🦞 OpenClaw Starter Guide
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Following the guide may add software or provider integrations to the user's OpenClaw environment.
The guide instructs users to install a global CLI and additional provider skills that are not included in this artifact. This is purpose-aligned setup guidance, but those external packages/skills should be reviewed before installation.
npm i -g clawhub ... clawhub install add-minimax-provider ... clawhub install add-siliconflow-provider ... clawhub install add-newcli-provider
Install only provider skills you intend to use, and review each referenced skill/package and its permissions before installing it.
A copied API key could allow model usage against the user's provider account and may incur cost or expose prompts sent through that provider.
The guide shows users how to configure and test provider API keys. This is expected for model-provider setup and there is no artifact evidence of credential leakage, but API keys grant account access and billing authority.
"apiKey": "<YOUR_KEY>" ... -H "Authorization: Bearer <API_KEY>"
Use provider-scoped keys where possible, store them in the intended OpenClaw configuration or secret store, avoid sharing logs containing keys, and rotate keys if exposed.
Private conversation or task data may be sent to third-party model providers selected in the configuration.
The guide routes OpenClaw model requests through external AI providers. This is central to the skill's purpose, but user prompts and task context may be transmitted to those providers depending on configuration.
"baseUrl": "https://api.siliconflow.cn/v1" ... Claude/GPT/Gemini ... NewCLI
Review each provider's privacy and retention policies, avoid sending sensitive data to providers you do not trust, and configure provider access according to your data-handling requirements.
Scheduled agents could consume model quota, access project files, or make changes while the user is not actively supervising them.
The guide recommends cron-scheduled automated tasks. This is disclosed and aligned with 24/7 assistant operation, but persistent automation can act without real-time user oversight if configured too broadly.
Use cron to schedule nightly automated tasks: 01:00 code quality scan ... 03:00 TODO cleanup ... 04:00 system health check
Keep scheduled tasks read-only unless explicitly intended, set budgets/rate limits, log actions, and require approval for file edits, deployments, or account changes.
Users may sign up through referral or affiliate links while following provider recommendations.
The guide includes registration links, including an explicit affiliate-style parameter for NewCLI and a referral-style SiliconFlow path. This is visible in the artifact and not malicious, but it may influence provider recommendations.
SiliconFlow registration: https://cloud.siliconflow.cn/i/ihj5inat ... NewCLI registration: https://foxcode.rjj.cc/auth/register?aff=7WTAV8R
Consider whether the recommended providers fit your own cost, privacy, and reliability needs, and use direct registration links if you do not want referral attribution.
