OpenClaw AWS Deploy
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-built for AWS deployment, but its helper IAM policy grants broad AWS account-wide powers that deserve careful review before use.
Install only if you are comfortable letting scripts create and delete AWS infrastructure and run a persistent OpenClaw agent. Prefer a dedicated AWS account or tightly scoped deployer role, verify the AWS account/region before running, keep .env files private, consider pinning package versions, and disable Bedrock or agent-to-agent features if you do not need them.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this role or user is misused or compromised, it could affect unrelated AWS infrastructure, parameters, sessions, or running instances in the same account.
The helper policy can create/terminate EC2 resources and use SSM broadly across the account, rather than being constrained to OpenClaw-tagged resources, specific parameter paths, or a dedicated deployment boundary.
"ec2:RunInstances", "ec2:TerminateInstances" ... "Resource": "*" ... "ssm:PutParameter", "ssm:DeleteParameter", "ssm:SendCommand", "ssm:StartSession" ... "Resource": "*"
Use a dedicated AWS account or sandbox, prefer a tightly scoped role with tag/path conditions, review the dry-run policy, and avoid long-lived IAM user access keys where possible.
The deployed agent may be able to use paid Bedrock models through the AWS role, which can create cost or policy exposure.
The deployed instance receives model-invocation authority even when the user selects a non-Bedrock model. This is disclosed and purpose-related, but broader than some users may expect.
Bedrock IAM permissions (`bedrock:InvokeModel`, `bedrock:InvokeModelWithResponseStream`) are **always added** to the instance role — regardless of which model you choose.
Remove or restrict Bedrock permissions if you do not need Bedrock, and consider model allowlists or IAM conditions.
A mistaken invocation could create billable resources, store secrets, or modify infrastructure in the wrong AWS account or region.
The workflow chains multiple AWS mutations and remote-management actions in one user-run command. That is central to the skill, but mistakes in account, region, or flags can have meaningful impact.
This single command: 1. Creates VPC + subnet + IGW + route table ... 3. Creates IAM role ... 4. Stores secrets in SSM Parameter Store ... 5. Launches t4g.medium ... 7. Runs smoke test via SSM
Run preflight/dry-run steps where available, confirm AWS account and region, and inspect generated outputs before using cleanup or teardown flags.
A later upstream package change could alter what code runs on the deployed instance.
The deployment guidance relies on a moving `@latest` package, and the documentation notes git-based dependencies. This is expected for bootstrapping OpenClaw, but it means future package changes affect deployments.
Solution: Always use version specifier:
```bash
npm install -g openclaw@latest
```
Pin known-good OpenClaw and Node versions where possible, verify checksums/signatures, and deploy from a reviewed release for production use.
The agent can continue running, receiving Telegram messages, and consuming cloud/model resources until disabled or torn down.
The deployed OpenClaw gateway is configured as a persistent service that restarts after failures. This is consistent with deploying an always-on agent, but users should notice the persistence.
ExecStart=/usr/local/bin/openclaw-startup.sh
Restart=on-failure
RestartSec=10
Monitor the service, set budget alerts, and use the teardown script or disable the service when you no longer want the agent running.
Personal information or mistaken instructions saved in memory files may be reused in later sessions.
The default agent behavior uses persistent files as memory across sessions. This is normal for a personal agent but can retain private context and influence future behavior.
Read `memory/YYYY-MM-DD.md` ... **Long-term:** `MEMORY.md` ... "Remember this" → write to `memory/YYYY-MM-DD.md`
Review memory files periodically, avoid storing unnecessary secrets, and protect the EC2 instance and backups that hold the workspace.
If connected to other agents, data or instructions could cross agent boundaries in ways the user has not reviewed.
The template enables an agent-to-agent tool without explaining identity, permission, or data-boundary controls in the provided artifacts.
"tools": {
  "agentToAgent": {
    "enabled": true
  }
}
Disable agent-to-agent tooling unless needed, and document which agents may communicate and what data they may share.
