ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Power Ops

v1.0.0

Operate and maintain OpenClaw installations — CLI commands, config management, channel/agent/model setup, security auditing, troubleshooting, and gateway adm...

0· 973·11 current·11 all-time
by@kapslap
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and all commands in SKILL.md and references are consistent with an OpenClaw operations/admin helper: CLI commands, config paths, gateway, agents, channels, security audits, and remediation steps. No unrelated binaries or env vars are requested.
!
Instruction Scope
Instructions tell the agent to read local OpenClaw state (e.g., ~/.openclaw, openclaw.json, credentials directories) and to run potentially state-changing commands (e.g., `openclaw security audit --fix`, `openclaw doctor --fix`, `openclaw gateway restart`). Those are within admin scope, but the SKILL.md also instructs to 'Load the docs before turning it loose' and to run `claude` to 'Audit this workspace' without clarifying whether that LLM runs locally or remotely. If the LLM is remote, this step could leak secrets (bot tokens, credentials, configs) to an external service. The automatic fix commands can also modify sensitive configuration — backup/confirm before running.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal surface area and nothing is written to disk by the skill itself.
Credentials
The skill declares no required env vars or credentials (proportional), but its guidance deals extensively with secrets (bot tokens, tokenFile migration, gateway.auth.token generation, permission changes). Because the skill directs handling of secrets and suggests sending workspace contents to an LLM, the lack of explicit constraints about where the LLM runs or how secrets are handled is notable.
Persistence & Privilege
The skill does not request persistent/always-on privileges and uses normal autonomous-invocation defaults. It does not attempt to modify other skills or system-wide agent settings beyond advising use of the OpenClaw CLI.
What to consider before installing
This skill appears to be a legitimate OpenClaw admin reference, but proceed cautiously because the source is unknown and some instructions can expose or change secrets. Before installing or invoking: 1) Verify the skill content against official OpenClaw docs at https://docs.openclaw.ai; 2) Back up openclaw.json, credentials/, and agent workspaces before running --fix commands; 3) Avoid running any LLM audit that sends your ~/.openclaw or credential files to a remote service — if you must use an LLM, ensure it's configured to run locally or redact secrets first; 4) Prefer running audit/doctor commands in read-only or dry-run mode first and review proposed fixes manually; 5) Confirm any generated tokens/permission changes (e.g., gateway.auth.token, chmod changes) are applied intentionally. If you don't trust the unknown owner, treat this as documentation only and perform changes manually after review.

Like a lobster shell, security has layers — review code before you run it.

latestvk9725evmr0znpb2shf51ejc79h81w3kr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

OpenClaw Operations

Comprehensive reference for administering OpenClaw via CLI. Covers channels, agents, models, config, gateway, security, and maintenance.

Golden Rules

  1. Never edit openclaw.json directly. Use openclaw config set/get/unset or dedicated subcommands.
  2. Always restart gateway after config changes: openclaw gateway restart
  3. Telegram accounts: NO agent field inside account config. Route via bindings array instead.
  4. Telegram streaming: must be string "off", not boolean false.
  5. JSON values in config set need --strict-json.
  6. Verify after every change. Run openclaw status or the relevant status command.

Quick Diagnostics

openclaw status              # overview
openclaw status --deep       # detailed
openclaw doctor              # find problems
openclaw doctor --fix        # auto-fix what it can
openclaw gateway health      # gateway health check
openclaw security audit      # security scan
openclaw security audit --deep --fix  # deep scan + auto-fix

Deep Audit with Claude Code

Load the docs before turning it loose — the difference is night and day.

cd ~/.openclaw
claude
# "Read https://docs.openclaw.ai/cli — the full CLI reference.
#  Now read the config and architecture pages too."
# Then: "Audit this workspace for security issues."

CLI Reference

For the full CLI cheatsheet covering all commands, config paths, and examples: → Read references/cli-cheatsheet.md

Security Audit Reference

For security findings, applied fixes, and remaining remediation items: → Read references/security-audit.md

Common Pitfalls

MistakeFix
Put agent field in Telegram account configUse bindings array at top level
Set streaming: false (boolean)Must be streaming: "off" (string)
Edited openclaw.json directlyUse CLI commands; openclaw config set
Forgot gateway restart after configAlways openclaw gateway restart
Used jared@ for VPS SSHMust use root@clawdbot
Set dmPolicy: "open" with allowFrom: ["*"]Use "pairing" or explicit user IDs
Set controlUi.allowedOrigins: ["*"]Restrict to ["http://localhost:PORT"]

Online Docs

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…