KWDB Install
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: kwdb-install-deploy
Version: 1.0.0
The skill bundle provides a legitimate and highly controlled workflow for deploying KaiwuDB. It includes explicit safety instructions in SKILL.md that prevent the AI agent from guessing installation parameters or performing autonomous retries, requiring user confirmation at every critical step. The operations, such as extracting packages to /opt/kaiwudb and managing services via systemctl, are standard for database administration and show no signs of malicious intent or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved on the wrong host or with the wrong configuration, the agent could change system state, start services, or affect cluster nodes.
The skill documents commands that create protected directories, extract an installer, run deployment scripts, and optionally enable a boot-time service. This is purpose-aligned for installing a database, but it is high-impact system tooling.
sudo mkdir -p /opt/kaiwudb ... tar -xzf "$INSTALL_PACKAGE_PATH" -C /opt/kaiwudb ... ./deploy.sh install --single ... systemctl enable kaiwudb
Run it only on intended KaiwuDB servers, review the generated deploy.cfg, and confirm each privileged command before execution.
A misconfigured or unintended run could affect not only the local machine but also reachable cluster nodes.
The deployment requires administrative host permissions and may rely on passwordless SSH and Docker group membership, all of which are powerful privileges.
SSH passwordless login is configured between the current node and other nodes in the cluster. The installation user is the `root` user or a regular user with `sudo` privileges. ... add the user to the `docker` group
Use only authorized admin accounts, limit passwordless SSH to intended hosts, and remove or restrict elevated access after deployment if it is no longer needed.
A tampered or unofficial package with a matching filename could be installed if the user supplies it.
The install flow depends on an external local tar.gz package and validates only existence and filename format, not authenticity or integrity.
The installation package path must be explicitly provided by the user and must not be guessed ... if [[ "$(basename $INSTALL_PACKAGE_PATH)" != KaiwuDB*.tar.gz ]]; then
Obtain KaiwuDB packages from an official trusted source and verify checksums or signatures before running the deployment script.
