Tophant Clawvault Installer

Pass. Audited by ClawScan on Apr 30, 2026.

Overview

The skill appears to do what it claims (install and manage a local MITM inspection proxy), and its requests (create a venv, write config, modify an OpenClaw unit file, use the network) are coherent with that purpose. It nevertheless carries meaningful supply-chain and local-MITM risks that you should review before installing.

This skill is coherent with its stated purpose, but it performs actions that materially change how your agent communicates, and it installs unpinned code from GitHub. Before installing:

1) Read SECURITY.md and confirm that a MITM proxy which will see API keys and prompts is acceptable for your threat model.
2) Prefer installing in a disposable VM/container or on a test machine first.
3) If possible, modify the installer to install from a pinned commit/tag, or verify the commit SHA before pip install.
4) Do not expose the dashboard (keep it bound to 127.0.0.1) and avoid using --dashboard-host 0.0.0.0.
5) Back up any openclaw-gateway.service you rely on before allowing the installer to inject proxy env variables (or run with --no-proxy).
6) Consider retention settings for ~/.ClawVault/audit.db (it is stored locally by default and retained indefinitely).

If you want a higher-assurance posture, request a signed release, or run the installation flow with a code review of the repository/commit targeted by the installer.