OpenClaw Agent Compute
v0.1.7
Public HTTP client skill exposing compute.* tools by calling a private Compute Gateway over HTTPS. Includes a starter kit to run OpenClaw preconfigured.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (compute client for a private gateway) matches the code and SKILL.md. However, registry metadata claims no required env vars while SKILL.md, .env.example, and the client code clearly require MCP_COMPUTE_URL and MCP_COMPUTE_API_KEY — this metadata mismatch should be corrected but does not indicate malicious behavior.
Instruction Scope
SKILL.md and README limit runtime actions to configuring env vars, running npm and the provided example, and using the defined compute HTTP endpoints (sessions, exec, artifacts). The instructions do not ask the agent to read unrelated files or secrets; the code only reads the two declared env vars.
Install Mechanism
There is no install spec in the registry (instruction-only), but the package includes code and a package.json with standard dependencies (dotenv, undici). Running the example requires npm install — this is low-to-moderate risk and expected for a JS client, but users should review dependencies and run in an isolated environment if concerned.
Credentials
The skill only requires a base URL and a bearer API key for the private compute gateway, which are proportionate to its purpose. Reminder: the API key grants whatever privileges the gateway exposes, so treat it as sensitive.
Persistence & Privilege
The skill does not request always: true or other elevated platform privileges. It does include a starter-kit that passes env vars into a Docker container (expected for this use case). Autonomous invocation is allowed by default but is not combined with any unusual privileges here.
Assessment
This skill appears to do what it says: act as an HTTP client for a private Compute Gateway. Before installing: 1) verify the MCP_COMPUTE_URL points to a gateway you control/trust (the API key will be sent there), 2) keep MCP_COMPUTE_API_KEY secret and scoped to minimal permissions on the gateway, 3) note the registry metadata omitted required env vars — ensure you set MCP_COMPUTE_URL and MCP_COMPUTE_API_KEY as shown in .env.example, 4) review the GitHub repo (README references one) and the two JS files to confirm no changes, 5) run npm install and the starter-kit in an isolated or development environment first and pin dependency versions or use audit tools if you plan production use.
Like a lobster shell, security has layers — review code before you run it.
latest
openclaw-agent-compute
Public, agent-friendly skill that exposes compute.* tools by calling a private Compute Gateway over HTTPS.
Environment
- MCP_COMPUTE_URL (e.g. https://compute.example.com)
- MCP_COMPUTE_API_KEY
Copy skills/openclaw-agent-compute/.env.example.
Tools / API expectation
This client expects the private gateway to implement:
- POST /v1/sessions (create)
- GET /v1/sessions/{session_id} (get status)
- POST /v1/exec (run command)
- GET /v1/usage/{session_id} (usage/cost)
- Artifacts:
  - GET /v1/artifacts/{session_id} (list)
  - PUT /v1/artifacts/{session_id}/{path} (upload bytes; {path} must be URL-encoded and may include slashes)
  - GET /v1/artifacts/{session_id}/{path} (download bytes; {path} must be URL-encoded)
  - DELETE /v1/artifacts/{session_id}/{path} (delete; {path} must be URL-encoded)
- DELETE /v1/sessions/{session_id} (destroy)
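One way to build an artifact request for the endpoints listed above, as an added example that is not the skill's own client.js. It assumes the whole {path} is percent-encoded with encodeURIComponent (so "/" is sent as %2F) and that the key goes in a Bearer Authorization header; the function names and sample values are hypothetical.

```javascript
// Added example, not the skill's client.js. Function names are hypothetical.

// Validate MCP_COMPUTE_URL before the API key is ever sent to it.
function gatewayBase(rawUrl) {
  const u = new URL(rawUrl); // throws on malformed input
  if (u.protocol !== "https:") throw new Error("MCP_COMPUTE_URL must use https");
  if (u.username || u.password) throw new Error("MCP_COMPUTE_URL must not embed credentials");
  if (u.search || u.hash) throw new Error("MCP_COMPUTE_URL must not carry a query or fragment");
  return u.origin + u.pathname.replace(/\/+$/, ""); // drop trailing slashes
}

// Build /v1/artifacts/{session_id}/{path}.
// Assumption: the full path is encoded as one component, so "/" becomes %2F.
function artifactUrl(baseUrl, sessionId, path) {
  if (typeof sessionId !== "string" || sessionId === "") throw new Error("session_id is required");
  if (typeof path !== "string" || path === "") throw new Error("artifact path is required");
  const segments = path.split("/");
  // Refuse absolute paths, empty segments and dot segments instead of
  // relying on the gateway to normalise them.
  if (segments.some((s) => s === "" || s === "." || s === "..")) {
    throw new Error("artifact path must be relative with no empty or dot segments");
  }
  return `${gatewayBase(baseUrl)}/v1/artifacts/${encodeURIComponent(sessionId)}/${encodeURIComponent(path)}`;
}

// Bearer header for MCP_COMPUTE_API_KEY; rejects values that could split headers.
function authHeaders(apiKey) {
  if (typeof apiKey !== "string" || apiKey === "" || /[\r\n]/.test(apiKey)) {
    throw new Error("MCP_COMPUTE_API_KEY is missing or malformed");
  }
  return { authorization: `Bearer ${apiKey}` };
}

// Constructed sample values, for illustration only.
const sampleUrl = artifactUrl("https://compute.example.com/", "sess-1", "out/report #1.txt");
console.log(sampleUrl);
```

Without the encoding step, the "#" in the sample path would be parsed as a fragment and the request would target a different artifact name.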
Scripts
- HTTP client: skills/openclaw-agent-compute/scripts/client.js
- Example: skills/openclaw-agent-compute/scripts/example_exec.js
Local smoke test
cp skills/openclaw-agent-compute/.env.example .env
# edit .env
npm i
npm run example:exec
Starter kit
See skills/openclaw-agent-compute/starter-kit/.
It keeps the OpenClaw image overrideable via OPENCLAW_IMAGE until an official image/tag is confirmed.
Publishing
- Checklist: PUBLISHING.md
- Runbook (local publish + GitHub Actions tag-based publish): CLAWDHUB_RUNBOOK.md
