This skill appears purpose-built rather than malicious, but it exposes OpenClaw agent control over the network with broad defaults and persistent global configuration changes that users should review carefully.
Install only if you intentionally want to expose agent execution as a network API. Prefer binding to 127.0.0.1 behind a TLS reverse proxy, or enable HTTPS before cross-host use; protect and rotate the API key; set expose_skills and allowed_agent_ids narrowly; review deny_skills; back up ~/.openclaw/openclaw.json; avoid OPENCLAW_CONFIG_SYNC_PATHS unless you need it; and disable the watchdog if you do not want automatic restart and hook-config repair.