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.7
gateway-guard 1.0.7 - No file or functionality changes detected in this release. - All documentation, descriptions, and behavior remain unchanged.
v1.0.6
gateway-guard 1.0.6 - No user-facing changes in this release. - No file changes detected; documentation and functionality remain the same as the previous version.
v1.0.5
## gateway-guard 1.0.5 - No file changes detected in this version. - No visible changes to documentation or features. - Behavior and usage remain unchanged from previous version.
v1.0.4
No changes detected in this version. - Version 1.0.4 has no file or documentation updates. No functional or behavioral changes from prior version.
v1.0.3
gateway-guard 1.0.3 - Added scripts/ensure_gateway_then.sh: allows automatic gateway launch and connection before running commands. - SKILL.md and README.md: clarified install behavior, file manifest, and privileged actions; added usage notes for new helper script; emphasized that LaunchAgent persistence is optional. - Extended ensure command with --wait flag to wait for the gateway port after restart. - Updated documentation for more robust guidance before installation or applying changes. - Minor file manifest and metadata corrections for improved clarity and package completeness.
v1.0.2
gateway-guard 1.0.2 - Added _meta.json file for metadata management. - Improved documentation in SKILL.md: clarified requirements, expanded requirements section, and described environment variables. - Enhanced command descriptions and usage instructions for better clarity. - No functional code or command changes in this version.
v1.0.1
- Added auto-prompt feature to send "continue" to the agent when "Unhandled stop reason: error" appears in gateway logs. - Introduced the `continue-on-error` command with options for single-run or looped monitoring. - New scripts: `install_continue_on_error.sh` and `install_watcher.sh` for simplified daemon/LaunchAgent setup. - Added a unified `watch` command for combined auth sync, log monitoring, and error recovery (single LaunchAgent). - Updated documentation for new installation and command usage workflows.
v1.0.0
gateway-guard 1.0.0 — Initial release - Ensures OpenClaw gateway authentication matches the credentials in openclaw.json. - Provides status and correction commands: `status` checks for auth mismatches; `ensure --apply` fixes them and restarts the gateway if needed. - Writes the correct gateway token or password to openclaw.json only if missing or incorrect. - Useful for resolving "device_token_mismatch", unauthorized errors, and after installing/updating OpenClaw. - Outputs detailed JSON status for use in orchestration flows.
Metadata
Slug gateway-guard
Version 1.0.7
License
All-time Installs 10
Active Installs 9
Total Versions 8
Frequently Asked Questions

What is Gateway Guard?

Ensures OpenClaw gateway auth consistency. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to... It is an AI Agent Skill for Claude Code / OpenClaw, with 1052 downloads so far.

How do I install Gateway Guard?

Run "/install gateway-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Gateway Guard free?

Yes, Gateway Guard is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Gateway Guard support?

Gateway Guard is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Gateway Guard?

It is built and maintained by austindixson (@austindixson); the current version is v1.0.7.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments