OpenServ Agent Sdk

What to consider before installing: - Trust & provenance: The skill metadata has no homepage and an unknown owner; verify the upstream @openserv-labs packages (npm repo, GitHub repo, checksums, and publisher) before using in production. - Sensitive keys written to disk: The docs explain that provision() will create a wallet and write WALLET_PRIVATE_KEY into .env. That stores a private key on disk in plaintext by default — accept only if you control the machine and storage. Prefer a dedicated wallet with minimal funds for provisioning and do not reuse a high-value key. - Auto-tunneling: run() auto-opens a tunnel to agents-proxy.openserv.ai for dev convenience. This exposes a local service endpoint to a remote host. Use DISABLE_TUNNEL=true in production or when you cannot accept an external tunnel. - Data flow and privacy: Runless capabilities and generate() delegate LLM calls to the OpenServ platform; user inputs and workspace files may be transmitted to the platform. If you process sensitive data, review platform privacy/security policies and consider local LLMs or direct provider calls instead. - Management & least privilege: Use separate credentials for agent vs. user management (the docs note OPENSERV_API_KEY vs OPENSERV_USER_API_KEY). Fund any on-chain registration wallet minimally and wrap on-chain registration in try/catch as recommended. - Verify code/packages: Before running npm installs, inspect the actual @openserv-labs/sdk and @openserv-labs/client packages (source, recent changes, dependency tree). The examples here are coherent for an SDK, but you should validate package authenticity and integrity. If you need more assurance, provide the npm package URLs or the upstream repository so I can check for mismatches between the documentation and actual published package contents.