v1.0.0

OpenClaw Deploy Guide

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:41 AM.

Analysis

This deployment guide is mostly coherent, but it asks users to run unverified remote installers/scripts and bypass operating-system safety warnings while setting up a persistent network-facing bot.

Guidance: Before installing, verify the GitHub repository and release assets, avoid running curl|bash or iwr|iex commands unless you have inspected and pinned them, do not bypass OS warnings without checking signatures or checksums, restrict port 3000/webhook access, and protect any API keys or platform tokens placed in the config file.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: High | Confidence: High | Status: Concern
README.md
curl -fsSL https://raw.githubusercontent.com/Markovmodcn/openclaw-china/main/scripts/install.sh | bash ... iwr -useb https://raw.githubusercontent.com/Markovmodcn/openclaw-china/main/scripts/install.ps1 | iex

The recommended setup fetches scripts from remote moving branches and executes them immediately; the artifacts do not show pinning, checksum verification, or signature verification.

User impact: A changed or compromised remote script could run installation commands on the user's machine, potentially with administrator privileges.
Recommendation: Avoid pipe-to-shell/iex installation where possible; pin versions or commits, publish checksums/signatures, and have users inspect scripts before running them.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
If prompted "Cannot verify the developer" ... bypass the security check ... Windows protected your PC ... click "Run anyway"

The guide explicitly instructs users how to bypass macOS and Windows safety prompts for the installer.

User impact: Users may ignore platform protections that are designed to warn about unsigned or untrusted software.
Recommendation: Tell users to verify the publisher, release signature, and checksum first, and only bypass OS warnings when they have independently trusted the installer.

Tool Misuse and Exploitation
Severity: Medium | Confidence: Medium | Status: Note
templates/config.yaml
webhook_port: 3000 ... security:\n  allowed_users: []       # list of allowed users; an empty array allows everyone

The template supports a webhook/API service and documents that an empty allowed_users list permits all users.

User impact: If the bot is exposed on a network without tightening this configuration, more people than intended may be able to interact with it.
Recommendation: Set explicit allowed users, strong webhook secrets, and network/firewall restrictions before exposing port 3000 or enabling external webhooks.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
scripts/docker-deploy.sh
restart: unless-stopped ... echo "  更新镜像: docker-compose pull && docker-compose up -d"

The Docker deployment is designed to keep the bot running persistently and provides an update path for replacing images.

User impact: The bot may continue running in the background after setup and may be updated later, so users need to remember it remains active.
Recommendation: Review the service after installation, disable autostart if not needed, and only update images from trusted, verified sources.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
templates/config.yaml
app_secret: your_app_secret ... github:\n    token: your_github_token ... jira:\n    token: your_api_token

The configuration template asks for multiple third-party secrets and access tokens for AI, messaging, GitHub, and Jira integrations.

User impact: These credentials can grant account or workspace access if copied into the config and later leaked or over-permissioned.
Recommendation: Use least-privilege tokens, restrict file permissions on the config file, avoid committing it, and rotate any token that may have been exposed.