ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VPS Bootstrap

v1.0.0

Bootstrap a fresh VPS from zero to a fully operational OpenClaw deployment, with backup/restore and post-recovery verification. Use when setting up OpenClaw...

1· 342·0 current·0 all-time
by@lolaopenclaw

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lolaopenclaw/vps-bootstrap.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "VPS Bootstrap" (lolaopenclaw/vps-bootstrap) from ClawHub.
Skill page: https://clawhub.ai/lolaopenclaw/vps-bootstrap
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install lolaopenclaw/vps-bootstrap

ClawHub CLI

Package manager switcher

npx clawhub@latest install vps-bootstrap
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match what the files do: install system packages, Node.js, Chrome, OpenClaw, configure firewall/fail2ban/SSH, enable gateway services, and provide backup/restore and verification. Required privileges (root/sudo) and target paths (~/.openclaw, /etc/ssh, /etc/fail2ban, /usr/local/bin) are consistent with a bootstrap/restore tool.
!
Instruction Scope
SKILL.md accurately describes the scripts, but the scripts perform broad system changes and handle secrets. Notable issues: bootstrap.sh generates a GPG key using %no-protection (creates an unencrypted private key), which weakens secret protection and contradicts the SKILL.md security claim. restore.sh will overwrite ~/.gnupg, ~/.password-store, rclone config, keyrings, and other credential files from the backup tarball — expected for a restore, but potentially destructive and sensitive. The scripts modify system SSH configuration and enable system services without finer-grained prompts. These behaviors expand the scope beyond a simple installer and require explicit user consent and backups of existing keys/configs.
Install Mechanism
There is no packaged install spec; the scripts perform network installs from recognizable hosts (nodesource setup script piped to bash, dl.google.com for Chrome, npm install -g openclaw). These are common for bootstrappers but piping a remote script into sudo bash is a moderate risk pattern — the NodeSource script is from an expected host, but running it without inspection can execute arbitrary code on the machine.
Credentials
The skill declares no required env vars or credentials, which matches the bundle. It requires sudo/root to perform system changes — appropriate for the task. However the scripts create and restore sensitive artifacts (GPG keys, password store, rclone config, keyrings, OAuth credentials) and will copy them into the user's home (potentially overwriting existing secrets). That handling of credentials is proportionate to backup/restore, but it's high sensitivity and should be treated with caution.
Persistence & Privilege
The skill does not request always:true and does not alter other skills. It does enable user linger and installs/enables an OpenClaw gateway service and hooks, and edits system services/configs (sshd_config, fail2ban, UFW), which are appropriate for a bootstrapper but are high‑privilege operations — ensure you run this only on a machine where those changes are acceptable.
What to consider before installing
This script bundle appears to do what it says (system installs, OpenClaw install, backup/restore), but it will modify system configs and manage sensitive secrets. Before running: (1) review the scripts line-by-line — especially the curl | bash NodeSource step and the npm install -g openclaw; (2) back up existing ~/.gnupg, ~/.password-store, ~/.config/rclone and any keyrings because restore.sh can overwrite them; (3) remove or change the %no-protection flag in the GPG key params if you want a passphrase‑protected key; (4) run the bootstrap on a disposable/test VM first; (5) consider manually running the networked install commands after inspecting them rather than via the automated script; and (6) confirm you trust the source before allowing these high‑privilege operations.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d7jek2g0j5zs8b81cpf7zc5827trn
342downloads
1stars
1versions
Updated 3d ago
v1.0.0
MIT-0
@lolaopenclaw
latest
Download

VPS Bootstrap

Full deployment and disaster recovery framework for OpenClaw on Ubuntu VPS.

Overview

Three scripts handle the complete lifecycle:

  1. bootstrap.sh — Fresh VPS → fully operational OpenClaw (15-20 min)
  2. restore.sh — Restore workspace, config, secrets, and crons from backup
  3. verify.sh — Post-deployment verification (all-green = ready)

Quick Start

New VPS setup

# On fresh Ubuntu 24.04 VPS
bash scripts/bootstrap.sh

Restore from backup

bash scripts/restore.sh ~/openclaw-backup-*.tar.gz

Verify everything works

bash scripts/verify.sh

What bootstrap.sh does

Sequential installation with error handling at each step:

  1. System packages — build-essential, curl, git, jq, unzip, etc.
  2. Node.js — Latest LTS via NodeSource
  3. Google Chrome — Stable channel + headless shim for browser tools
  4. OpenClaw — Global npm install + gateway service setup
  5. Security baseline — UFW firewall, fail2ban, SSH key-only auth
  6. Service setup — systemd user service with auto-restart + linger

Each step is idempotent — safe to re-run if interrupted.

What restore.sh does

Extracts a backup tarball and restores:

  • Workspace files (SOUL.md, MEMORY.md, AGENTS.md, memory/, scripts/)
  • OpenClaw config (openclaw.json, .env)
  • Cron database
  • GPG keys + password store (encrypted secrets)
  • OAuth credentials (GOG, rclone)
  • System config snapshot

What verify.sh does

Runs 10+ checks and reports pass/fail:

  • OpenClaw gateway running and healthy
  • Telegram/Discord providers connected
  • Browser tools functional
  • Backup system operational
  • Cron jobs loaded
  • SSH security baseline
  • Disk space and memory

Backup Script (Optional)

For automated daily backups, see references/backup-guide.md.

Customization

Edit scripts/bootstrap.sh variables at the top:

OPENCLAW_PORT=18789        # Gateway port
ENABLE_FIREWALL=true       # UFW setup
ENABLE_FAIL2BAN=true       # SSH protection
INSTALL_CHROME=true        # Browser tools support

Requirements

  • Ubuntu 22.04+ or Debian 12+
  • Root or sudo access
  • 2GB+ RAM recommended
  • SSH key access configured

Security Notes

  • Scripts never store secrets in plaintext in the skill itself
  • GPG keys are backed up encrypted
  • SSH is hardened to key-only authentication
  • Gateway binds to localhost by default

Comments

Loading comments...