← 返回 Skills 市场
kf-liu

qclaw-watchdog

作者 kf-liu · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
220
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install qclaw-watchdog
功能描述
QClaw Watchdog - Monitors and auto-restarts QClaw when issues are detected. Works independently of QClaw, communicates via Feishu for alerts and commands. QC...
安全使用建议
Do not install or run this skill blindly. Key points to check before proceeding: - Treat the shipped config.json as sensitive: it contains a Feishu app_id and app_secret in plaintext. Assume those credentials are valid and compromised; rotate or remove them and replace with your own credentials stored securely (do not keep secrets in repo files). - The registry lists no required env vars or OS restriction, but the code requires FEISHU_* credentials and uses macOS-specific commands (open, osascript, pkill, pgrep). Only run on a controlled macOS host and only if you accept that the watchdog will be able to start/stop QClaw. - The SKILL.md references update.sh/publish.sh which are missing — ask the author for the missing files and verify the update mechanism before enabling automatic updates. - The package does not include dependency installation (no package.json shown). The code requires '@larksuiteoapi/node-sdk' — verify how that dependency will be provided (npm install or existing QClaw-provided node_modules). The start.sh attempts to point NODE_PATH into /Applications/QClaw.app — this is unusual and fragile. - Review the code paths that run shell commands (pgrep, open, pkill, osascript, child_process.exec) and ensure you run the watchdog with least privilege and that logs and command files are stored where you expect. - If you decide to test it, run in an isolated environment (non-production machine or VM), replace credentials with test values, and audit network traffic and the Feishu app to ensure no unexpected behavior. If you cannot verify the origin and author of this package, prefer not to run it with real credentials or on a production host.
功能分析
Type: OpenClaw Skill Name: qclaw-watchdog Version: 1.0.0 The bundle provides a remote monitoring and control service for a macOS application via the Feishu (Lark) platform. It is classified as suspicious primarily due to the inclusion of hardcoded Feishu API credentials (app_id: cli_a9333bca0c78dceb) and a specific controller User ID (ou_2be571a62a2decc279990e6096775556) in `config.json`, which grants the credential owner remote control over the host. The `watchdog.js` script implements a WebSocket listener that executes shell commands (`pkill`, `osascript`, `open`) based on remote messages, and `SKILL.md` provides instructions for establishing persistence via macOS LaunchAgents. While the commands are currently limited to a specific application, the pre-configured remote access and the mention of an external 'auto-update' feature pose a significant security risk.
能力评估
Purpose & Capability
The code implements a monitor that polls a local QClaw health URL, uses system commands to detect and restart QClaw, and communicates via Feishu — which aligns with the stated watchdog purpose. However, the skill manifests no declared required env vars or OS restriction while the code is clearly macOS/Unix-specific (uses open, osascript, pkill, pgrep) and expects Feishu credentials (either in config.json or environment). That mismatch between metadata and implementation is concerning.
Instruction Scope
SKILL.md instructs running init-config.sh and start.sh (expected) and references update.sh and publish.sh for updates/publishing, but those scripts are not present in the distributed file list. SKILL.md also suggests creating a LaunchAgents plist for macOS autostart. The runtime instructions expect editing/creating configuration containing Feishu credentials and potentially setting env vars (FEISHU_APP_ID/SECRET/USER_ID), but the package metadata declared no required env variables — an inconsistency. The instructions also instruct adding a NODE_PATH that points into a QClaw app installation, which assumes a specific host setup not documented in registry metadata.
Install Mechanism
There is no external installer or remote download — this is instruction-only with bundled scripts and code. That reduces supply-chain download risk. However, the package does not include dependency installation guidance (no npm install step or package.json provided), yet it requires the '@larksuiteoapi/node-sdk' module; start.sh relies on a NODE_PATH pointing into another app to satisfy dependencies, which is brittle and unusual.
Credentials
The repo ships a config.json containing Feishu app_id, app_secret, and a user_id (plaintext). The code also reads FEISHU_* env vars if set. The registry metadata declared no required credentials, but the skill clearly needs Feishu credentials to function; embedding what appear to be real credentials in the repo is a major red flag — either these are leaked/placeholder sensitive values or the package will operate using those credentials if left unchanged. Requesting QClaw control via local system commands is proportionate for a watchdog, but the undisclosed credential requirement and included secret are disproportionate and risky.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It suggests user actions to enable autostart (launchctl plist), which is a normal instruction for a watchdog service. It runs system commands to manage another application (open, osascript, pkill), which is expected for a restart-capable monitor but grants it the ability to control local processes — an expected but high-impact capability. Combine this with the embedded Feishu credentials and autonomous invocation could increase blast radius; be cautious.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install qclaw-watchdog
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /qclaw-watchdog 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of qclaw-watchdog: - Monitors and auto-restarts QClaw when issues are detected. - Sends status alerts and receives commands via Feishu. - Runs independently from QClaw, with status checks, automatic restarts, and remote control. - Supports configurable settings, separated config files, and environment variable overrides. - Includes one-click update, easy installation scripts, and GitHub publishing tools.
元数据
Slug qclaw-watchdog
版本 1.0.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

qclaw-watchdog 是什么?

QClaw Watchdog - Monitors and auto-restarts QClaw when issues are detected. Works independently of QClaw, communicates via Feishu for alerts and commands. QC... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 220 次。

如何安装 qclaw-watchdog?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install qclaw-watchdog」即可一键安装,无需额外配置。

qclaw-watchdog 是免费的吗?

是的,qclaw-watchdog 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

qclaw-watchdog 支持哪些平台?

qclaw-watchdog 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 qclaw-watchdog?

由 kf-liu(@kf-liu)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论