openclaw-mobile-gateway-installer Security Report — Low Risk | ClawSafe

25 /100

openclaw-mobile-gateway-installer

Installs and manages OpenClaw mobile gateway as a systemd service. Provides a mobile-friendly HTTP API for managing models, channels, agents, skills, routing, healing policies, and chat sessions.

A legitimate gateway installer that performs standard deployment operations (systemd service management, npm install, Express HTTP server) but fails to declare its shell and filesystem WRITE capabilities in SKILL.md, creating a doc-to-code mismatch. The pre-scan's critical IOC flag on uninstall.sh line 11 is a false positive — the actual command is `sudo rm -rf "${INSTALL_DIR}"` with INSTALL_DIR defaulted to a scoped path, not a root-destroying `rm -rf /`.

Skill Nameopenclaw-mobile-gateway-installer

Duration92.6s

Enginepi

✓

Safe to install

Add explicit capability declarations to SKILL.md: declare shell:WRITE for systemctl/journalctl/openclaw CLI invocations, filesystem:WRITE for service/unit file creation, and network:READ for health probing. Consider narrowing the uninstall script's rm -rf scope to individual subdirectories instead of the top-level install directory to prevent accidental data loss.

Findings 7 items

Severity	Finding	Location
Medium	Shell execution capability not declared in SKILL.md Doc Mismatch SKILL.md provides zero capability declarations. The skill executes shell commands via execFileSync (systemctl start/stop/restart, journalctl, openclaw CLI) and install.sh calls systemctl/npm directly, but filesystem:WRITE and shell:WRITE are not listed in SKILL.md. A user reviewing the documentation would have no indication of the elevated permissions required. `execFileSync('systemctl', [...]) in execSystemctl/getGatewayServiceStatus/controlGatewayService; execFileSync('journalctl', [...]) in getGatewayLogs; execFileSync('openclaw', [...]) in applyQuickAction/getTokenStats` → Add to SKILL.md: '## Required Capabilities: shell:WRITE (for systemd service management via systemctl/journalctl), filesystem:WRITE (for service file installation), environment:READ (for OPENCLAW_* env vars)'	`services.ts:1`
Medium	Network access not declared in SKILL.md Doc Mismatch The skill probes external OpenClaw targets via HTTP fetch() and has pre-configured target domains (alpha.openclaw.local, beta.openclaw.local, prod.openclaw.local, openclaws.gdcp.edu.cn) in store.ts. While network:READ is a reasonable inference, it is not explicitly declared. `apiBaseUrl: 'https://alpha.openclaw.local/api' at store.ts:12 and 'https://openclaws.gdcp.edu.cn' at store.ts:36` → Add network:READ declaration in SKILL.md listing the expected external endpoints	`store.ts:12`
Medium	Install script writes to system directories without declaration Priv Escalation install.sh uses sudo to write systemd unit files to /etc/systemd/system/ and env files to /etc/openclaw-mobile-gateway. These filesystem:WRITE operations to privileged system directories are not declared in SKILL.md. The install script also runs npm install which executes arbitrary third-party install scripts. `sudo tee /etc/systemd/system/${SERVICE_NAME}.service >/dev/null <<EOF [...]` → Document that the install script requires sudo privileges and writes to /etc/systemd and /etc/openclaw-mobile-gateway	`install.sh:40`
Medium	Sensitive configuration file access without declaration Sensitive Access services.ts reads the user's OpenClaw config file (default: ~/.openclaw/openclaw.json) which may contain provider API keys, channel credentials (e.g., Feishu appId/appSecret), and agent configurations. This sensitive data is merged into the gateway's runtime state. SKILL.md does not mention reading from the user's .openclaw configuration directory. `const homeDir = process.env.HOME ?? process.env.USERPROFILE ?? os.homedir(); return path.join(homeDir, '.openclaw', 'openclaw.json')` → Document that the skill reads and merges configuration from ~/.openclaw/openclaw.json. Clarify that API keys from provider configs are loaded for model routing but are not exfiltrated.	`services.ts:19`
Low	Installs a systemd service for persistence Persistence install.sh registers openclaw-mobile-gateway as a systemd service with Restart=always, creating a persistent background service. This is appropriate for a gateway but represents persistence behavior that is not declared. `Restart=always RestartSec=3` → Declare in SKILL.md that the skill installs a systemd service for persistence as part of its installation lifecycle	`install.sh:62`
Low	npm install without lockfile enforcement Supply Chain install.sh runs 'npm install --omit=optional' in the target directory, installing dependencies from package.json without checking for a package-lock.json. While dependencies are pinned with caret ranges (^2.8.5, ^4.19.2, ^3.23.8), the lack of lockfile enforcement means different versions could be installed across runs. `npm install --omit=optional` → Add package-lock.json to the backend/ directory or pin exact versions in package.json to ensure reproducible builds	`install.sh:35`
Low	Uninstall script rm -rf scoped but lacks per-file safety Doc Mismatch uninstall.sh uses 'sudo rm -rf "${INSTALL_DIR}"' to remove the entire install tree. While this is correctly scoped to /opt/openclaw-mobile-gateway (not /), a more defensive approach would iterate through and delete individual files/directories rather than the top-level tree, preventing accidental complete removal of data stored under the install path. `sudo rm -rf "${INSTALL_DIR}"` → Replace the blanket rm -rf with targeted removals: rm -rf "${INSTALL_DIR}/apps", "${INSTALL_DIR}/data", etc., to prevent unintended data loss if INSTALL_DIR is ever misconfigured	`uninstall.sh:11`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✗ Violation	services.ts:execFileSync systemctl/journalctl; install.sh:systemctl/nm; check.sh…
Filesystem	`NONE`	`WRITE`	✗ Violation	install.sh:mkdir/tee to /etc/systemd and /etc/openclaw-mobile-gateway
Network	`READ`	`READ`	✓ Aligned	services.ts:fetch() probing OpenClaw targets; read-only probing documented
Environment	`NONE`	`READ`	✗ Violation	services.ts:process.env.OPENCLAW_* reads; install.sh env propagation
Skill Invoke	`NONE`	`NONE`	—	No skill_invoke detected
Clipboard	`NONE`	`NONE`	—	No clipboard access detected
Browser	`NONE`	`NONE`	—	No browser access detected
Database	`NONE`	`NONE`	—	No database access detected

1 Critical 8 findings

💀

Critical Dangerous Command 危险 Shell 命令

rm -rf /

uninstall.sh:11

🔗

Medium External URL 外部 URL

https://openclaw.example.com

README.md:15

🔗

Medium External URL 外部 URL

https://openclaws.example.com

SKILL.md:29

🔗

Medium External URL 外部 URL

http://127.0.0.1:4800/health

SKILL.md:47

🔗

Medium External URL 外部 URL

https://alpha.openclaw.local/api

backend/src/store.ts:12

🔗

Medium External URL 外部 URL

https://beta.openclaw.local/api

backend/src/store.ts:20

🔗

Medium External URL 外部 URL

https://prod.openclaw.local/api

backend/src/store.ts:28

🔗

Medium External URL 外部 URL

https://openclaws.gdcp.edu.cn

backend/src/store.ts:36

File Tree

14 files · 93.4 KB · 3230 lines

TypeScript 7f · 2954L Shell 3f · 131L Markdown 2f · 95L JSON 2f · 50L

├─ ▾ 📁 backend

│ ├─ ▾ 📁 src

│ │ ├─ 📜 app.ts TypeScript 576L · 15.6 KB

│ │ ├─ 📜 index.ts TypeScript 8L · 209 B

│ │ ├─ 📜 schemas.ts TypeScript 252L · 6.6 KB

│ │ ├─ 📜 services.ts TypeScript 1643L · 53.1 KB

│ │ ├─ 📜 store.ts TypeScript 231L · 6.2 KB

│ │ ├─ 📜 types.ts TypeScript 240L · 4.4 KB

│ │ └─ 📜 utils.ts TypeScript 4L · 156 B

│ ├─ 📋 package.json JSON 29L · 670 B

│ └─ 📋 tsconfig.json JSON 21L · 368 B

├─ 🔧 check.sh Shell 29L · 735 B

├─ 🔧 install.sh Shell 88L · 2.8 KB

├─ 📝 README.md Markdown 43L · 882 B

├─ 📝 SKILL.md Markdown 52L · 1.3 KB

└─ 🔧 uninstall.sh Shell 14L · 450 B

Dependencies 4 items

Package	Version	Source	Known Vulns	Notes
`express`	`^4.19.2`	npm	No	Caret range; last stable minor version
`cors`	`^2.8.5`	npm	No	Well-maintained middleware
`zod`	`^3.23.8`	npm	No	Schema validation library; pinned
`tsx`	`^4.16.2`	npm	No	devDependency only; unpinned major version

Security Positives

✓ No credential harvesting or exfiltration detected — API keys from config are loaded for model routing only and remain local

✓ No obfuscation or base64-encoded payloads found in the codebase

✓ No reverse shell, C2 communication, or data theft patterns observed

✓ All shell executions (systemctl, journalctl, openclaw CLI) are for legitimate deployment and service management

✓ Input validation via Zod schemas prevents injection attacks on all HTTP API endpoints

✓ Token generation uses crypto.randomBytes for secure random token values

✓ Dependency versions are reasonably pinned (express ^4.19.2, zod ^3.23.8, cors ^2.8.5)

✓ No curl|bash or wget|sh remote script execution patterns

✓ uninstall.sh does NOT contain 'rm -rf /' — the pre-scan IOC was a false positive; actual command is scoped to ${INSTALL_DIR}

✓ The skill's actual functionality matches its described purpose as a gateway installer

Scan Report

Findings 7 items

File Tree

Dependencies 4 items

Security Positives