v1.0.0

OpenClaw Setup on AWS (Free Tier) - Memory Upgrade

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

The setup guide is coherent, but it asks an agent to control a cloud server, handle multiple secrets, and deploy a persistent assistant with broad account access.

GuidanceReview this carefully before installing. Only proceed if you are comfortable giving an agent privileged access to a cloud server and multiple account tokens. Use least-privilege credentials, confirm each command, pin or verify installers, start Google access as read-only where possible, and make sure you know how to stop the background service and delete stored memory.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

Collect what you need from them (API keys, preferences), then SSH into their server and run everything. ... sudo apt update && sudo apt upgrade -y ... echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

The agent is instructed to perform broad privileged server operations, including persistent OS configuration changes, rather than only guiding the user through them.

User impactA mistaken or overbroad command could change the user's cloud server, expose services, incur costs, or make persistent system changes.

RecommendationRequire explicit user approval for each privileged command, review security group changes, and provide rollback steps before running system-level setup.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

SKILL.md

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - ... npm install -g openclaw ... git clone https://github.com/steipete/gogcli.git

The setup relies on unpinned remote scripts, global packages, and source builds without checksum or version verification.

User impactA compromised or changed upstream installer/package could run code on the user's server with elevated privileges.

RecommendationPin versions, verify checksums or signatures, prefer official package repositories where possible, and review remote scripts before execution.

Cascading Failures

SeverityHighConfidenceHighStatusConcern

references/openclaw-installation-human-guide.md

Can access and control your apps and services ... Calendar management (create, modify, conflict resolution) ... Drive integration (search, organize, share) ... Handles repetitive tasks automatically

The assistant may automate changes across connected services, including calendar and Drive sharing, without clear per-action approval or containment boundaries.

User impactA bad instruction or mistaken memory could propagate into calendar changes, email workflows, shared files, or other connected services.

RecommendationRequire explicit approval for mutating or sharing actions, limit OAuth scopes, and start with read-only access until the user has verified behavior.

Human-Agent Trust Exploitation

SeverityMediumConfidenceMediumStatusConcern

references/openclaw-installation-human-guide.md

Anthropic API Key ... Groq API Key ... Google Workspace Integration ... Your data stays on your server. Your AI works for you. Nobody else has access.

The guide makes a broad privacy claim while also describing external AI providers and Google Workspace integrations that may process user data.

User impactUsers may underestimate which third-party services can receive or process their prompts, files, messages, or workspace data.

RecommendationClearly disclose all external data flows, provider privacy policies, OAuth scopes, and what data is sent off-server.

Rogue Agents

SeverityHighConfidenceHighStatusConcern

references/openclaw-installation-human-guide.md

runs 24/7 on your infrastructure ... Sub-Agents: Background task workers for long-running projects ... Auto-restart on crashes (systemd service)

The assistant is designed for persistent autonomous operation, including background workers and auto-restart behavior.

User impactThe deployed assistant may continue operating after setup, using connected accounts and memory even when the user is not actively supervising it.

RecommendationDocument how to stop, disable, audit, and uninstall the service; limit background tasks; and require user approval for high-impact autonomous actions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

Ask the user for ... AWS account access ... Anthropic API key ... Groq API key ... OpenAI API key ... Google Workspace account ... "Send me the bot token. I'll configure it now."

The skill requests multiple sensitive account credentials and tokens, including cloud, LLM, bot, and optional Google Workspace access.

User impactIf mishandled, these credentials can affect billing, cloud resources, Telegram bot control, and access to email, calendar, Drive, or other workspace data.

RecommendationUse least-privilege IAM/OAuth scopes, avoid pasting long-lived cloud credentials into chat, store secrets securely, and revoke or rotate tokens after setup.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityHighConfidenceHighStatusConcern

references/openclaw-installation-human-guide.md

Persistent conversation history across sessions ... Automatic categorization of important information ... Searchable knowledge base of past interactions ... Daily notes system with automatic summary generation

The assistant is designed to retain and reuse personal context over time, but the artifacts do not clearly define retention limits, exclusions, review controls, or how poisoned/incorrect memories are handled.

User impactPrivate information may be stored long-term and later influence agent decisions, reminders, summaries, or actions.

RecommendationDefine what may be remembered, where memory is stored, how long it is retained, how to delete or correct it, and when memory can be used for actions.