ClawTime Setup

Things to consider before installing: - Review the remote repo before running it: the installer will git clone https://github.com/youngkent/clawtime.git and run npm install and node server.js. Inspect server.js and package.json (and all npm dependencies) for unexpected network calls, credential exfiltration, or privileged actions. - Metadata mismatches: the registry claims no required env vars but SKILL.md requires PUBLIC_URL and GATEWAY_TOKEN; the installer also uses the 'openclaw' CLI but the top-level required binaries list omitted it. Expect to need the OpenClaw CLI and tokens. - Sensitive tokens: the installer will store GATEWAY_TOKEN and SETUP_TOKEN in your macOS Keychain (or ask you to paste them). That is reasonable for this use case, but ensure you trust the code that will read them at runtime. - Persistence: the docs encourage creating launchd agents (auto-start, KeepAlive). If you install, be prepared to remove those plists and start scripts to uninstall. - Supply-chain risk: npm install will fetch third‑party packages. If you cannot audit the repo and dependencies, consider running the service in an isolated environment (VM/container) or reviewing a pinned commit in the repo first. - TTS command injection: the documentation correctly warns that unescaped {{TEXT}} substituted into shell commands is dangerous; verify the server implementation does proper sanitization or uses execFile/argument arrays. - What would increase confidence: a trustworthy homepage or verified upstream repo, an explicit list of file changes the installer makes, and a quick manual review of server.js and package.json confirming no unexpected outbound network endpoints or secret uploads. Given the above inconsistencies and the fact the installer fetches and executes remote code, proceed only after code review or using an isolated environment.