ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Openclaw Setup

v1.0.0

Use when installing or configuring OpenClaw with DingTalk, Feishu, Discord, and additional channels with Bailian/DashScope models on Linux hosts. Use when pr...

0· 79·0 current·0 all-time
by@cinience

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cinience/aliyun-openclaw-setup.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Aliyun Openclaw Setup" (cinience/aliyun-openclaw-setup) from ClawHub.
Skill page: https://clawhub.ai/cinience/aliyun-openclaw-setup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install aliyun-openclaw-setup

ClawHub CLI

Package manager switcher

npx clawhub@latest install aliyun-openclaw-setup
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the actions in SKILL.md: installing OpenClaw, adding DingTalk/Feishu/Discord channels, and configuring Bailian/DashScope models. However, the SKILL.md explicitly expects secrets/keys (DingTalk AppKey/AppSecret, Feishu App ID/Secret, Discord bot token, DashScope API key) while the skill metadata lists no required env vars or primary credential — an inconsistency that reduces transparency.
!
Instruction Scope
Runtime instructions tell the operator/agent to SSH as root and to fetch external docs (docs.openclaw.ai) and then 'apply installation/configuration on host' using exact commands found there. This effectively tells the agent to automatically execute commands scraped from external pages. The workflow also includes 'curl | bash' to install Node.js and global npm installs; following remote docs blindly can lead to arbitrary command execution.
!
Install Mechanism
The skill is instruction-only (no packaged install), which is lower-risk in itself, but the instructions recommend running a remote install script (curl -fsSL https://deb.nodesource.com/setup_20.x | bash -) and installing global npm packages and plugins (including plain GitHub repo installs). Those are common for this task but are moderate risk when executed automatically or without review (supply-chain / remote-execution risk).
!
Credentials
The documentation and examples reference DASHSCOPE_API_KEY and multiple channel credentials and even a systemd import of DASHSCOPE_API_KEY, but the skill metadata does not declare any required env vars or primary credential. Requesting multiple service credentials (DingTalk, Feishu, Discord, DashScope) is plausible for this setup, but their absence from metadata reduces transparency and could cause accidental credential exposure if handled incorrectly.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills. However, its workflow requires host-level changes (global npm install, adding systemd user service, creating ~/.openclaw/openclaw.json), which are legitimate for a deployment task but entail lasting changes and require care (least privilege, test host, secrets management).
What to consider before installing
This skill appears to do what it says, but exercise caution before running it unattended. Key recommendations: - Expect to provide real credentials (DingTalk/Feishu/Discord tokens and DashScope API key); ensure they are stored on the target host or a secret manager, not checked into repos. The skill metadata did not declare these env vars — treat that as a transparency gap. - Do not blindly run curl | bash or install commands pulled directly from external docs without reviewing them first. Prefer to inspect scripts and plugin repos (verify publisher, recent commits, and release tags) before installing. - When following the 'auto-discover and apply' step, avoid automatically executing commands scraped from web pages; instead, review the exact install commands and package sources first. - Use a non-production test VM and least-privilege user (avoid root when possible) to validate the procedure before applying in production. - Pin plugin versions or install from verified releases rather than arbitrary GitHub branches. Audit plugin code if you must install from a repo. - If you will import env vars into systemd (systemctl --user import-environment), confirm the environment variable names and scope so credentials are not leaked to unintended services. If you want, I can: (a) extract the exact set of commands the skill would run, (b) highlight every place it expects a secret, or (c) produce a safer, review-first checklist you can follow before executing these steps.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e7zcazgs8p6ct2e7h2tx9f18433qx
79downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
@cinience
latest
Download

OpenClaw Setup

Deploy OpenClaw on Linux, enable DingTalk, Feishu, Discord, or other documented channels, and verify gateway health.

Use This Workflow

Run this sequence in order:

  1. Prepare Linux runtime and install OpenClaw.
  2. Discover channels from official docs (required for new channel requests).
  3. Install and verify channel integrations.
  4. Create/merge ~/.openclaw/openclaw.json.
  5. Configure and start gateway service.
  6. Run health checks and collect logs.

Prerequisites

  • SSH access to target Linux host (Debian/Ubuntu preferred).
  • DingTalk enterprise app credentials (AppKey, AppSecret) for the official connector, or Feishu app credentials (App ID, App Secret), or Discord bot token.
  • DashScope API key.

Step 1: Prepare Runtime

ssh root@<server>
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
node --version
npm --version

Step 2: Install OpenClaw and Channel Integrations

npm install -g openclaw@latest
openclaw --version

# DingTalk official connector
openclaw plugins install @dingtalk-real-ai/dingtalk-connector --pin
# or install from official GitHub repo
openclaw plugins install https://github.com/DingTalk-Real-AI/dingtalk-openclaw-connector.git
openclaw plugins list | grep dingtalk

# Feishu channel
openclaw plugins install @openclaw/feishu
openclaw plugins list | grep feishu

# Discord channel (built-in, no extra plugin needed)
# Configure token in Step 3 and start gateway in Step 4

If upgrading from old DingTalk plugins, uninstall legacy plugin IDs first and keep only the official connector in plugins.allow.

Step 3: Auto-Discover Additional Channels from Official Docs

When user asks for any extra channel beyond current setup, do this first:

  1. Open https://docs.openclaw.ai/channels/index.
  2. Identify requested channel pages from the "Supported channels" list.
  3. Open each channel page and extract:
    • Whether it is built-in or plugin-based.
    • Exact install command (do not guess package names).
    • Required credentials/tokens and config keys.
  4. Apply installation/configuration on host.
  5. Record channel-specific notes into ~/.openclaw/openclaw.json.

Use the exact workflow in references/channel-discovery.md.

Step 4: Configure openclaw.json

Create or update ~/.openclaw/openclaw.json with:

  • models.providers.bailian for DashScope endpoint and models.
  • agents.defaults.model.primary in provider/model format, default to bailian/glm-5.
  • models.providers.bailian.models ordered as:
    1. qwen3-plus
    2. glm-5
    3. minimax-m2.5
    4. kimi-k2.5
  • agents.defaults.model.fallbacks ordered as:
    1. bailian/qwen3-plus
    2. bailian/minimax-m2.5
    3. bailian/kimi-k2.5
  • channels.dingtalk-connector, channels.feishu, or channels.discord credentials and policy.
  • plugins.allow including installed channel plugins.

Important:

  • Agent-level model config at ~/.openclaw/agents/main/agent/models.json can override ~/.openclaw/openclaw.json.
  • Keep provider definitions aligned in both files when defaults appear not to take effect.
  • Protocol must match endpoint:
    • api: openai-completions -> use https://dashscope.aliyuncs.com/compatible-mode/v1
    • api: openai-responses -> use https://dashscope.aliyuncs.com/api/v2/apps/protocols/compatible-mode/v1

Use the full template in references/config.md. Use DingTalk field mapping in references/dingtalk-setup.md. Use Feishu setup and field mapping in references/feishu-setup.md. Use Discord setup and field mapping in references/discord-setup.md. Use channel discovery workflow in references/channel-discovery.md.

Step 5: Install and Start Gateway

openclaw gateway install
openclaw gateway start
openclaw gateway status

If running with user-level systemd, reload after config changes:

systemctl --user import-environment DASHSCOPE_API_KEY
systemctl --user daemon-reload
systemctl --user restart openclaw-gateway

Step 6: Verify and Troubleshoot

openclaw doctor
openclaw gateway status
openclaw gateway logs -f

Common failures:

  • Plugin not loaded: re-run plugin install and check plugins.allow.
  • Unknown model: check agents.defaults.model.primary format (provider/model-id).
  • API key error: verify models.providers.bailian.apiKey and DASHSCOPE_API_KEY imported in systemd.
  • Config changed but runtime model unchanged: check and update ~/.openclaw/agents/main/agent/models.json.
  • Empty payload / unexpected fallback: verify protocol-endpoint pair (openai-completions vs openai-responses) and clear stale session if needed.
  • DingTalk no response: use openclaw logs --follow and check gateway/channels/dingtalk-connector lines for stream reconnect or credential issues.
  • Official connector installed but old probes inconsistent: rely on runtime logs and real message send/receive as source of truth.
  • Feishu no response: check event subscription mode is WebSocket and gateway is running.
  • Discord no response: verify bot intents, token, and first-DM pairing approval.

Security Notes

  • Do not hardcode real secrets in repository files.
  • Keep production keys in server-local configs or secret managers.
  • Redact logs before sharing in tickets or chat.

Validation

mkdir -p output/aliyun-openclaw-setup
echo "validation_placeholder" > output/aliyun-openclaw-setup/validate.txt

Pass criteria: command exits 0 and output/aliyun-openclaw-setup/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-openclaw-setup/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

Comments

Loading comments...