Skillv1.0.1

ClawScan security

Openclaw Remote Install · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 7, 2026, 7:54 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an SSH-based remote installer that largely matches its stated purpose, but it contains several insecure practices (inline secrets, password-based sshpass support, StrictHostKeyChecking disabled, piping install scripts, and logging remote config output) that could expose sensitive credentials or configuration — review before use.
Guidance: This skill appears to do what it says — remote SSH installation and configuration — but it uses several insecure practices you should weigh before running it on production systems: - Prefer SSH key-based authentication; avoid password-based usage with sshpass (passwords on command lines can leak via shell history and process lists). - The scripts disable SSH host key checking (StrictHostKeyChecking=no); enable host key verification in your environment to avoid MITM risks. - The installer may execute 'curl | sh' (get.docker.com) on the remote host and pulls a Docker image named openclawai/openclaw:latest — verify the image source and content before trusting it. - The Python script and installer print remote command output (including config contents) into local logs under ~/.openclaw/remote-install-logs; that output may contain secrets or API keys. If you must use this tool, ensure logs are stored securely, or clear/rotate secrets after use. - Use the '--secret-mode ref' approach and set required API keys as environment variables on the remote host rather than passing them inline. If the tool forces inline secrets for some workflows, avoid those workflows. - Test on an isolated VM or staging host first. Review the Docker image and any remote install commands manually, and consider running the installer with increased verbosity and a dry-run to inspect what it would do. If you want a stronger assurance, ask the author for: (1) provenance of the Docker image (official repo or signed release), (2) a verified checksum or signed release for any install scripts, and (3) an option to keep host key checking enabled and to suppress logging of remote config contents. If those are provided, my confidence in safety would increase.

Review Dimensions

Purpose & Capability: okName/description align with the delivered artifacts: scripts perform remote SSH installation, OS detection, select Docker/Podman/npm, and run post-install configuration. Nothing requested appears unrelated to a remote installer.
Instruction Scope: concernInstructions and scripts read remote configuration, print remote config contents to stdout (which the installer captures in local logs), accept inline API keys, and recommend/allow password-based auth. They also disable SSH host key checking (StrictHostKeyChecking=no) and UserKnownHostsFile=/dev/null. These behaviors expand scope to collecting and persisting potentially sensitive data and weaken SSH security.
Install Mechanism: noteNo packaged install spec (instruction-only) — the script runs remote package installs and may execute 'curl -fsSL https://get.docker.com | sh' on the remote host and pull Docker image openclawai/openclaw:latest. Using well-known hosts (get.docker.com, npm/pnpm, Docker Hub) is expected, but piping remote curl to sh and pulling an image from an unverified repo are riskier than purely declarative installs.
Credentials: concernThe skill does not demand unrelated credentials, and supports the expected API keys for model providers. However it permits inline API keys and password arguments that can appear in process lists, command output, and the local log directory (~/.openclaw/remote-install-logs), increasing risk of secret leakage. The SKILL.md suggests env-var refs, but the code still supports and documents less-secure modes.
Persistence & Privilege: okalways is false; the skill writes logs under the user's home (~/.openclaw/remote-install-logs) and creates a symlink 'latest' — this is scoped to the skill and consistent with an installer. The skill does not modify other skills' configs nor request platform-wide persistence.