dios-man

Gateway Guardian

Author: Dios-Man · GitHub · v1.6.3 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 487
Favorites: 0
Current installs: 0
Versions: 15
Install in OpenClaw
/install gateway-config-guardian
Description
Three-layer protection for the OpenClaw gateway: real-time config monitoring with auto-rollback, systemd crash recovery, and tiered notifications via Feishu/...
Usage instructions (SKILL.md)

Gateway Guardian — Skill Instructions

Triggers

Activate this skill when the user:

  • Shares https://github.com/Dios-Man/gateway-guardian and asks to install it
  • Says "install gateway-guardian", "帮我安装", "install this skill", or similar
  • Says "gateway-guardian status", "guardian status", "guardian 运行正常吗", or similar
  • Says "uninstall gateway-guardian", "卸载 gateway-guardian", or similar
  • Sends a message matching 设置通知群: <id> or set guardian group: <id>

Installation (AI-executed)

Pre-flight checks

  1. Confirm the system is Linux with systemd --user available:
    systemctl --user status 2>&1 | head -3
    
  2. Check and install inotify-tools if missing:
    if ! which inotifywait > /dev/null 2>&1; then
        sudo apt-get install -y inotify-tools 2>/dev/null || apt-get install -y inotify-tools 2>/dev/null || true
    fi
    
    If apt-get fails (no sudo), ask the user to run: sudo apt-get install -y inotify-tools
  3. Confirm OpenClaw is installed and the gateway is running.

Determine notification fallback

Before writing guardian.conf, resolve the following values from the current conversation context:

Variable | How to resolve
FALLBACK_CHANNEL | The channel name from inbound metadata (e.g. feishu, telegram, discord)
FALLBACK_TARGET | See rules below

FALLBACK_TARGET rules:

  • Feishu: always user:{sender_id} (DM to installer, even if installed from a group)
  • Telegram: use {chat_id} for direct chats; for groups, ask: "What is your personal Telegram numeric ID? (needed for DM notifications)"
  • Discord: ask: "What is your Discord DM channel ID? (needed for direct notifications)"

These resolved values replace {FALLBACK_CHANNEL} and {FALLBACK_TARGET} in Step 4.

Determine notification language (LOCALE)

Detect the language the user is communicating in during this conversation:

  • User is writing in Chinese → LOCALE=zh
  • User is writing in English → LOCALE=en
  • Language is unclear or mixed → ask the user: "Should notifications be sent in Chinese or English?"

Installation steps

Step 1 — Back up current config

TIMESTAMP_DIR="$HOME/.openclaw/config-backups"
mkdir -p "$TIMESTAMP_DIR"
cp "$HOME/.openclaw/openclaw.json" \
   "$TIMESTAMP_DIR/openclaw.json.$(date +%Y%m%d-%H%M%S).preinstall"
echo "Backup created: $(ls -t "$TIMESTAMP_DIR" | head -1)"

Step 2 — Download skill files

SKILL_DIR="$HOME/.openclaw/workspace/skills/gateway-guardian"
mkdir -p "$SKILL_DIR"
BASE_URL="https://raw.githubusercontent.com/Dios-Man/gateway-guardian/main"
for f in config-lib.sh config-watcher.sh gateway-recovery.sh pre-stop.sh; do
    # Skip if file already present (e.g. installed via clawhub install)
    [ -f "$SKILL_DIR/$f" ] && continue
    curl -fsSL "$BASE_URL/$f" -o "$SKILL_DIR/$f"
done

Step 3 — Ask bot name (optional)

Ask the user: "What name should I use for myself in team notifications? (e.g. Claw, MyBot, OpenClaw — press Enter to skip and use the default 'OpenClaw')"

Record as BOT_NAME. If the user skips, use OpenClaw.

Step 4 — Write guardian.conf

Substitute resolved values before running. Replace:

  • {FALLBACK_CHANNEL} → resolved channel name (e.g. feishu)
  • {FALLBACK_TARGET} → resolved target (e.g. user:ou_xxx for Feishu)
  • {LOCALE} → zh or en
  • {BOT_NAME} → bot display name from Step 3
SKILL_DIR="$HOME/.openclaw/workspace/skills/gateway-guardian"
# Quoted delimiter: the substituted values are written literally, without shell expansion.
cat > "$SKILL_DIR/guardian.conf" << 'GUARDIANCONF'
# Auto-generated by gateway-guardian installer. Do not upload to GitHub.

# Fallback notification target (used when dynamic session detection fails)
FALLBACK_CHANNEL={FALLBACK_CHANNEL}
FALLBACK_TARGET={FALLBACK_TARGET}

# Notification language: zh (Chinese) | en (English)
LOCALE={LOCALE}

# Bot display name used in staff/team notifications
BOT_NAME={BOT_NAME}

# Team group/channel notification (optional)
# Leave empty to disable. Supported formats:
#   Feishu:   oc_xxx
#   Telegram: -100xxxxxxxxxx  (supergroup/channel numeric id)
#   Discord:  123456789012345678  (channel id, digits only)
# Only effective if the channel is configured and running in OpenClaw.
STAFF_GROUP_CHAT_ID=
GUARDIANCONF

Step 5 — Set execute permissions

SKILL_DIR="$HOME/.openclaw/workspace/skills/gateway-guardian"
chmod +x "$SKILL_DIR/config-watcher.sh"
chmod +x "$SKILL_DIR/gateway-recovery.sh"
chmod +x "$SKILL_DIR/pre-stop.sh"

Step 6 — Register config-watcher service

SKILL_DIR="$HOME/.openclaw/workspace/skills/gateway-guardian"
# Make sure the user unit directory exists before writing into it
mkdir -p ~/.config/systemd/user
cat > ~/.config/systemd/user/openclaw-config-watcher.service << EOF
[Unit]
Description=OpenClaw Gateway Guardian - File Watcher
After=openclaw-gateway.service

[Service]
Type=simple
ExecStart=/bin/bash $SKILL_DIR/config-watcher.sh
Restart=always
RestartSec=3

[Install]
WantedBy=default.target
EOF

Step 7 — Register gateway-recovery service

SKILL_DIR="$HOME/.openclaw/workspace/skills/gateway-guardian"
cat > ~/.config/systemd/user/openclaw-recovery.service << EOF
[Unit]
Description=OpenClaw Gateway Guardian - Crash Recovery
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash $SKILL_DIR/gateway-recovery.sh
EOF

Step 8 — Register OnFailure drop-in and ExecStopPost hook

SKILL_DIR="$HOME/.openclaw/workspace/skills/gateway-guardian"
mkdir -p ~/.config/systemd/user/openclaw-gateway.service.d/
cat > ~/.config/systemd/user/openclaw-gateway.service.d/recovery.conf << EOF
[Unit]
OnFailure=openclaw-recovery.service
# Start rate limiting is configured in [Unit] (see systemd.unit(5))
StartLimitBurst=3
StartLimitIntervalSec=60

[Service]
ExecStopPost=/bin/bash $SKILL_DIR/pre-stop.sh
EOF

Step 9 — Start services

systemctl --user daemon-reload
systemctl --user enable openclaw-config-watcher.service
systemctl --user start openclaw-config-watcher.service

Step 10 — Verify installation

systemctl --user is-active openclaw-config-watcher.service
cat ~/.config/systemd/user/openclaw-gateway.service.d/recovery.conf
tail -5 /tmp/config-watcher.log

Step 11 — Report result to user

Reply with a summary in the user's language (match LOCALE):


Gateway Guardian installed

🔔 Notification channel: {channel} (fallback target: {FALLBACK_TARGET})
🌐 Notification language: {zh | en}
🤖 Bot name: {BOT_NAME}
📋 Service status: {Active line from systemctl output}
📝 Log: /tmp/config-watcher.log

To uninstall, tell me: "uninstall gateway-guardian" / "卸载 gateway-guardian"

Optional — Team group notification

If OpenClaw is used by multiple people, you can configure a group to receive recovery notifications.

zh prompt:

如果团队有多人使用,可以配置一个通知群,网关恢复后自动通知大家。 请发送以下消息完成配置(支持飞书 / Telegram / Discord): 设置通知群: oc_xxx

en prompt:

If your team uses OpenClaw together, you can set up a group notification. When the gateway recovers, your team will be notified automatically. Send me this to configure (Feishu / Telegram / Discord supported): set guardian group: oc_xxx

When you receive the config command:

  • Parse the group ID from the message
  • Write it to STAFF_GROUP_CHAT_ID in guardian.conf
  • Confirm back to the user

Status Check (AI-executed)

When the user asks for status:

systemctl --user status openclaw-config-watcher.service
tail -10 /tmp/config-watcher.log
ls -lt ~/.openclaw/config-backups/ | head -5

Report: service active/inactive, recent log lines, number of config backups on hand.


Set Team Group (AI-executed)

When the user sends a message matching 设置通知群: <id> or set guardian group: <id>:

  1. Extract the group ID from the message
  2. Determine the channel based on ID format:
    • Starts with oc_ → feishu
    • Starts with -100 → telegram
    • Pure digits → discord
  3. Update guardian.conf:
    SKILL_DIR="$HOME/.openclaw/workspace/skills/gateway-guardian"
    sed -i "s|^STAFF_GROUP_CHAT_ID=.*|STAFF_GROUP_CHAT_ID={extracted_id}|" "$SKILL_DIR/guardian.conf"
  4. Confirm to the user (zh/en based on LOCALE):
    • zh: ✅ 已配置团队通知群,网关恢复后会自动通知群里的成员。
    • en: ✅ Team group configured. Members will be notified automatically when the gateway recovers.
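
One way to enforce the ID formats listed above before the sed update, as an added example that is not part of the skill's own scripts. The function names and the alphanumeric Feishu suffix are assumptions, and the demo config and IDs are constructed.

```shell
#!/usr/bin/env bash
# Added example (not project code): validate the ID from "set guardian group: <id>"
# against the three documented formats before it is interpolated into sed.

# classify_group_id ID: prints feishu|telegram|discord; returns 1 if ID fits none.
# Assumption: the part after "oc_" is alphanumeric (the page documents only the prefix).
classify_group_id() {
    local LC_ALL=C
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty, or a character outside the ID alphabet
        oc_?*)
            case ${1#oc_} in *[!A-Za-z0-9]*) return 1 ;; esac
            echo feishu ;;
        -100?*)
            case ${1#-100} in *[!0-9]*) return 1 ;; esac
            echo telegram ;;
        *[!0-9]*) return 1 ;;               # e.g. "oc_", "-100", "-5", "12a"
        *) echo discord ;;
    esac
}

# set_staff_group CONF ID: update STAFF_GROUP_CHAT_ID only for a validated ID and
# print the detected channel. Validation guarantees ID contains no "|", "&" or "\",
# so it cannot alter the sed expression.
set_staff_group() {
    local conf="$1" id="$2" channel
    channel=$(classify_group_id "$id") || { echo "rejected group id" >&2; return 1; }
    sed -i "s|^STAFF_GROUP_CHAT_ID=.*|STAFF_GROUP_CHAT_ID=$id|" "$conf" || return 1
    echo "$channel"
}

# Demo on a constructed guardian.conf with constructed IDs.
demo_set_group() {
    local conf
    conf=$(mktemp) || return 2
    printf 'LOCALE=en\nSTAFF_GROUP_CHAT_ID=\n' > "$conf"
    set_staff_group "$conf" 'oc_abc|def' 2>/dev/null || echo "rejected: oc_abc|def"
    set_staff_group "$conf" '-1001234567890'
    grep '^STAFF_GROUP_CHAT_ID=' "$conf"
    rm -f "$conf"
}

demo_set_group
```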

Uninstall (AI-executed)

When the user asks to uninstall:

systemctl --user stop openclaw-config-watcher.service
systemctl --user disable openclaw-config-watcher.service
rm -f ~/.config/systemd/user/openclaw-config-watcher.service
rm -f ~/.config/systemd/user/openclaw-recovery.service
rm -f ~/.config/systemd/user/openclaw-gateway.service.d/recovery.conf
systemctl --user daemon-reload
systemctl --user reset-failed openclaw-gateway.service 2>/dev/null

Ask the user whether to also delete config backups:

# Only run if user confirms
rm -rf ~/.openclaw/config-backups/

Confirm removal is complete.


Notes

  • This skill must be installed via an OpenClaw AI agent — no manual install script is provided.
  • Installation requires an active message context (in-conversation metadata is used for notification setup).
  • guardian.conf contains private notification config and is never uploaded to GitHub.
  • Config backups in ~/.openclaw/config-backups/ are retained across uninstalls unless the user explicitly requests deletion.
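  • Group notification (_MSG_STAFF_RECOVERY): if STAFF_GROUP_CHAT_ID is configured, it is sent only to that fixed group; if not, it is sent to the most active session, detected dynamically.
  • Technical notifications (urgent/status): always sent via dynamic session detection, preferring a direct-message session; when there is no direct-message session, they go to the most active group. FALLBACK_CHANNEL/FALLBACK_TARGET in guardian.conf serve as the fallback.
Security recommendations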
This skill appears internally consistent with its purpose, but it will: (1) download script files from a GitHub raw URL and execute them on your machine, (2) create/modify user systemd unit files and a drop-in for your gateway service, (3) read OpenClaw session metadata and journalctl logs, and (4) send notifications using the openclaw CLI. Before installing, review the scripts (config-lib.sh, config-watcher.sh, gateway-recovery.sh, pre-stop.sh) yourself or on a trusted machine, verify the GitHub repository/author, and ensure you are comfortable with the service files being added to your user systemd. If you do not trust the source, do not run the installer; alternatively, run the install steps manually after inspecting the code and backing up your system/service files.
Functional analysis
Type: OpenClaw Skill
Name: gateway-config-guardian
Version: 1.6.3
The skill implements a gateway monitoring and recovery system that requires high-privilege actions, including downloading and executing scripts from a remote GitHub repository (raw.githubusercontent.com/Dios-Man/gateway-guardian/main), installing system packages via sudo, and modifying systemd user services. While these behaviors are consistent with the stated purpose of 'Gateway Guardian' (config validation, auto-rollback, and crash recovery), the combination of remote code execution and system-level persistence represents a significant attack surface and supply chain risk. No evidence of intentional malice, such as credential theft or unauthorized data exfiltration, was found in the provided logic.
Capability assessment
Purpose & Capability
The name/description (config watcher, auto-rollback, systemd recovery, notifications) match the actual actions: validating openclaw.json, keeping timestamp backups, restarting gateway, registering user systemd services, and sending messages via the openclaw CLI. Required binaries (inotifywait, nc, python3, journalctl, systemctl, openclaw) are appropriate and necessary for the stated functionality.
Instruction Scope
SKILL.md instructs the agent to back up ~/.openclaw/openclaw.json, curl scripts from the project's raw GitHub URL, write systemd user unit files and a drop-in for the gateway service, set ExecStopPost hook, and create guardian.conf that stores fallback channel/target and LOCALE. All of these actions are within the scope of installing a persistent guardian. Note: the skill reads OpenClaw sessions via `openclaw sessions --json` and journalctl logs to determine notification targets and to construct alert text — this is required for dynamic notification behavior but does access session metadata and system logs (normal for a notifier).
Install Mechanism
There is no packaged install spec; the installer downloads individual script files from https://raw.githubusercontent.com/Dios-Man/gateway-guardian/main using curl and then executes them (chmod + systemd registration). Raw GitHub content is a common release host and matches the project flow, but downloading/executing remote scripts carries the usual risk: review the fetched scripts and trust the repository before running.
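
A check that could run between Step 2 and Step 5, shown as an added example and not part of the project's scripts: it compares the four downloaded files with a pinned SHA-256 manifest. The manifest file name pinned.sha256 and the function names are assumptions, and the demo files are constructed.

```shell
#!/usr/bin/env bash
# Added example (not project code): check the skill scripts against pinned
# SHA-256 values before Step 5 (chmod +x) and Steps 6-8 (systemd registration).
# Because Step 2 skips files that already exist, this also covers files that
# were on disk before the download loop ran.

SKILL_FILES="config-lib.sh config-watcher.sh gateway-recovery.sh pre-stop.sh"

# verify_skill_files DIR MANIFEST
# MANIFEST is in sha256sum format ("<hex digest>  <file name>" per line) and is
# assumed to have been produced from a copy of the scripts you reviewed.
# Returns 0 only if every script is pinned, present and matches its digest.
verify_skill_files() {
    local dir="$1" manifest="$2" f want got rc=0
    for f in $SKILL_FILES; do
        want=$(awk -v name="$f" '$2 == name { print $1; exit }' "$manifest")
        if [ -z "$want" ]; then
            echo "UNPINNED $f" >&2; rc=1
        elif [ ! -f "$dir/$f" ]; then
            echo "MISSING  $f" >&2; rc=1
        else
            got=$(sha256sum "$dir/$f" | awk '{ print $1 }')
            [ "$got" = "$want" ] || { echo "MISMATCH $f" >&2; rc=1; }
        fi
    done
    return "$rc"
}

# Demo on constructed files: a reviewed copy produces the manifest, then one
# installed script is modified and verification must fail.
demo_verify() {
    local d f
    d=$(mktemp -d) || return 2
    for f in $SKILL_FILES; do
        printf '#!/bin/bash\n# constructed stand-in for %s\n' "$f" > "$d/$f"
    done
    ( cd "$d" && sha256sum $SKILL_FILES > pinned.sha256 )
    verify_skill_files "$d" "$d/pinned.sha256" || { rm -rf "$d"; return 1; }
    echo 'echo modified' >> "$d/pre-stop.sh"
    if verify_skill_files "$d" "$d/pinned.sha256" 2>/dev/null; then
        rm -rf "$d"; return 1
    fi
    rm -rf "$d"
    return 0
}

demo_verify && echo "verification behaves as expected"
```

Stop the installation if the function returns non-zero, so that an unverified script is never referenced by an ExecStart or ExecStopPost line.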
Credentials
The skill does not request environment variables, API keys, or unrelated credentials. It uses the OpenClaw CLI for messaging and session discovery (so it relies on the agent's existing OpenClaw auth), which is justified by the notification feature. Stored config (guardian.conf) only contains fallback channel/target, LOCALE, BOT_NAME, and optional STAFF_GROUP_CHAT_ID — no secrets.
Persistence & Privilege
The skill registers persistent user services under ~/.config/systemd/user and writes a drop-in for the openclaw-gateway.service (modifies another service's configuration), which is expected for a guardian that integrates with the gateway lifecycle. always:false and default autonomous invocation mean the service can run persistently but is not force-installed globally. Because it registers persistent services, you should review and approve these changes before installation.
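How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install gateway-config-guardian
  3. After installation, call the Skill by name or trigger it with /gateway-config-guardian
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history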
v1.6.3
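fix: bug where group notifications went to the wrong group: when a fixed group (STAFF_GROUP_CHAT_ID) is configured, group notifications go only to the fixed group and are no longer also sent to the dynamically detected active group; updated the notification policy description in SKILL.md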
v1.6.2
fix: clarify guardian.conf value resolution in SKILL.md; add inotify-tools non-sudo fallback
v1.6.1
fix: remove hardcoded bot name from SKILL.md, all prompts now use generic terms
v1.6.0
Team group notifications + BOT_NAME support: optional staff group notify on recovery, configurable bot display name, graceful no-op when unconfigured
v1.5.1
docs: remove maintenance mode residue from SKILL.md
v1.5.0
revert: remove maintenance mode — cosmetic feature with breaking risk Maintenance mode made upgrade notifications prettier but introduced a silent failure path. Old behavior was imperfect, not broken. Reverted to keep guardian simple and reliable.
v1.4.3
feat: upgrade-openclaw.sh — automatic maintenance mode during upgrades - New script wraps npm upgrade with maintenance mode on/off - trap EXIT guarantees flag cleanup even on failure - No more forgetting maintenance mode; no more race conditions - Usage: bash upgrade-openclaw.sh [version]
v1.4.2
fix: guarantee upgrade notification delivery after process restart - check_maintenance() now sends deferred upgrade notification when maintenance turns OFF and upgrade flag exists - Fixes notification lost when systemd restarts config-watcher during gateway upgrade - Upgrade now reliably sends exactly 2 notifications: 維護模式開啟 → 升級完成
v1.4.1
fix: upgrade notification now triggers via maintenance mode - No more manual flag writing before upgrades - pre-stop.sh detects maintenance mode → sets upgrade flag automatically - New workflow: touch maintenance flag → upgrade → rm flag → done - Tested live on 2026-03-15
v1.4.0
feat: maintenance mode + upgrade-aware notifications - File-based maintenance switch: touch ~/.openclaw/.guardian-maintenance to pause monitoring during upgrades/edits - Guardian sends Feishu/Telegram/Discord notification when maintenance turns on/off - New 'upgrade' restart flag type: distinguishes upgrade restarts from crash/manual restarts - Add CHANGELOG.md with full version history
v1.0.4
Upload all files to ClawHub; skip redundant curl when files already present from clawhub install
v1.0.3
Only publish SKILL.md to ClawHub; scripts fetched from GitHub at install time
v1.0.2
Rename display name to Gateway Guardian
v1.0.1
Add runtime dependency declarations to metadata (inotifywait, nc, python3, journalctl, systemctl, openclaw)
v1.0.0
First release: bilingual support (zh/en), English SKILL.md, bilingual README
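Metadata
Slug: gateway-config-guardian
Version: 1.6.3
License: MIT-0
Total installs: 1
Current installs: 0
Historical versions: 15
FAQ

What is Gateway Guardian?

Three-layer protection for the OpenClaw gateway: real-time config monitoring with auto-rollback, systemd crash recovery, and tiered notifications via Feishu/... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 487 total downloads so far.

How do I install Gateway Guardian?

Run the command "/install gateway-config-guardian" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.

Is Gateway Guardian free?

Yes, Gateway Guardian is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Gateway Guardian support?

Gateway Guardian runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Gateway Guardian?

It is developed and maintained by Dios-Man (@dios-man); the current version is v1.6.3.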
