OpenClaw Launcher
ReviewAudited by ClawScan on May 10, 2026.
Overview
Review this before use: it creates a real Windows/WSL launcher, but it also reads an OpenClaw token, changes a local network rule, and runs hidden scripts/background processes.
Use this only if you specifically want a Windows/WSL desktop launcher for OpenClaw. Before creating the shortcut, review the generated .bat and .ps1 files, confirm the WSL distro/user and paths, understand that it reads your OpenClaw token, and approve any elevated port-proxy change. Remove the scripts and shortcut if you no longer need the launcher.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The shortcut could expose or misuse the OpenClaw session token if the generated script, browser URL, or logs are copied or handled insecurely.
The generated launcher reads a local OpenClaw config file, extracts a token, and places it in a dashboard URL. That is high-impact credential/session handling and is not reflected by the declared lack of credentials or required config paths.
$wslConfig = cmd /c "wsl.exe --distribution Ubuntu --user <WSL_USER> -- cat ~/.openclaw/openclaw.json 2>&1" ... $DASHBOARD_URL = "http://localhost:18789/#token=$TOKEN"
Clearly disclose the token use, require user approval before reading the config, avoid printing or logging the token URL, and document exactly which config file is read and why.
Running this may require elevation and can change how localhost traffic on port 18789 is routed.
The skill modifies Windows port proxy settings with netsh. It is scoped to localhost port 18789 and fits the WSL launcher purpose, but it is still an admin-level network configuration change.
# Setup port proxy (requires admin) ... netsh interface portproxy add v4tov4 listenport=18789 listenaddress=127.0.0.1 connectport=18789 connectaddress=$wslIp protocol=tcp
Ask for explicit user confirmation before running elevated netsh commands and document how to remove the port proxy rule.
If the generated script is later modified, clicking the shortcut may run it hidden and with fewer PowerShell warnings.
The launcher intentionally runs a generated PowerShell script with execution policy bypass and a hidden window. This is expected for a one-click launcher, but it reduces visibility and prompt-based safeguards.
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "%~dp0start-openclaw.ps1" ... The .bat must use `-ExecutionPolicy Bypass` to allow the script to run without prompts.
Review the generated scripts before use, keep the scripts directory writable only by the user, and avoid hidden/bypass mode unless needed.
WSL may stay running after the visible launcher exits, and repeated launches could create multiple hidden keep-alive processes.
The skill starts a hidden WSL sleep process for 24 hours to keep the gateway alive. This is disclosed and bounded, but it is background behavior users should understand.
start "" /b cmd /c wsl.exe --distribution Ubuntu --user <WSL_USER> -- bash -c "sleep 86400" ... Start-Process ... -WindowStyle Hidden
Document how to stop the keep-alive process and consider checking for an existing one before starting another.
Users cannot easily compare the skill against an upstream project or audited release.
There is no external source repository or install package to verify. The risk is limited because the visible SKILL.md contains the setup commands, but provenance is still weak.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Manually review the generated script contents and prefer a skill release with a clear source or homepage when available.