Openclaw Iflow Doctor

AI-powered auto-repair system for OpenClaw with iflow integration. Automatically diagnose and fix crashes, config errors, model issues. Falls back to iflow-h...

Key things to check before installing or enabling auto-heal: 1) Review high-risk source files locally (openclaw_memory.py, watchdog.py, install-systemd.sh, install.py, and any code that composes/executes shell commands). Search for network calls (requests, urllib, sockets), hard-coded endpoints (iflow.cn or other URLs), and any use of subprocess/exec that constructs shell strings from user data. 2) Confirm what is sent externally: find functions that call iflow or POST logs/reports. Ensure uploads are to legitimate endpoints and inspect exactly what fields are transmitted (do not send API keys or full config files unless necessary). 3) Audit BAT/script generation: generated .bat/.sh files are executable payloads. Inspect the templates to ensure they contain only the repair steps you expect and do not exfiltrate data or run arbitrary remote code. Prefer manual review before executing generated repair scripts. 4) Avoid installing as root until reviewed: systemd/task-scheduler installation requires elevated privileges; run the skill first in a safe, non-production environment or inside a VM/container to observe behavior. 5) Protect credentials: if you enable iflow integration, use a dedicated least-privilege IFLOW_API_KEY and avoid reusing high-privilege keys. Prefer temporary/limited keys and do not store long-lived secrets in global shell profiles unless you understand the implications. 6) Test auto-heal in conservative mode: disable fully automatic destructive actions (set auto_heal=false) and run diagnosic/check commands manually to confirm suggested fixes before allowing the skill to autonomously run pkill, reinstall, chown, or other high-impact operations. 7) If you lack the ability to audit the omitted large files thoroughly (openclaw_memory.py, watchdog.py), treat this package as higher risk. Consider requesting the author publish the repository for review or provide a minimal-scope variant that only performs read-only diagnostics. If you want, I can help by listing specific grep patterns to search for (e.g., "requests.post", "subprocess.run", "open\(", "IFLOW_API_KEY", "http://", "https://", "pkill", "chown", "chmod", "cp ") and explain what to look for in each hit.

Type: OpenClaw Skill Name: openclaw-iflow-doctor Version: 1.1.0 The skill is classified as suspicious due to a critical prompt injection vulnerability identified in `SKILL.md` and `integration_plan.md`. The `on_error` trigger explicitly passes `context: "{{error_description}}"` to the `iflow-helper` skill, allowing an attacker to inject arbitrary instructions or commands if they can control the `error_description` input. Additionally, the `openclaw_memory.py` script generates executable `.bat` or `.sh` files with powerful system commands (e.g., `taskkill`, `chmod`, `npm install`) on the user's desktop, and the `watchdog.py` runs as a persistent daemon with high privileges, calling `openclaw_memory.py` with user-controlled `error_msg` and `error_logs` as arguments. While these capabilities are intended for system repair, the prompt injection vulnerability and the broad system access without clear input sanitization create significant risk for arbitrary code execution or unauthorized system modifications, even if no direct malicious intent (like data exfiltration to an attacker-controlled domain) is explicitly observed.