OpenClaw Growth Pack
v1.1.0Bootstraps a new OpenClaw instance with aligned model routing, consistent gateway tokens, anti-stall contracts, autonomy loop, and verification gates for sta...
⭐ 0· 299·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description promise (model routing, gateway tokens, anti-stall, autonomy loop, verification gates) aligns with the SKILL.md actions: editing ~/.openclaw/openclaw.json, updating AGENTS.md and HEARTBEAT.md, creating simple cron/manual jobs, and performing verification. Actions requested are relevant to operating and stabilizing an OpenClaw instance.
Instruction Scope
Instructions explicitly tell the operator to modify local OpenClaw config files (~/.openclaw/openclaw.json, agents/ files), documentation (AGENTS.md, HEARTBEAT.md, memory files), and to restart the gateway. That scope is confined to OpenClaw runtime/operation, but the skill also instructs you to place provider apiKey/token values into config and to paste tokens into a dashboard UI. These are legitimate operational tasks but involve storing/handling secrets and performing restarts that could disrupt service if done without backups or testing.
Install Mechanism
This is instruction-only (no install spec, no code files). No downloads or archive extraction are requested, so there is no installer footprint or arbitrary code fetch performed by the skill itself.
Credentials
The skill does not declare or require environment variables or credentials, but it instructs operators to populate local config with provider API keys and gateway tokens. That is proportionate to its purpose (model routing and gatekeeping), but you should confirm the legitimacy of the referenced provider/baseUrl (https://coding.dashscope.aliyuncs.com/v1) before inserting secrets. The guidance to synchronize tokens across surfaces is reasonable operational advice.
Persistence & Privilege
The skill does not request 'always' presence, does not modify other skills or system-wide settings beyond OpenClaw config and documentation, and does not require persistent installation. It instructs file edits and gateway restarts which are standard admin actions and limited in scope.
Assessment
This skill appears to be what it says — an operations checklist for stabilizing an OpenClaw instance — but the package source is unknown and it directs you to insert API keys and tokens and to point a provider to https://coding.dashscope.aliyuncs.com/v1 (an external endpoint). Before applying it: 1) verify the origin of the guidance and confirm that the 'bailian' provider and the dashscope.aliyuncs.com endpoint are legitimate for your deployment; 2) make full backups of ~/.openclaw/openclaw.json and any agents/ files (the skill itself recommends this); 3) test changes in a staging environment if possible to avoid disrupting production; 4) treat API keys/tokens as secrets — use least-privilege keys and rotate them if you suspect exposure; 5) review and audit any dashboard/UI where you paste tokens to ensure it’s trusted; 6) run the restart and verification steps during a maintenance window. If you cannot verify the external provider endpoint or the skill author, be conservative: do not paste secrets, and perform the steps manually with logging and backups.Like a lobster shell, security has layers — review code before you run it.
latestvk97dmbhcwrbhjpeacb48rem439820msn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.