Skill v1.1.0
ClawScan security
OpenClaw VPS Deploy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 5:17 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it claims (deploy OpenClaw to a VPS), but it omits and mishandles sensitive details (API keys, local vault access), and the provided script performs privileged remote operations — review before use.
- Guidance: Plain-language considerations before installing or running this skill:
  - This skill will ask you to provide an SSH private key and will run as root on the remote VPS (apt installs, curl|bash, write systemd services, open firewall ports). Only run it against servers you control and trust.
  - The SKILL.md and deploy.py expect ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY) but the package metadata does not declare these requirements — assume you must supply these keys. Check where the keys are stored: the script reads ~/.openclaw/secrets.json if present. Confirm you are comfortable with that file being read.
  - The deploy script may write tokens/config files both on the remote machine and (per the docs) to a local vault; locate and inspect any local secrets file the script creates. If you do not want secrets stored locally, inspect/modify the script before running.
  - The script will clone and build arbitrary git repos you pass; only deploy code from repositories you trust. A malicious fork would execute code on the VPS as root.
  - The script runs 'curl https://deb.nodesource.com/setup_22.x | bash' on the remote host. This is a convenience but carries the usual security trade-offs of piping remote scripts into shell. Prefer to review the script or use a curated package source.
  - Because part of deploy.py was truncated in the provided bundle, review the full file before use to ensure there are no extra operations (e.g., transmitting secrets off-host) in the omitted portion.
  - Recommended safe steps: inspect full deploy.py locally, test on an isolated/staging VPS first, back up any keys or configs, and only supply API keys and SSH keys after you confirm exactly where they will be written and stored.
Review Dimensions
- Purpose & Capability (concern): The skill's purpose (deploy OpenClaw to Hostinger VPS) matches the shipped code: the script connects via SSH, installs Node, installs/builds OpenClaw, writes config, configures systemd and UFW. However, the registry metadata declares no required environment variables or primary credential while both the SKILL.md and the script clearly rely on ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY). That omission is an incoherence: anyone deploying OpenClaw will legitimately need an API key, so the skill should declare that upfront.
- Instruction Scope (concern): Runtime instructions and the script read local secrets (~/.openclaw/secrets.json) and environment variables, generate and place an auth token, and run many privileged remote commands as root (apt installs, curl | bash, writing /etc/systemd/system, enabling services, opening firewall ports). Reading a local vault and writing tokens locally (SKILL.md claims saving token to local vault) is outside a minimal deployer's needs unless clearly documented and consented to; the SKILL.md and code are not fully consistent about what is saved locally vs remotely. The script also executes unverified upstream actions (npm install -g, git clone of arbitrary repos) which will be executed on the remote host.
- Install Mechanism (note): There is no install spec for the skill itself (no code installed locally by the platform) — low platform install risk. The script will pip-install paramiko locally if missing and use apt/curl on the remote host, including running the NodeSource setup script via curl | bash and npm/pnpm operations. These are typical for remote provisioning, but curl | bash and cloning arbitrary git repos are higher-risk operations on the target VPS and should be run only against trusted sources.
- Credentials (concern): The skill did not declare required environment variables in registry metadata, yet both documentation and the script require an ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY). The script will read keys from environment or from a local vault (~/.openclaw/secrets.json). Reading the user's local secrets file is a significant sensitive action and is not reflected in the skill's declared requirements — this mismatch increases the risk of accidental exposure or misuse of credentials.
- Persistence & Privilege (ok): The skill does not request 'always: true' and does not modify other skills or platform configuration. It creates and enables a systemd service on the remote VPS (expected for a deploy tool) and opens firewall ports — those are privileged remote actions but coherent with the deploy purpose. Autonomous invocation is allowed by default but not by itself a red flag here.
