什么是 网关卫士？

网关卫士是一个专门的技术工具，旨在保持 OpenClaw 网关与其配置文件之间的完美同步。它充当哨兵，坚控认证不匹配（如常见的 device_token_mismatch 错误）并自动解决这些问题，以确保 Agent 操作不间断。作为 Openclaw Skills 生态系统的一部分，它为可靠的多 Agent 委派和稳定的长期运行任务提供了必要的基础架构。

除了简单的认证管理外，该技能还包含一个主动观察器，用于坚控系统日志中的特定故障状态。当检测到“未处理的停止原因”时，网关卫士可以自动向 Agent 发送继续消息，从而显著减少人工干预和停机时间。对于需要为其 AI Agent 提供自修复环境的开发者来说，这是一个至关重要的组件。

下载入口:https://github.com/openclaw/skills/tree/main/skills/runeweaverstudios/gateway-guard

安装与下载

1. ClawHub CLI

从源直接安装技能的最快方式。

2. 手动安装

将技能文件夹复制到以下位置之一

优先级：工作区 > 本地 > 内置

3. 提示词安装

将此提示词复制到 OpenClaw 即可自动安装。

网关卫士 应用场景

• 实时修复网关认证问题或未经授权的访问错误。
• 当网关日志中出现“未处理的停止原因：错误”时，自动执行继续命令。
• 在启动子 Agent 或委派任务之前同步网关令牌和密码。
• 在启动 OpenClaw TUI 或 CLI 工具之前，确保网关处于活动状态并已正确配置。

1. 该技能解析本地 openclaw.json 文件，提取所需的 gateway.auth 模式和端口设置。
2. 它通过比较在端口上的活动网关进程与预期配置来执行状态检查。
3. 如果检测到不匹配，ensure 命令可以自动使用正确的凭据重启网关，并将缺失的令牌写入配置。
4. 后台观察器跟踪 gateway.log 文件，寻找特定的错误签名，如“未处理的停止原因：错误”。
5. 检测到错误后，该技能会触发自动 Agent 消息投递，在短冷却时间后恢复会话。
6. 可选的 LaunchAgent 集成允许每 30 秒进行一次持久、定期的坚控和自动恢复。

网关卫士 配置指南

首先，在不进行更改的情况下验证当前的网关状态：

python3 scripts/gateway_guard.py status --json

要应用配置修复并在必要时重启网关，请使用 apply 标志：

python3 scripts/gateway_guard.py ensure --apply --wait

要在 macOS 上安装用于持久错误恢复的后台观察器：

bash scripts/install_watcher.sh

网关卫士 数据架构与分类体系

name: gateway-guard
displayName: Gateway Guard
description: Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents.

Gateway Guard

Description

Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents.

Ensures OpenClaw gateway auth consistency and can auto-prompt "continue" when a run error (Unhandled stop reason: error) appears in gateway logs. Use when checking or fixing gateway token/password mismatch, device_token_mismatch errors, or before delegating to sub-agents.

Gateway Guard

Keeps OpenClaw gateway authentication in sync with openclaw.json. Use when the user or agent sees gateway auth issues, device_token_mismatch, or needs to ensure the gateway is running with the correct token/password before spawning sub-agents.

Metadata: This skill uses always: false in _meta.json. It is not forced into every agent run; the orchestrator invokes it when needed (e.g. before delegating to sub-agents). Optional persistence (LaunchAgent) is installed only when you run the install scripts; see "Before installing" below.

Before installing

• Backup openclaw.json — The script may add or correct gateway.auth (token/password) when missing or wrong. Make a copy before running ensure --apply.
• Test read-only first — Run python3 scripts/gateway_guard.py status --json and python3 scripts/gateway_guard.py ensure --json (without --apply) to see what it would do before allowing restarts or config writes.
• Understand continue delivery — The watcher can run openclaw agent --message continue --deliver when a run error appears in gateway.log. Confirm that automatically sending that message is acceptable in your environment.
• LaunchAgent is optional — Persistence (watcher every 30s) is installed only if you run install_watcher.sh. The installer copies the plist from the skill directory into ~/Library/LaunchAgents and runs launchctl load; only run it if you accept that. The plist is included in this package: scripts/com.openclaw.gateway-guard.watcher.plist (and scripts/com.openclaw.gateway-guard.continue-on-error.plist). Ensure OPENCLAW_HOME and OPENCLAW_BIN resolve to your intended paths before installing the watcher.
• Try in a non-production environment first if you are unsure.

Package contents (file manifest)

Included in this skill so installers do not error:

• scripts/gateway_guard.py — Main script (status, ensure, continue-on-error, watch).
• scripts/install_watcher.sh — Installs the single combined LaunchAgent (token sync + continue-on-error).
• scripts/install_continue_on_error.sh — Redirects to install_watcher.sh.
• scripts/com.openclaw.gateway-guard.watcher.plist — LaunchAgent plist template (install_watcher.sh copies and substitutes paths).
• scripts/com.openclaw.gateway-guard.continue-on-error.plist — Legacy plist (optional; install_watcher.sh replaces with the combined watcher).

Usage

• User or logs report "Gateway auth issue", "device_token_mismatch", or "unauthorized"
• Before running the router and sessions_spawn (orchestrator flow): check gateway status first
• After installing or updating OpenClaw: verify gateway and config match
• When the TUI disconnects or won't connect: fix auth and restart gateway
• Run error (Unhandled stop reason: error): run continue-on-error --loop (e.g. via LaunchAgent or cron) so the guard auto-sends "continue" to the agent when this appears in gateway.log

python3 /scripts/gateway_guard.py status [--json]
python3 /scripts/gateway_guard.py ensure [--apply] [--wait] [--json]
python3 /scripts/ensure_gateway_then.sh [command ...]
python3 /scripts/gateway_guard.py continue-on-error [--once] [--loop] [--interval 30] [--json]

• status — Report whether the running gateway's auth matches openclaw.json. Exit 0 if ok, 1 if mismatch.
• ensure — Same check; if mismatch and --apply, restart the gateway with credentials from config. Writes gateway.auth to openclaw.json only when it is missing or wrong (never overwrites correct config). Use --wait after --apply to block until the gateway port is open (up to 30s), so clients can connect immediately after.
• ensure_gateway_then.sh — Detect and connect automatically: ensures the gateway is running (starts it if needed, waits for port), then runs your command. Example: ensure_gateway_then.sh openclaw tui or ensure_gateway_then.sh (just ensure and wait).
• continue-on-error — When gateway.log contains Unhandled stop reason: error (run error), send continue to the agent via openclaw agent --message continue --deliver. Use --once to check once and exit, or --loop to run every --interval seconds. Cooldown 90s between triggers. State: logs/gateway-guard.continue-state.json.
• watch — Single combined daemon (one LaunchAgent). Each run: (0) token sync — ensure --apply so gateway auth matches config (prevents device_token_mismatch); (1) gateway back → what-just-happened summary; (2) continue-on-error check. Install one daemon: bash /scripts/install_watcher.sh (or install_continue_on_error.sh). This unloads the old separate what-just-happened and continue-on-error LaunchAgents and loads com.openclaw.gateway-guard.watcher so users only need one. For periodic gateway recovery (check every 10s, restart if not ok), use the separate gateway-watchdog skill.

Behavior

• Reads openclaw.json → gateway.auth (token or password) and gateway.port.
• Compares with the process listening on that port (and optional guard state file).
• If ensure --apply: restarts gateway via openclaw gateway stop then openclaw gateway --port N --auth token|password --token|--password SECRET.
• If token is missing in config (token mode only): generates a token, writes it to config once, then proceeds. Does not overwrite config when it is already correct.
• continue-on-error: Tails OPENCLAW_HOME/logs/gateway.log for the string Unhandled stop reason: error. When found (and not in cooldown), runs openclaw agent --message continue --deliver so the agent receives "continue" and can resume. Run install_continue_on_error.sh to install a LaunchAgent that checks every 30s. If the error appears in the TUI but the watcher never triggers, the gateway may not be writing run errors to gateway.log — ensure run/stream errors are logged there.

JSON output (for orchestration)

• status --json / ensure --json: ok, secretMatchesConfig, running, pid, reason, recommendedAction, configPath, authMode, gatewayPort. When not ok, recommendedAction is "run gateway_guard.py ensure --apply and restart client session".

Requirements

• OpenClaw openclaw.json with gateway.auth (mode token or password) and gateway.port.
• CLI / system: openclaw CLI on PATH (for ensure --apply and continue-on-error); lsof and ps (macOS/Unix); launchctl on macOS when using the LaunchAgent install scripts.
• Environment (optional): OPENCLAW_HOME — OpenClaw home directory (default: ~/.openclaw). OPENCLAW_BIN — Path or name of openclaw binary (default: openclaw).

Privileged actions (what you accept)

This skill may: read and modify openclaw.json (including writing gateway.auth when missing or wrong); write state and log files under OPENCLAW_HOME/logs/; restart the gateway via the OpenClaw CLI; and, if the watcher is installed, invoke openclaw agent --message continue --deliver automatically when a run error is detected. These are privileged local actions; run only if you accept them.