Skillv1.0.0

ClawScan security

VPS Bootstrap · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 3:04 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is largely coherent for bootstrapping and restoring an OpenClaw VPS, but it performs high‑privilege system changes, restores and installs sensitive credentials, and contains a couple of risky practices (creating an unprotected GPG key; piping a remote NodeSource script to bash) that deserve careful review before use.
Guidance: This script bundle appears to do what it says (system installs, OpenClaw install, backup/restore), but it will modify system configs and manage sensitive secrets. Before running: (1) review the scripts line-by-line — especially the curl | bash NodeSource step and the npm install -g openclaw; (2) back up existing ~/.gnupg, ~/.password-store, ~/.config/rclone and any keyrings because restore.sh can overwrite them; (3) remove or change the %no-protection flag in the GPG key params if you want a passphrase‑protected key; (4) run the bootstrap on a disposable/test VM first; (5) consider manually running the networked install commands after inspecting them rather than via the automated script; and (6) confirm you trust the source before allowing these high‑privilege operations.

Review Dimensions

Purpose & Capability: okThe name/description match what the files do: install system packages, Node.js, Chrome, OpenClaw, configure firewall/fail2ban/SSH, enable gateway services, and provide backup/restore and verification. Required privileges (root/sudo) and target paths (~/.openclaw, /etc/ssh, /etc/fail2ban, /usr/local/bin) are consistent with a bootstrap/restore tool.
Instruction Scope: concernSKILL.md accurately describes the scripts, but the scripts perform broad system changes and handle secrets. Notable issues: bootstrap.sh generates a GPG key using %no-protection (creates an unencrypted private key), which weakens secret protection and contradicts the SKILL.md security claim. restore.sh will overwrite ~/.gnupg, ~/.password-store, rclone config, keyrings, and other credential files from the backup tarball — expected for a restore, but potentially destructive and sensitive. The scripts modify system SSH configuration and enable system services without finer-grained prompts. These behaviors expand the scope beyond a simple installer and require explicit user consent and backups of existing keys/configs.
Install Mechanism: noteThere is no packaged install spec; the scripts perform network installs from recognizable hosts (nodesource setup script piped to bash, dl.google.com for Chrome, npm install -g openclaw). These are common for bootstrappers but piping a remote script into sudo bash is a moderate risk pattern — the NodeSource script is from an expected host, but running it without inspection can execute arbitrary code on the machine.
Credentials: noteThe skill declares no required env vars or credentials, which matches the bundle. It requires sudo/root to perform system changes — appropriate for the task. However the scripts create and restore sensitive artifacts (GPG keys, password store, rclone config, keyrings, OAuth credentials) and will copy them into the user's home (potentially overwriting existing secrets). That handling of credentials is proportionate to backup/restore, but it's high sensitivity and should be treated with caution.
Persistence & Privilege: okThe skill does not request always:true and does not alter other skills. It does enable user linger and installs/enables an OpenClaw gateway service and hooks, and edits system services/configs (sshd_config, fail2ban, UFW), which are appropriate for a bootstrapper but are high‑privilege operations — ensure you run this only on a machine where those changes are acceptable.