← Back to Skills Marketplace
220
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install qclaw-watchdog
Description
QClaw Watchdog - Monitors and auto-restarts QClaw when issues are detected. Works independently of QClaw, communicates via Feishu for alerts and commands. QC...
Usage Guidance
Do not install or run this skill blindly. Key points to check before proceeding:
- Treat the shipped config.json as sensitive: it contains a Feishu app_id and app_secret in plaintext. Assume those credentials are valid and compromised; rotate or remove them and replace with your own credentials stored securely (do not keep secrets in repo files).
- The registry lists no required env vars or OS restriction, but the code requires FEISHU_* credentials and uses macOS-specific commands (open, osascript, pkill, pgrep). Only run on a controlled macOS host and only if you accept that the watchdog will be able to start/stop QClaw.
- The SKILL.md references update.sh/publish.sh which are missing — ask the author for the missing files and verify the update mechanism before enabling automatic updates.
- The package does not include dependency installation (no package.json shown). The code requires '@larksuiteoapi/node-sdk' — verify how that dependency will be provided (npm install or existing QClaw-provided node_modules). The start.sh attempts to point NODE_PATH into /Applications/QClaw.app — this is unusual and fragile.
- Review the code paths that run shell commands (pgrep, open, pkill, osascript, child_process.exec) and ensure you run the watchdog with least privilege and that logs and command files are stored where you expect.
- If you decide to test it, run in an isolated environment (non-production machine or VM), replace credentials with test values, and audit network traffic and the Feishu app to ensure no unexpected behavior. If you cannot verify the origin and author of this package, prefer not to run it with real credentials or on a production host.
Capability Analysis
Type: OpenClaw Skill
Name: qclaw-watchdog
Version: 1.0.0
The bundle provides a remote monitoring and control service for a macOS application via the Feishu (Lark) platform. It is classified as suspicious primarily due to the inclusion of hardcoded Feishu API credentials (app_id: cli_a9333bca0c78dceb) and a specific controller User ID (ou_2be571a62a2decc279990e6096775556) in `config.json`, which grants the credential owner remote control over the host. The `watchdog.js` script implements a WebSocket listener that executes shell commands (`pkill`, `osascript`, `open`) based on remote messages, and `SKILL.md` provides instructions for establishing persistence via macOS LaunchAgents. While the commands are currently limited to a specific application, the pre-configured remote access and the mention of an external 'auto-update' feature pose a significant security risk.
Capability Assessment
Purpose & Capability
The code implements a monitor that polls a local QClaw health URL, uses system commands to detect and restart QClaw, and communicates via Feishu — which aligns with the stated watchdog purpose. However, the skill manifests no declared required env vars or OS restriction while the code is clearly macOS/Unix-specific (uses open, osascript, pkill, pgrep) and expects Feishu credentials (either in config.json or environment). That mismatch between metadata and implementation is concerning.
Instruction Scope
SKILL.md instructs running init-config.sh and start.sh (expected) and references update.sh and publish.sh for updates/publishing, but those scripts are not present in the distributed file list. SKILL.md also suggests creating a LaunchAgents plist for macOS autostart. The runtime instructions expect editing/creating configuration containing Feishu credentials and potentially setting env vars (FEISHU_APP_ID/SECRET/USER_ID), but the package metadata declared no required env variables — an inconsistency. The instructions also instruct adding a NODE_PATH that points into a QClaw app installation, which assumes a specific host setup not documented in registry metadata.
Install Mechanism
There is no external installer or remote download — this is instruction-only with bundled scripts and code. That reduces supply-chain download risk. However, the package does not include dependency installation guidance (no npm install step or package.json provided), yet it requires the '@larksuiteoapi/node-sdk' module; start.sh relies on a NODE_PATH pointing into another app to satisfy dependencies, which is brittle and unusual.
Credentials
The repo ships a config.json containing Feishu app_id, app_secret, and a user_id (plaintext). The code also reads FEISHU_* env vars if set. The registry metadata declared no required credentials, but the skill clearly needs Feishu credentials to function; embedding what appear to be real credentials in the repo is a major red flag — either these are leaked/placeholder sensitive values or the package will operate using those credentials if left unchanged. Requesting QClaw control via local system commands is proportionate for a watchdog, but the undisclosed credential requirement and included secret are disproportionate and risky.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It suggests user actions to enable autostart (launchctl plist), which is a normal instruction for a watchdog service. It runs system commands to manage another application (open, osascript, pkill), which is expected for a restart-capable monitor but grants it the ability to control local processes — an expected but high-impact capability. Combine this with the embedded Feishu credentials and autonomous invocation could increase blast radius; be cautious.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install qclaw-watchdog - After installation, invoke the skill by name or use
/qclaw-watchdog - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of qclaw-watchdog:
- Monitors and auto-restarts QClaw when issues are detected.
- Sends status alerts and receives commands via Feishu.
- Runs independently from QClaw, with status checks, automatic restarts, and remote control.
- Supports configurable settings, separated config files, and environment variable overrides.
- Includes one-click update, easy installation scripts, and GitHub publishing tools.
Metadata
Frequently Asked Questions
What is qclaw-watchdog?
QClaw Watchdog - Monitors and auto-restarts QClaw when issues are detected. Works independently of QClaw, communicates via Feishu for alerts and commands. QC... It is an AI Agent Skill for Claude Code / OpenClaw, with 220 downloads so far.
How do I install qclaw-watchdog?
Run "/install qclaw-watchdog" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is qclaw-watchdog free?
Yes, qclaw-watchdog is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does qclaw-watchdog support?
qclaw-watchdog is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created qclaw-watchdog?
It is built and maintained by kf-liu (@kf-liu); the current version is v1.0.0.
More Skills