ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Mobile Gateway Installer

Installs and manages OpenClaw mobile gateway as a system service. Invoke when users need one-command deploy, start, stop, upgrade, or uninstall.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 26 · 0 current installs · 0 all-time installs
by@jason141123-sys
MIT-0
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the presence of install.sh, uninstall.sh and a backend service. However the backend code accesses the user's OpenClaw config (by default ~/.openclaw/openclaw.json), enumerates installed skills directories, and can persist changes to that config — behavior not documented in SKILL.md/README.
!
Instruction Scope
SKILL.md instructs the user to set OPENCLAW_API_BASE_URL and optionally an auth header and run install.sh. The install script (and bundled backend) do more than 'install the gateway': they copy code to /opt, create /etc/openclaw-mobile-gateway/env (containing provided auth values), register a systemd service, run npm install (network), and the backend will read and write local OpenClaw config and inspect runtime skill directories. Those file reads/writes and potential mutation of user config are not described in the runtime instructions.
Install Mechanism
No registry install spec; this is instruction+bundle based. install.sh copies files to /opt, runs npm install inside the deployed backend (network access to npm registry), and creates a systemd unit. This is typical for an installer but means code from npm will be fetched at install time and new files will be written to /opt and /etc.
!
Credentials
The skill bundle does not declare required env vars, but install.sh expects OPENCLAW_API_BASE_URL and may be given OPENCLAW_AUTH_HEADER_VALUE which gets written to /etc/openclaw-mobile-gateway/env. The backend also reads OPENCLAW_CONFIG_PATH (defaults to ~/.openclaw/openclaw.json) and can read provider apiKey, channel secrets, etc., and can write that same file. This is broader credential/config access than the description explicitly warns about.
Persistence & Privilege
The installer creates a systemd service (enabled + restarted) that runs on boot and listens on the configured port (defaults to 4800). It therefore gains persistent presence on the system and network exposure. The skill metadata does not set always:true, and autonomous invocation metadata is default.
What to consider before installing
This package will copy a Node backend to /opt, run npm install (network), create /etc/openclaw-mobile-gateway/env containing any auth header value you provide, and register a systemd service that listens on port 4800. The backend code will also read and may overwrite your OpenClaw config file (by default ~/.openclaw/openclaw.json) and will enumerate local skills directories — meaning it can access API keys, channel secrets, and other configuration stored there. Before installing: (1) review backend/src/services.ts and the rest of the source (particularly any functions that perform system commands or downloads), (2) avoid supplying high-privilege tokens unless necessary, (3) prefer installing in an isolated VM or container or restrict the service to localhost/firewall if you do install on a host, and (4) consider auditing the npm install step and the node_modules that will be fetched. If the author can confirm the backend only uses the OpenClaw config for safe read-only purposes (and the service is bound to 127.0.0.1), that would reduce concern.
backend/src/services.ts:594
Shell command execution detected (child_process).
backend/src/services.ts:16
Environment variable access combined with network send.
!
backend/src/services.ts:4
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.3
Download zip
devopsvk97646qfka64hwmp62rx9rg4zh830r3vgatewayvk97646qfka64hwmp62rx9rg4zh830r3vinstallervk97646qfka64hwmp62rx9rg4zh830r3vlatestvk975bvcfxc9py52ag8epz9gpdn830es3mobilevk97646qfka64hwmp62rx9rg4zh830r3vopenclawvk97646qfka64hwmp62rx9rg4zh830r3vsystemdvk97646qfka64hwmp62rx9rg4zh830r3v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

OpenClaw Mobile Gateway Installer

作用

一键安装并管理 OpenClaw 移动端管理网关,自动注册为 systemd 服务并开机自启。

何时调用

  • 用户希望快速部署移动端管理网关
  • 用户希望开机自动启动网关
  • 用户需要升级、重启、卸载网关
  • 用户需要检查健康状态和端口监听

目录结构

  • backend/: 网关后端源码
  • install.sh: 安装/升级并启动服务
  • check.sh: 服务与健康检查
  • uninstall.sh: 卸载服务与目录

使用命令

export OPENCLAW_API_BASE_URL="https://openclaws.example.com"
export OPENCLAW_AUTH_HEADER_NAME="Authorization"
export OPENCLAW_AUTH_HEADER_VALUE="Bearer <token>"
bash ./install.sh

bash ./check.sh

bash ./uninstall.sh

安装后

  • 服务名:openclaw-mobile-gateway
  • 默认端口:4800
  • 健康检查:http://127.0.0.1:4800/health
  • APK 网关地址:http://<server-ip>:4800

常见排查

  • 如果 APK 提示 Cannot GET /api/quick-actions,说明服务端网关版本过旧,重新执行 bash ./install.sh 升级即可。

Files

14 total
Select a file
Select a file to preview.

Comments

Loading comments…