# Send Gateway Guard to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "gateway-guard", "name": "Gateway Guard", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/RuneweaverStudios/gateway-guard", "canonicalUrl": "https://clawhub.ai/RuneweaverStudios/gateway-guard", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/gateway-guard", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=gateway-guard", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "README.md", "SKILL.md", "_meta.json", "scripts/ensure_gateway_then.sh", "scripts/gateway_guard.py", "scripts/install_continue_on_error.sh" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "gateway-guard", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-29T07:13:37.275Z", "expiresAt": "2026-05-06T07:13:37.275Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=gateway-guard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=gateway-guard", "contentDisposition": "attachment; filename=\"gateway-guard-1.0.7.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "gateway-guard" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/gateway-guard" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/gateway-guard", "downloadUrl": "https://openagent3.xyz/downloads/gateway-guard", "agentUrl": "https://openagent3.xyz/skills/gateway-guard/agent", "manifestUrl": "https://openagent3.xyz/skills/gateway-guard/agent.json", "briefUrl": "https://openagent3.xyz/skills/gateway-guard/agent.md" } } ``` ## Documentation ### Description Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents. Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents. ### Gateway Guard Keeps OpenClaw gateway authentication in sync with openclaw.json. Use when the user or agent sees gateway auth issues, device_token_mismatch, or needs to ensure the gateway is running with the correct token/password before spawning sub-agents. Metadata: This skill uses always: false in _meta.json. It is not forced into every agent run; the orchestrator invokes it when needed (e.g. before delegating to sub-agents). Optional persistence (LaunchAgent) is installed only when you run the install scripts; see "Before installing" below. ### Before installing Backup openclaw.json — The script may add or correct gateway.auth (token/password) when missing or wrong. Make a copy before running ensure --apply. Test read-only first — Run python3 scripts/gateway_guard.py status --json and python3 scripts/gateway_guard.py ensure --json (without --apply) to see what it would do before allowing restarts or config writes. Understand continue delivery — The watcher can run openclaw agent --message continue --deliver when a run error appears in gateway.log. Confirm that automatically sending that message is acceptable in your environment. LaunchAgent is optional — Persistence (watcher every 30s) is installed only if you run install_watcher.sh. The installer copies the plist from the skill directory into ~/Library/LaunchAgents and runs launchctl load; only run it if you accept that. The plist is included in this package: scripts/com.openclaw.gateway-guard.watcher.plist (and scripts/com.openclaw.gateway-guard.continue-on-error.plist). Ensure OPENCLAW_HOME and OPENCLAW_BIN resolve to your intended paths before installing the watcher. Try in a non-production environment first if you are unsure. ### Package contents (file manifest) Included in this skill so installers do not error: scripts/gateway_guard.py — Main script (status, ensure, continue-on-error, watch). scripts/install_watcher.sh — Installs the single combined LaunchAgent (token sync + continue-on-error). scripts/install_continue_on_error.sh — Redirects to install_watcher.sh. scripts/com.openclaw.gateway-guard.watcher.plist — LaunchAgent plist template (install_watcher.sh copies and substitutes paths). scripts/com.openclaw.gateway-guard.continue-on-error.plist — Legacy plist (optional; install_watcher.sh replaces with the combined watcher). ### Usage User or logs report "Gateway auth issue", "device_token_mismatch", or "unauthorized" Before running the router and sessions_spawn (orchestrator flow): check gateway status first After installing or updating OpenClaw: verify gateway and config match When the TUI disconnects or won't connect: fix auth and restart gateway Run error (Unhandled stop reason: error): run continue-on-error --loop (e.g. via LaunchAgent or cron) so the guard auto-sends "continue" to the agent when this appears in gateway.log python3 /scripts/gateway_guard.py status [--json] python3 /scripts/gateway_guard.py ensure [--apply] [--wait] [--json] python3 /scripts/ensure_gateway_then.sh [command ...] python3 /scripts/gateway_guard.py continue-on-error [--once] [--loop] [--interval 30] [--json] status — Report whether the running gateway's auth matches openclaw.json. Exit 0 if ok, 1 if mismatch. ensure — Same check; if mismatch and --apply, restart the gateway with credentials from config. Writes gateway.auth to openclaw.json only when it is missing or wrong (never overwrites correct config). Use --wait after --apply to block until the gateway port is open (up to 30s), so clients can connect immediately after. ensure_gateway_then.sh — Detect and connect automatically: ensures the gateway is running (starts it if needed, waits for port), then runs your command. Example: ensure_gateway_then.sh openclaw tui or ensure_gateway_then.sh (just ensure and wait). continue-on-error — When gateway.log contains Unhandled stop reason: error (run error), send continue to the agent via openclaw agent --message continue --deliver. Use --once to check once and exit, or --loop to run every --interval seconds. Cooldown 90s between triggers. State: logs/gateway-guard.continue-state.json. watch — Single combined daemon (one LaunchAgent). Each run: (0) token sync — ensure --apply so gateway auth matches config (prevents device_token_mismatch); (1) gateway back → what-just-happened summary; (2) continue-on-error check. Install one daemon: bash /scripts/install_watcher.sh (or install_continue_on_error.sh). This unloads the old separate what-just-happened and continue-on-error LaunchAgents and loads com.openclaw.gateway-guard.watcher so users only need one. For periodic gateway recovery (check every 10s, restart if not ok), use the separate gateway-watchdog skill. ### Behavior Reads openclaw.json → gateway.auth (token or password) and gateway.port. Compares with the process listening on that port (and optional guard state file). If ensure --apply: restarts gateway via openclaw gateway stop then openclaw gateway --port N --auth token|password --token|--password SECRET. If token is missing in config (token mode only): generates a token, writes it to config once, then proceeds. Does not overwrite config when it is already correct. continue-on-error: Tails OPENCLAW_HOME/logs/gateway.log for the string Unhandled stop reason: error. When found (and not in cooldown), runs openclaw agent --message continue --deliver so the agent receives "continue" and can resume. Run install_continue_on_error.sh to install a LaunchAgent that checks every 30s. If the error appears in the TUI but the watcher never triggers, the gateway may not be writing run errors to gateway.log — ensure run/stream errors are logged there. ### JSON output (for orchestration) status --json / ensure --json: ok, secretMatchesConfig, running, pid, reason, recommendedAction, configPath, authMode, gatewayPort. When not ok, recommendedAction is "run gateway_guard.py ensure --apply and restart client session". ### Requirements OpenClaw openclaw.json with gateway.auth (mode token or password) and gateway.port. CLI / system: openclaw CLI on PATH (for ensure --apply and continue-on-error); lsof and ps (macOS/Unix); launchctl on macOS when using the LaunchAgent install scripts. Environment (optional): OPENCLAW_HOME — OpenClaw home directory (default: ~/.openclaw). OPENCLAW_BIN — Path or name of openclaw binary (default: openclaw). ### Privileged actions (what you accept) This skill may: read and modify openclaw.json (including writing gateway.auth when missing or wrong); write state and log files under OPENCLAW_HOME/logs/; restart the gateway via the OpenClaw CLI; and, if the watcher is installed, invoke openclaw agent --message continue --deliver automatically when a run error is detected. These are privileged local actions; run only if you accept them. ## Trust - Source: tencent - Verification: Indexed source record - Publisher: RuneweaverStudios - Version: 1.0.7 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-04-29T07:13:37.275Z - Expires at: 2026-05-06T07:13:37.275Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/gateway-guard) - [Send to Agent page](https://openagent3.xyz/skills/gateway-guard/agent) - [JSON manifest](https://openagent3.xyz/skills/gateway-guard/agent.json) - [Markdown brief](https://openagent3.xyz/skills/gateway-guard/agent.md) - [Download page](https://openagent3.xyz/downloads/gateway-guard)