Create New Openclaw Instance on GCP VM
Security checks across malware telemetry and agentic risk
Overview
This is a coherent cloud setup guide, but it asks you to run powerful deployment commands, install software from the internet, and configure persistent credentials on a new VM.
Before using this skill, review each command, use a dedicated GCP project if possible, confirm expected cloud costs, inspect any missing quick-setup script before running it, and be comfortable with installing persistent OpenClaw and Tailscale services on the VM.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or following this skill can create cloud resources and place provider API keys on the VM.
The skill requires cloud account context and API credentials. These are expected for the stated deployment, but they are sensitive and the registry metadata lists no required credentials or environment variables.
export OPENCLAW_PROJECT_ID="your-gcp-project" ... export ANTHROPIC_TOKEN="sk-ant-oat01-..." ... export BRAVE_API_KEY="..."
Use a dedicated GCP project and scoped API keys where possible, confirm expected costs, and rotate credentials if they are exposed.
The VM will execute code fetched from the internet, and the exact OpenClaw package version may change over time.
The manual setup installs software from remote scripts and installs the latest OpenClaw package. This is common for setup automation, but it relies on external sources at execution time.
curl -fsSL https://tailscale.com/install.sh | sh ... curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash ... npm install -g openclaw@latest
Review the install sources, pin package versions where practical, and run the commands only in a VM/project you are comfortable modifying.
A user might look for or run a setup script that was not included in the reviewed artifacts.
The Quick Start references a helper script, but the provided manifest contains only SKILL.md. This is an incomplete review context rather than evidence of malicious behavior.
chmod +x openclaw-quick-setup.sh ./openclaw-quick-setup.sh
Do not run any separately obtained quick-setup script unless you inspect it first or obtain it from a trusted source.
If copied blindly, the commands may accept a wrong SSH host key or skip prompts that would otherwise explain risk before configuration.
The setup disables SSH host key checking for the first connection and uses a non-interactive risk-accepting onboarding command. These choices streamline setup but reduce interactive safety checks.
ssh -o StrictHostKeyChecking=no "${OPENCLAW_USERNAME}@${IP}" ... openclaw onboard --non-interactive --accept-riskVerify the VM IP and SSH host key when possible, and understand what OpenClaw onboarding will install before using '--accept-risk'.
The VM will continue running OpenClaw-related services and may remain reachable over Tailscale until stopped or removed.
The deployment intentionally creates persistent background services for the OpenClaw gateway and Tailscale serving. This is aligned with hosting OpenClaw, but it keeps running after setup.
openclaw onboard ... --gateway-bind loopback --install-daemon ... sudo tailscale serve --bg 18789
Confirm you want a persistent gateway, monitor the VM and Tailscale serve status, and document how to stop or uninstall the services.