ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Setup Assistant

v1.0.0

Automates OpenClaw VPS setup, applies security hardening, configures multi-agent systems, messaging integrations, and generates deployment documentation.

0· 220·1 current·1 all-time
by@harvnk

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for harvnk/openclaw-setup-assistant.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "OpenClaw Setup Assistant" (harvnk/openclaw-setup-assistant) from ClawHub.
Skill page: https://clawhub.ai/harvnk/openclaw-setup-assistant
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-setup-assistant

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-setup-assistant
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md claims to perform full VPS setup (installing Node.js/OpenClaw, configuring UFW, SSH, fail2ban, creating users, editing openclaw.json, binding gateways, installing integrations). Those actions normally require root/sudo, specific binaries (node, ufw, fail2ban, systemctl, cron), and credentials for AI providers and messaging platforms. The registry metadata, however, lists no required env vars, binaries, or config paths — an incoherence between claimed purpose and declared requirements.
!
Instruction Scope
Instructions are high-level but direct the agent to perform system-level changes (user creation, firewall rules, package installs, editing configuration files, binding services, setting up cron jobs) and to configure external integrations using API keys/tokens. The SKILL.md does not include explicit safe-guards, nor does it enumerate precisely which credentials or files will be read/written, giving the agent broad discretion over sensitive operations.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk because nothing will be written by a packaged installer. The risk comes from the actions the instructions ask the agent to perform on the target VPS, not from an installer downloading arbitrary code.
!
Credentials
SKILL.md explicitly requires 'AI provider API key' and optionally 'messaging platform bot token', and expects SSH root/sudo access. Yet the skill metadata declares no required env vars, primary credential, or config paths. Requesting broad credentials (provider keys, messaging tokens, root SSH access) is proportionate to the described actions — but the absence of declared required secrets in metadata is an inconsistency that prevents automated vetting and increases risk.
Persistence & Privilege
The skill is not 'always: true' (good) and has no install mechanism, but it instructs the agent to make durable system changes (users, firewall, cron jobs, backups). The default allowance for autonomous invocation is enabled; combined with the above inconsistencies, autonomous execution could have a large blast radius. There is no evidence the skill modifies other skills or system-wide agent configs.
What to consider before installing
Do not run this skill on a production host without manual review. Specific actions to take before installing/using: 1) Ask the publisher for provenance and a vetted install script or step-by-step commands you can inspect; 2) Require the skill to declare exactly which environment variables and files it will read/write (AI keys, bot tokens, openclaw.json path); 3) Test in an isolated VM or staging instance first; 4) Provide only temporary, least-privilege API tokens (rotate or revoke after testing); 5) Review any commands the agent proposes before executing, especially user creation, firewall and package installation steps; 6) Ensure the gateway/service is actually bound to localhost and sandbox mode is enabled in configuration; 7) Prefer manual setup or a signed/traceable installer if you cannot audit the commands. If the publisher cannot explain the metadata omissions (no declared env vars/binaries) and provide transparent install instructions, consider this skill untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ybzw8kswvd8wp063ngat41837ey0
220downloads
0stars
1versions
Updated 1d ago
v1.0.0
MIT-0
@harvnk
latest
Download

OpenClaw Setup Assistant

Automated VPS setup, security hardening, and multi-agent configuration for OpenClaw deployments.

Use when: setting up OpenClaw on a new VPS, hardening security, configuring multi-agent architecture, or deploying messaging integrations.

What it does

This skill guides you through a complete production-ready OpenClaw deployment:

  1. System Setup — Install OpenClaw, configure Node.js, set up the gateway
  2. Security Hardening — UFW firewall, SSH key-only auth, fail2ban, dedicated non-root user, sandbox mode
  3. Agent Configuration — SOUL.md persona, MEMORY.md persistence, daily notes, heartbeats
  4. Multi-Agent Architecture — Coordinator + specialized worker agents with isolated workspaces
  5. Messaging Integration — Telegram, Discord, WhatsApp, Slack — connected and tested
  6. Automation — Cron jobs, heartbeat monitoring, automated backups, health checks
  7. Documentation — Generates setup-specific docs for future reference

Usage

Setup OpenClaw on my VPS at 192.168.1.100 with Claude and Telegram integration

Harden my existing OpenClaw installation with full security

Configure a 3-agent architecture: main coordinator, research agent, and content agent

Requirements

  • Ubuntu 22.04+ or Debian 12+ VPS
  • SSH access (root or sudo user)
  • AI provider API key (Anthropic, OpenAI, or Google)
  • Messaging platform bot token (optional)

Security Checklist

The skill ensures:

  • UFW firewall enabled (ports 22, 80, 443 only)
  • SSH key-only authentication (password disabled)
  • fail2ban installed and configured
  • Non-root dedicated user for OpenClaw
  • Gateway bound to localhost only (not exposed)
  • Sandbox mode enabled in openclaw.json
  • Automated daily backups configured

Tags

openclaw, vps-setup, security, multi-agent, deployment, telegram, discord, automation

Comments

Loading comments...