Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Spawner

v0.1.0

Spawn a new OpenClaw agent through conversation. Uses official Docker setup and non-interactive onboarding, carries over API keys, tools, plugins, and skills...

1 · 940 · 3 current · 3 all-time

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (spawn a new OpenClaw agent and carry over keys/plugins/skills) align with the actions described in SKILL.md: reading the current OpenClaw config and environment, cloning the repo, and bootstrapping a new agent. Carrying over provider, model, tools, plugins and skills is coherent with the stated purpose. However, carrying secrets (API keys, gateway token) is a sensitive operation and should be made explicit to the user rather than done 'silent'.
[!] Instruction Scope
The instructions explicitly tell the agent to run commands that read local config and secrets (cat ~/.openclaw/openclaw.json, cat ~/.openclaw/.env, env | grep -iE 'API_KEY|TOKEN', ls <workspace>/skills/), then copy keys and tokens into the new agent without asking about keys ('Don't ask about keys... Carry everything over'). Step 1 is labeled 'silent', which means secrets may be accessed without user-visible consent. The skill also instructs extracting the gateway token from the new agent's config and reporting it to the user. This broad, silent access to environment variables and files is out-of-band for typical conversational skills and expands the attack surface.
[!] Install Mechanism
The skill is instruction-only (no install spec), which limits static risk, but the runtime instructions include execution of remote-install commands: git clone https://github.com/openclaw/openclaw.git and curl -fsSL https://openclaw.ai/install.sh | bash. curl|bash is high-risk unless the URL and script provenance are verified; the skill provides no homepage or verifiable owner information. Using these commands (and later npm plugin installs) will fetch and execute remote code during deployment.
[!] Credentials
Although copying provider API keys and tool/plugin keys is relevant to migrating an agent, the skill requests no declared environment variables but instructs the agent to scan all environment variables for any API_KEY/TOKEN values and to read config files that may contain secrets. This implicit, broad secret collection (including grepping the entire environment) is disproportionate without explicit, granular user consent or restriction to only the minimal keys required for the new agent.
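
One way to provide the explicit, granular consent this finding asks for, as an added example that is not part of the skill or of ClawHub: list candidate secrets by name only, then prompt once per key. The function names `secret_inventory` and `approve_keys` and the fd-3 answer channel are assumptions of this example.

```sh
# Added example: names-only inventory of candidate secrets, then per-key consent.
# Function names and the fd-3 answer channel are assumptions of this example.
PATTERN='API_KEY|TOKEN'     # the pattern the skill greps for, applied to names only
TAB=$(printf '\t')

# secret_inventory [DOTENV_FILE] -> "source<TAB>NAME<TAB>length"; values never printed.
secret_inventory() (
  # Environment: keep well-formed NAME= lines and discard everything after the name.
  for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
    printf '%s\n' "$name" | grep -qiE "$PATTERN" || continue
    eval "value=\${$name-}"   # safe: $name already matched an identifier regex
    printf 'env\t%s\t%s\n' "$name" "${#value}"
  done
  # Dotenv file: KEY=VALUE lines; blanks and comments are skipped.
  [ -n "${1:-}" ] && [ -r "$1" ] || exit 0
  while IFS='=' read -r name value; do
    name=${name#export }
    case $name in ''|\#*) continue ;; esac
    printf '%s\n' "$name" | grep -qiE "$PATTERN" || continue
    printf 'file\t%s\t%s\n' "$name" "${#value}"
  done < "$1"
)

# approve_keys: inventory on stdin, one answer per key on fd 3.
# Prints only approved names; anything other than "y" is a refusal.
approve_keys() (
  while IFS=$TAB read -r src name len; do
    printf 'Copy %s (%s, %s chars)? [y/N] ' "$name" "$src" "$len" >&2
    IFS= read -r answer <&3 || answer=n
    [ "$answer" = y ] && printf '%s\n' "$name"
  done
  exit 0
)

# Non-interactive demo on a constructed dotenv file (values are placeholders).
demo=$(mktemp)
printf 'BRAVE_TOKEN=constructed\nEDITOR=vi\n' > "$demo"
secret_inventory "$demo"
rm -f "$demo"
# Interactive use: secret_inventory ~/.openclaw/.env | approve_keys 3</dev/tty
```

Unlike `env | grep -iE 'API_KEY|TOKEN'`, which matches and prints whole `NAME=value` lines, the inventory matches on variable names only and reports a length in place of the value.
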
[!] Persistence & Privilege
The skill does not request 'always: true' and is not persistent itself, but its workflow instructs duplicating secrets, plugins, and skills into a newly created agent. Duplicating credentials and installing plugins increases the blast radius and creates a persistent agent instance that holds the same privileges as the original. The SKILL.md also suggests installing npm plugins and running containerized services, which can introduce ongoing privileges on the host and network.
What to consider before installing
This skill will, by design, read your OpenClaw config and environment and copy API keys, tokens, plugins, and skills into a new agent — and it explicitly instructs a 'silent' scan and to 'carry everything over' without asking about keys. Before installing or running it: (1) verify the skill's provenance and the openclaw/openclaw repository / openclaw.ai install script you will be fetching; (2) do NOT allow or permit silent reading of your environment — require explicit consent and show which keys will be copied; (3) prefer creating and using limited-scope API keys for the new agent and rotate keys afterward; (4) avoid running curl | bash from an unverified domain — download and inspect install scripts first; (5) run the process in an isolated host or VM if you must test; (6) consider manual migration of secrets rather than automating a silent copy. If you install this skill, require it to present the exact list of keys and files it intends to read/copy and obtain explicit user confirmation for each before proceeding.
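
The patterns this report calls out can be checked mechanically before a skill is run. The following added example (not ClawHub's scanner and not code from the skill) greps instruction text for them and labels each hit with the report heading it falls under; `audit_skill`, `sample_skill` and the regexes are assumptions, and the sample lines are quoted from the SKILL.md shown on this page.

```sh
# Added example: label risky instruction lines with the scan-report heading they fall under.
# audit_skill, sample_skill and the regexes are assumptions of this example.

# audit_skill FILE -> "lineno<TAB>heading<TAB>line", sorted by line number.
audit_skill() (
  file=$1
  check() {   # check HEADING REGEX
    grep -nE -e "$2" "$file" | while IFS=: read -r n text; do
      printf '%s\t%s\t%s\n' "$n" "$1" "$text"
    done
  }
  {
    # Remote code fetched and executed at deploy time.
    check 'Install Mechanism' '(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh'
    check 'Install Mechanism' 'git clone https?://|plugins install'
    # Broad secret collection from the environment and config files.
    check 'Credentials' 'env[[:space:]]*\|[[:space:]]*grep.*(KEY|TOKEN|SECRET)'
    check 'Credentials' 'cat[[:space:]].*(\.env|openclaw\.json)'
    # Directives that suppress user-visible consent.
    check 'Instruction Scope' "\\(silent\\)|[Dd]on't ask about"
  } | sort -n
)

# Sample input: lines quoted from the SKILL.md on this page, plus one benign line.
sample_skill() {
  cat <<'EOF'
1. Read Current Config (silent)
cat ~/.openclaw/.env 2>/dev/null
env | grep -iE 'API_KEY|TOKEN'
Don't ask about keys, plugins, skills, ports, or config.
docker compose up -d openclaw-gateway
curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard
git clone https://github.com/openclaw/openclaw.git <agent-name>
EOF
}

tmp=$(mktemp)
sample_skill > "$tmp"
audit_skill "$tmp"
rm -f "$tmp"
```

A hit is a prompt for manual review of that line, not a verdict; the benign `docker compose up` line produces no finding.
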

Like a lobster shell, security has layers — review code before you run it.

latest vk974b8t68v88yek39dhe76hs1d81ebfv
940 downloads
1 star
1 version
Updated 8h ago
v0.1.0
MIT-0

Agent Spawner

Deploy a new OpenClaw agent conversationally. Official install, carry over config from the current agent. User never edits a file.

1. Read Current Config (silent)

cat ~/.openclaw/openclaw.json
cat ~/.openclaw/.env 2>/dev/null
env | grep -iE 'API_KEY|TOKEN'
ls ~/.openclaw/extensions/
ls <workspace>/skills/

Identify:

  • Provider: check auth.profiles in config — could be Anthropic, OpenAI, Gemini, custom, etc.
  • API key: from env var or config (e.g. ANTHROPIC_API_KEY, GEMINI_API_KEY, OPENAI_API_KEY)
  • Model: from agents.defaults.model
  • Tool keys: anything in tools.* (search APIs, etc.)
  • Plugins: plugins.installs — names and npm specs
  • Skills: run openclaw skills list to see what's bundled vs workspace-only. Only carry over non-bundled skills.

2. Ask

  1. "Where should I deploy it?" — Docker (local or remote SSH) or bare metal?
  2. "Name?" — for container. Generate one if they don't care.
  3. "Anything special?" — purpose, constraints. Optional.

Don't ask about keys, plugins, skills, ports, or config. Carry everything over, use defaults.

3. Confirm Plan

After gathering answers, present the full plan before doing anything. Show everything in one summary:

Here's the plan:

📦 Deploy: Docker on <target>
📛 Name: <agent-name>
🌐 Port: <port>

Carrying over from current agent:
  ✅ Provider: Anthropic (API key)
  ✅ Model: anthropic/claude-sonnet-4-20250514
  ✅ Brave Search API key
  ✅ Plugins: openclaw-agent-reach
  ✅ Skills: agent-spawner, weather
  ✅ Heartbeat: 30m

The new agent will bootstrap its own identity on first message.

Good to go?

Only list items that actually exist. Wait for explicit confirmation before proceeding. If the user wants changes, adjust and re-confirm.

4. Deploy

Docker

git clone https://github.com/openclaw/openclaw.git <agent-name>
cd <agent-name>

Set env and run non-interactive onboard. Match the provider detected in step 1:

export OPENCLAW_IMAGE=alpine/openclaw:latest
export OPENCLAW_CONFIG_DIR=~/.openclaw-<agent-name>
export OPENCLAW_WORKSPACE_DIR=~/.openclaw-<agent-name>/workspace
export OPENCLAW_GATEWAY_PORT=<unused port, default 18789>
export OPENCLAW_GATEWAY_BIND=lan

mkdir -p "$OPENCLAW_CONFIG_DIR/workspace"

Onboard flags vary by provider. Use the matching --auth-choice and key flag:

Provider    --auth-choice    Key flag
Anthropic   apiKey           --anthropic-api-key
Gemini      gemini-api-key   --gemini-api-key
OpenAI      apiKey           (set OPENAI_API_KEY env)
Custom      custom-api-key   --custom-api-key + --custom-base-url + --custom-model-id

docker compose run --rm openclaw-cli onboard --non-interactive --accept-risk \
  --mode local \
  --auth-choice <detected> \
  --<provider>-api-key "$API_KEY" \
  --gateway-port 18789 \
  --gateway-bind lan \
  --skip-skills

docker compose up -d openclaw-gateway

Official compose uses bind mounts — host user owns files, no permission issues.

Onboard error about gateway connection is expected (not running yet). Config is written.

Bare metal

curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard

openclaw onboard --non-interactive --accept-risk \
  --mode local \
  --auth-choice <detected> \
  --<provider>-api-key "$API_KEY" \
  --gateway-port 18789 \
  --gateway-bind lan \
  --install-daemon \
  --daemon-runtime node \
  --skip-skills

5. Patch Running Agent

CLI alias:

  • Docker: OC="docker compose exec openclaw-gateway node /app/openclaw.mjs"
  • Bare metal: OC="openclaw"

Config (only patch what the current agent actually has):

$OC config set agents.defaults.model "<model>"
$OC config set agents.defaults.heartbeat.every "30m"
# Tool keys — only if they exist in current config
$OC config set tools.web.search.apiKey "<key>"

Plugins (from plugins.installs in current config):

$OC plugins install <npm-spec>
# Repeat for each plugin

Skills (copy workspace skills):

# Docker
docker cp <source-workspace>/skills/ <container>:/home/node/.openclaw/workspace/skills/
# Bare metal
cp -r <source-workspace>/skills/ ~/.openclaw/workspace/skills/

Restart:

docker compose restart openclaw-gateway  # Docker
openclaw gateway restart                 # bare metal

6. Hand Off

Read the gateway token:

grep -A1 '"token"' "$OPENCLAW_CONFIG_DIR/openclaw.json"

Tell the user:

  • URL: http://<host>:<port>/
  • Token: (from config — onboard auto-generates one)
  • "Say hello — it'll bootstrap itself."

Notes

  • openclaw not in PATH inside Docker. Use node /app/openclaw.mjs.
  • --accept-risk required for non-interactive onboard.
  • alpine/openclaw:latest — pre-built official image.
  • Don't use named Docker volumes — root ownership issues. Official compose uses bind mounts.
  • Multiple agents on same host: use different OPENCLAW_CONFIG_DIR and OPENCLAW_GATEWAY_PORT.
  • Plugins and skills persist in ~/.openclaw/ volume (extensions/ and workspace/skills/).
  • SSH keys, git config, apt packages are ephemeral — not in the volume, by design.
