🦞 OpenClaw Starter Guide

Pass: Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-starter-guide
Version: 1.2.0

The skill bundle is a comprehensive guide for setting up and managing OpenClaw AI agents. It provides instructions for users on model selection, fallback chains, cost management, and troubleshooting, including commands for installing the `clawhub` CLI and other OpenClaw provider skills. The `SKILL.md` contains diagnostic `curl` commands and system management commands, but these are clearly presented as instructions for the user to execute in their terminal, not for the AI agent to execute. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection against the agent, or obfuscation. The referral links to SiliconFlow and NewCLI are for legitimate services and are part of the guide's purpose to help users set up providers.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Following the guide may add software or provider integrations to the user's OpenClaw environment.

Why it was flagged

The guide instructs users to install a global CLI and additional provider skills that are not included in this artifact. This is purpose-aligned setup guidance, but those external packages/skills should be reviewed before installation.

Skill content

npm i -g clawhub ... clawhub install add-minimax-provider ... clawhub install add-siliconflow-provider ... clawhub install add-newcli-provider

Recommendation

Install only provider skills you intend to use, and review each referenced skill/package and its permissions before installing it.

What this means

A copied API key could allow model usage against the user's provider account and may incur cost or expose prompts sent through that provider.

Why it was flagged

The guide shows users how to configure and test provider API keys. This is expected for model-provider setup and there is no artifact evidence of credential leakage, but API keys grant account access and billing authority.

Skill content

"apiKey": "<YOUR_KEY>" ... -H "Authorization: Bearer <API_KEY>"

Recommendation

Use provider-scoped keys where possible, store them in the intended OpenClaw configuration or secret store, avoid sharing logs containing keys, and rotate keys if exposed.

What this means

Private conversation or task data may be sent to third-party model providers selected in the configuration.

Why it was flagged

The guide routes OpenClaw model requests through external AI providers. This is central to the skill's purpose, but user prompts and task context may be transmitted to those providers depending on configuration.

Skill content

"baseUrl": "https://api.siliconflow.cn/v1" ... Claude/GPT/Gemini ... NewCLI

Recommendation

Review each provider's privacy and retention policies, avoid sending sensitive data to providers you do not trust, and configure provider access according to your data-handling requirements.

Note: Medium Confidence

ASI10: Rogue Agents

What this means

Scheduled agents could consume model quota, access project files, or make changes while the user is not actively supervising them.

Why it was flagged

The guide recommends cron-scheduled automated tasks. This is disclosed and aligned with 24/7 assistant operation, but persistent automation can act without real-time user oversight if configured too broadly.

Skill content

Use cron to schedule automated nightly tasks: 01:00 code quality scan ... 03:00 TODO cleanup ... 04:00 system health check

Recommendation

Keep scheduled tasks read-only unless explicitly intended, set budgets/rate limits, log actions, and require approval for file edits, deployments, or account changes.

What this means

Users may sign up through referral or affiliate links while following provider recommendations.

Why it was flagged

The guide includes registration links, including an explicit affiliate-style parameter for NewCLI and a referral-style SiliconFlow path. This is visible in the artifact and not malicious, but it may influence provider recommendations.

Skill content

SiliconFlow registration: https://cloud.siliconflow.cn/i/ihj5inat ... NewCLI registration: https://foxcode.rjj.cc/auth/register?aff=7WTAV8R

Recommendation

Consider whether the recommended providers fit your own cost, privacy, and reliability needs, and use direct registration links if you do not want referral attribution.