openclaw-connect child-node skill

Warn. Audited by ClawScan on May 10, 2026.

Overview

This skill is a persistent remote OpenClaw worker that can receive and execute Hub-controlled tasks, so it needs careful review before installation.

Use it only if you trust both the Hub operator and the installer source. Prefer HTTPS/WSS, pin or locally review the installed code, run the node on a dedicated low-privilege machine or account, check the permissions on ~/.openclaw-node/node.json, and review what local OpenClaw profile data would be uploaded before connecting.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A trusted Hub operator, or anyone who compromises the Hub or node credentials, may be able to make the local agent perform actions on the user's machine or accounts.

Why it was flagged

The skill explicitly turns the local OpenClaw instance into a worker that automatically receives and executes Hub-sent tasks through powerful local execution paths.

Skill content
The node polls the Hub for new tasks every 30 seconds... Execution paths (in priority order): local OpenClaw Gateway (POST /tools/invoke)... Hub Execute API... OpenClaw CLI (openclaw agent)

Recommendation

Install only against a Hub you fully trust, use a dedicated low-privilege environment, and require clear approval/scope controls for task execution.

What this means

Installation may execute or deploy code that was not part of this reviewed package, with system-level privileges.

Why it was flagged

The installer is root-level and can pull the current contents of an unpinned branch from an external Git repository, which may differ from the reviewed artifact.

Skill content
Please run this script as the root user... GIT_BRANCH="main"... git clone --branch "$GIT_BRANCH" --depth 1 "$GIT_REPO" "$INSTALL_DIR"

Recommendation

Prefer installing the reviewed local artifact, pin Git commits or release hashes, verify checksums, and avoid running remote installers as root unless the source is trusted.

What this means

Private agent identity, prompt/profile content, channel type, and installed skill names may be disclosed to the configured Hub.

Why it was flagged

The node reads local OpenClaw profile/context data and sends it to the Hub during agent registration.

Skill content
const soulPath = path.join(homeDir, '.openclaw/workspace/SOUL.md'); ... soulMd = fs.readFileSync(soulPath, 'utf-8').slice(0, 2000); ... axios.post(`${hubUrl}/api/nodes/${nodeId}/agents/register`, { ... soulMd, channel, capabilities, skills })
Recommendation

Review SOUL.md and IDENTITY.md before connecting, disclose this upload clearly, and provide an opt-out or minimization option for agent profile sync.

What this means

If used across an untrusted network, node credentials, task metadata, or control traffic could be exposed or tampered with.

Why it was flagged

The documented Hub control channel uses HTTP/WebSocket examples for credentials, heartbeats, and task polling, with no TLS requirement described.

Skill content
HUB_URL=http://<your Hub address>:3100 ... HTTP REST + WebSocket ... heartbeat 30s / task polling 30s

Recommendation

Use HTTPS/WSS or a private authenticated network, and document how Hub identity, transport security, and task authorization are enforced.

What this means

The remote worker may continue running and accepting Hub-directed work after setup unless the user explicitly disables or uninstalls it.

Why it was flagged

The node is intended to run as a persistent daemon and keep reconnecting rather than stopping after a single user-requested task.

Skill content
🔄 systemd daemon ... heartbeat interval: 30 seconds ... consecutive failures are logged as errors but retries never stop

Recommendation

Make persistence explicit during installation, provide easy stop/disable commands, and run the daemon under a restricted service account.
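A hardened unit file is the usual way to make the persistence explicit and keep the daemon off a privileged account. The following is an added example, not the skill's shipped unit; the account name openclaw-node, the install path /opt/openclaw-node and the entry point are assumptions.

```ini
# /etc/systemd/system/openclaw-node.service (added example; paths and account are assumed)
[Unit]
Description=openclaw-connect node worker (persistent Hub-controlled agent)
After=network-online.target
Wants=network-online.target
# Reconnect after transient failures, but give up after 5 starts in 10 minutes so a
# broken or hostile Hub cannot keep the worker retrying forever.
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
Type=simple
# Dedicated unprivileged account: useradd --system --no-create-home --shell /usr/sbin/nologin openclaw-node
User=openclaw-node
Group=openclaw-node
# node.json and other state live in a service-owned 0700 directory instead of ~/.openclaw-node
StateDirectory=openclaw-node
StateDirectoryMode=0700
Environment=HOME=/var/lib/openclaw-node
WorkingDirectory=/opt/openclaw-node
ExecStart=/usr/bin/node /opt/openclaw-node/dist/index.js
Restart=on-failure
RestartSec=30s
# Sandboxing: no privilege escalation, read-only OS, no access to user homes
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

systemctl stop openclaw-node halts the worker and systemctl disable --now openclaw-node also removes it from boot. Once the start limit is hit the unit enters the failed state and stays there until an operator runs systemctl reset-failed openclaw-node, which turns the skill's unbounded retry into something a human has to notice. If tasks legitimately need paths outside /var/lib/openclaw-node, loosen ProtectHome or ProtectSystem deliberately rather than running the worker as root.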

What this means

Anyone who can read ~/.openclaw-node/node.json may be able to reuse the stored node credentials or impersonate the node to the Hub.

Why it was flagged

Hub app credentials and the session token are persisted locally so the node can reconnect after restarts.

Skill content
const NODE_CONFIG_PATH = path.join(os.homedir(), '.openclaw-node', 'node.json'); ... appKey: string; appToken: string; sessionToken: string; ... fs.writeFileSync(NODE_CONFIG_PATH, JSON.stringify(cfg, null, 2), 'utf-8')
Recommendation

Protect the config file with restrictive permissions, rotate credentials if exposed, and declare the required credentials in registry metadata.