OpenClaw Bootstrap
v1.0.0One-command bootstrap for new OpenClaw installations. Sets up workspace files, self-evolution system (.learnings + hooks + crons), and community skills. Use...
⭐ 0· 227·0 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included files and the bootstrap script: it creates workspace files, .learnings, hooks, and schedules crons and attempts to install a 'self-improving-agent'. However the skill does not declare required CLIs (openclaw, clawhub, python3, npm) even though the script uses them. This omission is unexpected but explainable for a bootstrapper.
Instruction Scope
SKILL.md and assets instruct the agent to populate and read workspace files (memory, learnings, soul, user), which is consistent with a local bootstrapper. The runtime script copies files into ~/.openclaw/workspace, creates hooks under ~/.openclaw/hooks, and uses openclaw to add crons. These actions read/write local user files (intimate data) but do not themselves exfiltrate data. The instructions do, however, enable automated behavior (crons/hooks) that will run later—users should expect ongoing local activity.
Install Mechanism
There is no registry-level install spec, but the included scripts run npm i -g clawhub and use clawhub to install 'self-improving-agent' at runtime. Those commands will fetch code from external registries/hosts during execution (network downloads, unpinned). This is proportional to installing a CLI but raises risk because the sources aren't pinned/verified and will execute third-party code on the machine.
Credentials
The skill declares no required env vars; the script respects an optional OPENCLAW_WORKSPACE environment variable. It does not request credentials itself, but installing/using clawhub and running 'clawhub install' may require the user to authenticate to remote services. No unrelated secrets are requested by the skill.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills' configs beyond copying a hook into ~/.openclaw/hooks. It creates persistent files under ~/.openclaw/workspace, installs a global npm CLI (clawhub) if absent, and registers crons via the openclaw CLI. These are expected for a bootstrapper but are persistent changes the user should accept consciously.
What to consider before installing
This package is plausibly a normal bootstrapper but has a few things to check before running: 1) Inspect scripts/bootstrap.sh yourself (it will copy files to ~/.openclaw/workspace, create hooks in ~/.openclaw/hooks, and call openclaw to add crons). 2) Be aware it runs `npm i -g clawhub` and `clawhub install self-improving-agent` which will download and install third-party code from the network; verify the clawhub package and the self-improving-agent source first. 3) Backup any existing ~/.openclaw/workspace files if you have them. 4) If you want lower risk, run the script in a sandbox/VM or run it step-by-step instead of one-shot, and avoid running global npm installs as root. 5) Expect the resulting system to perform scheduled/automated actions (crons/hooks); review and disable any you do not want. If you need more assurance, ask the publisher for source/homepage or a signed release/lockfile for the CLI and the 'self-improving-agent'.Like a lobster shell, security has layers — review code before you run it.
latestvk97br13ebr03b6qk1dzevc15xd82frw2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.