Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GigaChat (Sber AI) Proxy

v1.1.2

Integrate GigaChat (Sber AI) with OpenClaw via gpt2giga proxy

by Alex (@smvlx)
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binaries (python3, curl), required env vars (GIGACHAT_CREDENTIALS, GIGACHAT_SCOPE), and the packaged scripts all align with running a local gpt2giga proxy and patching OpenClaw config. The primary credential and declared config paths match the described workflow.
Instruction Scope
SKILL.md and included scripts limit actions to: loading the local env file, starting/stopping a local gpt2giga process, backing up and patching the OpenClaw config, and checking process/port status. Scripts source a user-local env file and may be influenced by optional env overrides (GIGACHAT_ENV_FILE, OPENCLAW_CONFIG) but do not reference or exfiltrate other system secrets or remote endpoints beyond the expected Sber API via gpt2giga.
Install Mechanism
Installation is via pip (scripts/setup.sh: pip3 install gpt2giga) / declared uv package 'gpt2giga'. This is expected for a Python proxy but carries the usual PyPI risk (installing third-party package code). There are no downloads from unknown URLs or archive extracts in the skill itself.
Credentials
Only GIGACHAT_CREDENTIALS and GIGACHAT_SCOPE are required, which is proportionate for an OAuth-based proxy. The skill advises storing credentials in a local env file and exporting them; those files are sensitive and should be permissioned (the skill itself recommends chmod 600). Note: scripts export additional non-secret env flags (GIGACHAT_VERIFY_SSL_CERTS, GPT2GIGA_HOST/PORT) and write logs to ~/.openclaw/gpt2giga.log which could contain diagnostic info.
Persistence & Privilege
Skill is not always-enabled and is user-invocable. It writes its own PID/log files under the user's ~/.openclaw directory and can patch the user's OpenClaw config (intentional for its purpose). It does not request system-wide privileges or modify other skills' credentials.
Assessment
This skill appears to do what it claims, but before installing: (1) review the gpt2giga package on PyPI/GitHub to ensure you trust it (pip install will run third‑party code); (2) store your CLIENT_ID/CLIENT_SECRET carefully (the skill uses a base64-encoded GIGACHAT_CREDENTIALS in a file—use chmod 600 and keep it in your home directory); (3) check ~/.openclaw/gpt2giga.log after startup for any sensitive output (tokens might appear in logs depending on upstream library behavior); (4) back up your openclaw.json before running the patch script (the script does create a .bak but verify contents); (5) consider running the proxy on an isolated user account or container if you want extra separation; and (6) install the Sber root CA to enable SSL verification as suggested to avoid running with TLS verification disabled.


Runtime requirements

🤖 Clawdis
OS: macOS · Linux
Bins: python3, curl
Env: GIGACHAT_CREDENTIALS, GIGACHAT_SCOPE
Primary env: GIGACHAT_CREDENTIALS

Install

uv: uv tool install gpt2giga
License: MIT-0

GigaChat Skill

Integrate GigaChat (Sber AI) with OpenClaw via gpt2giga proxy.

Features

  • Three models: GigaChat, GigaChat-Pro, GigaChat-Max
  • OpenAI API compatibility via gpt2giga proxy
  • Automatic token management (gpt2giga handles OAuth internally)
  • Credentials passed via environment variables only (never on CLI)

Prerequisites

  1. GigaChat API Access:

    • Register at https://developers.sber.ru/
    • Create a GigaChat API application
    • Note your Client ID and Client Secret
    • Choose scope: GIGACHAT_API_PERS (free tier) or GIGACHAT_API_CORP (paid)
  2. Python & gpt2giga:

    pip3 install gpt2giga
    
  3. Environment File: Create ~/.openclaw/gigachat-new.env:

    CLIENT_ID="your-client-id-here"
    CLIENT_SECRET="your-client-secret-here"
    
    # Auto-generate credentials (base64 of CLIENT_ID:CLIENT_SECRET).
    # tr strips the line wrap that GNU base64 inserts after 76 characters.
    GIGACHAT_CREDENTIALS=$(printf '%s' "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')
    GIGACHAT_SCOPE="GIGACHAT_API_PERS"
    

Quick Start

1. Start the proxy

/openclaw/skills/gigachat/scripts/start-proxy.sh

Output:

Starting gpt2giga proxy on port 8443...
✅ gpt2giga started successfully (PID: 12345)
   Log: ~/.openclaw/gpt2giga.log
   Endpoint: http://localhost:8443/v1/chat/completions

gpt2giga handles OAuth token generation and refresh internally using the GIGACHAT_CREDENTIALS environment variable.

2. Configure OpenClaw

Run the patch script (backs up your config first):

/openclaw/skills/gigachat/scripts/patch-config.sh

Or add manually to openclaw.json:

{
  "models": {
    "providers": {
      "gigachat": {
        "baseUrl": "http://127.0.0.1:8443",
        "apiKey": "not-needed",
        "api": "openai-completions",
        "models": [
          {
            "id": "GigaChat-Max",
            "name": "GigaChat MAX",
            "contextWindow": 32768,
            "maxTokens": 8192
          },
          {
            "id": "GigaChat-Pro",
            "name": "GigaChat Pro",
            "contextWindow": 32768,
            "maxTokens": 4096
          },
          {
            "id": "GigaChat",
            "name": "GigaChat Lite",
            "contextWindow": 8192,
            "maxTokens": 2048
          }
        ]
      }
    }
  }
}

3. Test

curl -s -X POST http://localhost:8443/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{
    "model": "GigaChat-Max",
    "messages": [{"role": "user", "content": "Привет!"}]
  }' | jq -r '.choices[0].message.content'

Expected output:

Привет! Как дела?

Creating an Agent

Add a GigaChat-powered agent to openclaw.json:

{
  "agents": {
    "list": [
      {
        "id": "ruslan",
        "name": "Ruslan",
        "emoji": "🐻",
        "model": "gigachat/GigaChat-Pro",
        "workspace": "/root/.openclaw/agents/ruslan/workspace"
      }
    ]
  }
}

Create agent workspace:

mkdir -p /root/.openclaw/agents/ruslan/workspace

IDENTITY.md:

# IDENTITY.md

- Name: Ruslan
- Creature: Российский AI-ассистент
- Vibe: Дружелюбный, знает русский контекст
- Emoji: 🐻

SOUL.md:

# SOUL.md — Кто ты

Ты Руслан. Российский AI-ассистент на базе GigaChat.

Говоришь на русском, знаешь русский контекст (кухня, культура, реалии).
Отвечаешь кратко и по делу. Без лишней вежливости.

Token Management

gpt2giga handles OAuth token generation and refresh automatically using the GIGACHAT_CREDENTIALS environment variable. No manual token management is needed.

If the proxy loses its token (e.g. after a long idle period), restart it:

/openclaw/skills/gigachat/scripts/start-proxy.sh

Troubleshooting

Issue: 401 Unauthorized

Cause: Token expired or invalid credentials
Fix: Restart proxy script (generates fresh token)

Issue: 402 Payment Required

Cause: Quota exhausted for that model
Fix: Try a different model or wait for quota reset

  • Free tier: Limits per model
  • Strategy: Rotate between Max → Pro → Lite

Issue: Process defunct / zombie

Cause: gpt2giga crashes but holds port
Fix:

fuser -k 8443/tcp
/openclaw/skills/gigachat/scripts/start-proxy.sh

Architecture

OpenClaw → http://localhost:8443/v1/chat/completions
           ↓
       gpt2giga (proxy, env-var auth)
           ↓
   Sber GigaChat API (OAuth token auto-managed)

Flow:

  1. Startup script exports credentials as environment variables
  2. gpt2giga starts and handles OAuth token generation internally
  3. OpenClaw sends OpenAI-format requests to localhost:8443
  4. gpt2giga translates to GigaChat format and manages auth
  5. Responses translated back to OpenAI format

Files

  • scripts/start-proxy.sh — Start proxy with env-var credentials
  • scripts/start.sh — Alternative start (nohup)
  • scripts/stop.sh — Stop proxy
  • scripts/status.sh — Check proxy status
  • scripts/setup.sh — Install gpt2giga from PyPI
  • scripts/patch-config.sh — Add GigaChat provider to openclaw.json (backs up config first)
  • SKILL.md — This file

Limitations

  • Free Tier Quotas: Limited tokens per model
  • SSL Verification: Disabled by default due to Sber's custom CA; install Sber root CA to /etc/ssl/certs/sber-ca.crt to enable
  • Credentials: Passed via environment variables only (never on the command line); protect ~/.openclaw/gigachat-new.env with chmod 600
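
A pre-flight check for the points above and in the scan assessment, as an added example that is not part of the skill's own scripts: it verifies the env file before anything sources it, checks that GIGACHAT_CREDENTIALS is a single base64 token, and looks for the credential in the proxy log. The function names are hypothetical; the file and variable names are the ones this page uses.

```shell
#!/bin/sh
# Added example, not shipped with the skill. Function names are hypothetical.

# env_file_is_private FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits (600 or 400).
# The start scripts source this file, so anyone who can write it runs code
# as the user, and anyone who can read it gets the client secret.
env_file_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    listing=$(ls -ldn "$f")
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || { echo "not owned by current user: $f" >&2; return 1; }
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(printf '%s' "$listing" | cut -c5-10)" = "------" ] || {
        echo "group/other bits set, run: chmod 600 $f" >&2; return 1; }
}

# credentials_well_formed VALUE
# GIGACHAT_CREDENTIALS must be one base64 token. GNU base64 wraps output at
# 76 columns, which embeds a newline in the value for longer inputs.
credentials_well_formed() {
    [ -n "$1" ] || return 1
    case $1 in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
}

# log_contains_secret LOGFILE SECRET
# Succeeds if SECRET appears verbatim in LOGFILE. The pattern is fed on
# stdin by the printf builtin, so the secret never shows up in grep's argv.
log_contains_secret() {
    [ -n "$2" ] && [ -f "$1" ] || return 1
    printf '%s\n' "$2" | grep -F -q -f /dev/stdin "$1"
}
```

Run `env_file_is_private ~/.openclaw/gigachat-new.env` before starting the proxy, and `log_contains_secret ~/.openclaw/gpt2giga.log "$GIGACHAT_CREDENTIALS"` after the first request.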
