Setup claw.tech
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This setup skill is coherent, but it asks the agent to run unpinned remote installers/downloaded skills and enables broad persistent logging of AI interactions.
Install only if you are comfortable running remote setup code from the listed sources and keeping a local database of all AI requests and responses. Review or pin the downloaded installer, clawtel release, and openclaw-in-a-box skill before handoff, and avoid using this on conversations that may contain secrets unless you have a cleanup and retention plan.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised remote installer could run code on the user's machine during setup.
The setup flow executes a remote installer script directly from the network without pinning, checksum verification, or reviewed installer contents.
curl -fsSL https://download.tapes.dev/install | bash
Prefer pinned versions, checksums/signatures, package-manager installs, or clear manual review steps before executing downloaded installers.
The installed orchestrator instructions could change after this review and affect future agent behavior.
The skill downloads another agent skill from a mutable main branch and then instructs handoff to it, but that remote skill content is not part of the reviewed artifact set.
curl -fsSL https://raw.githubusercontent.com/papercomputeco/openclaw-in-a-box/main/SKILL.md -o skills/openclaw-in-a-box/SKILL.md
Pin the downloaded skill to a specific commit or release and ask the user to review it before invoking or handing off to it.
The user's system PATH may receive a new executable from a latest-release download.
The skill installs a downloaded executable into a system binary path. This is aligned with setup, but it is high-impact local environment modification.
curl -fsSL "https://github.com/bdougie/clawtel/releases/latest/download/clawtel_${OS}_${ARCH}.tar.gz" | tar xz
mv clawtel /usr/local/bin/
Confirm the source and version before installing, and consider using a user-local bin directory or checksum verification.
Sensitive conversations may be saved on disk and later searchable or replayable.
The telemetry component persistently stores all AI prompts and responses locally, which can include sensitive user, project, or credential information; the artifact does not describe retention, exclusions, or scoping controls.
records every AI request/response into a local SQLite store for search, audit, and replay
Use only if broad local conversation logging is acceptable, and add clear retention, deletion, and exclusion guidance.
The reporting tool can submit telemetry associated with the user's claw identity when the key is present.
The skill uses a leaderboard ingest key. This is expected for the stated claw.tech reporting purpose, and the artifact tells users to keep tokens in environment variables.
export CLAW_ID="your-claw-uuid"
export CLAW_INGEST_KEY="ik_your_key_here"
Set the key only in trusted shells or keychains, rotate it if exposed, and verify what data is sent before running clawtel.
