Openclaw Onboarding

This onboarding skill is mostly what it says (setup steps, teaching local "memory", installing a local skill-finder), but it has a few risky or unclear behaviors you should consider before installing: - Persistent writes: it will create ~/.openclaw and write user.md and MEMORY.md automatically when you tell it to "记住" something. If you care about sensitive data, avoid saving secrets and consider where those files will be stored/backed up. - Auto-install behavior: the guide installs a 'find-skills' tool and demonstrates running commands that can auto-install other skills (clawhub install, npx skills add) with '-y' or '--yes' flags that skip confirmation. Any skill pulled from the network can run code on your machine — review or sandbox installs, and prefer not to allow automatic global installs without inspection. - External service access not declared: the guide uses commands that create Feishu docs and summarize group chats, but it doesn't list required credentials. Verify which connectors (Feishu, chat platform) are configured and who has access before using those features. - Supply-chain and privilege mitigation: if you proceed, consider (a) running initial installs in a sandbox or VM, (b) inspecting any skill package before allowing network installs, (c) disabling or limiting auto-write of memory files, and (d) removing/asking to remove automatic '-y'/'-g' flags so installations require explicit consent. If you want higher assurance, ask the author for an explicit list of required credentials and which external services are used, or request that installs prompt for confirmation rather than proceeding automatically.