Comprehensive skill for installing, configuring, and managing the OpenClaw ecosystem (Gateway, Channels, Models, Automation, Nodes, and Deployment)
Security checks across malware telemetry and agentic risk
Overview
This is a coherent OpenClaw wrapper, but its safety gate treats several powerful admin, messaging, configuration, approval, and persistence commands as low-risk, so they pass through ungated.
Install only if you are comfortable giving the agent a broad OpenClaw administration wrapper. Before use, verify the local `openclaw` CLI, restrict agent access to read-only commands where possible, and require manual approval for configuration, approval-policy, messaging, agent, gateway-service, credential, memory, or other state-changing actions.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked by an agent, the wrapper could change OpenClaw configuration, approval policy, agents, or channel messages without requiring the risky-mode environment variable.
The wrapper treats these whole command families as low-risk pass-through and forwards arbitrary arguments. The provided CLI docs list mutating subcommands under these families, including config set/unset, approvals set/allowlist changes, agent add/delete/bind, and message delete/kick/ban, so high-impact actions can bypass the advertised risky-command gate.
`install|setup|doctor|status|reset|version|tui|dashboard|update|uninstall|health|configure|completion|logs|config|docs|qr|system|sessions|directory|acp|approvals|security|memory|skills|agents|agent|message|msg)` ... `openclaw "$cmd" "$@"`
Gate mutating subcommands individually, default to read/list/status-only routes, and require clear user confirmation before config, approval, agent, message, gateway, or security-fix changes.
A user may overtrust the wrapper's safety boundary and allow an agent to run commands that have more authority than the description suggests.
The safety claim implies strong per-action control, but the same skill labels broad command groups as low-risk even though the included references show those groups contain state-changing and account-impacting operations.
Default: least privilege. High-risk ops require explicit per-action approval. ... LOW-RISK (pass-through): ... channel model agent agents message sessions memory skills ... security approvals system directory acp gateway service
Align the documentation with the actual enforcement, or implement the stated per-action approval behavior for every high-impact subcommand.
Installing this skill does not install or verify the actual OpenClaw CLI; a compromised or unexpected local CLI would determine what commands really do.
The skill is a wrapper and documentation bundle, not the OpenClaw runtime. Its behavior depends on whatever `openclaw` binary is installed locally.
Does NOT contain OpenClaw runtime source. ... `openclaw` CLI in `PATH` (required)
Install OpenClaw only from a trusted source, verify the binary in PATH, and keep it updated through trusted channels.
The CLI may operate with access to real gateway, model-provider, browser/session, or channel credentials when configured.
The docs show that OpenClaw can use gateway credentials, provider/session credentials, cookies, and env files. This is expected for the integration, and the artifacts do not show credential logging or exfiltration.
`OPENCLAW_GATEWAY_TOKEN` ... `OPENCLAW_GATEWAY_PASSWORD` ... `CLAUDE_WEB_SESSION_KEY` / `CLAUDE_WEB_COOKIE` ... `.env` from CWD ... `~/.openclaw/.env`
Use least-privilege tokens, avoid storing unnecessary session cookies, review `.env` files, and do not let the agent run auth-changing commands without review.
Information saved into memory files may be reused later, and unwanted or malicious content in those files could affect future agent sessions.
The OpenClaw ecosystem can persist and reuse workspace memory files. This is purpose-aligned, but persistent memory can retain sensitive context or influence future agent behavior.
Memory files: `MEMORY.md` and `memory/*.md` in workspace root. ... `session-memory`: saves context on `/new` → `memory/YYYY-MM-DD-slug.md`
Review memory files regularly, avoid storing secrets in them, and disable or gate memory-writing hooks unless needed.
A gateway service may keep running after the immediate task and may expose OpenClaw functionality according to its configuration.
The skill documents installing and managing a background gateway service. This is central to the stated OpenClaw-management purpose, but it creates persistent local service behavior users should explicitly approve.
`openclaw gateway install [--port <port>] [--runtime <node|bun>] [--token <token>] [--force]` ... `openclaw gateway start|stop|restart|status|uninstall`
Only install or start persistent services intentionally, keep gateway binding on loopback unless needed, and require explicit review before service lifecycle changes.
