ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openmaic

v0.3.1

Guided SOP for setting up and using OpenMAIC from OpenClaw. Use when the user wants to clone the OpenMAIC repo, choose a startup mode, configure recommended...

4· 3.2k·31 current·32 all-time
by@wyuc

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wyuc/openmaic.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Openmaic" (wyuc/openmaic) from ClawHub.
Skill page: https://clawhub.ai/wyuc/openmaic
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openmaic

ClawHub CLI

Package manager switcher

npx clawhub@latest install openmaic
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (OpenMAIC setup and classroom generation) align with the instructions: cloning the repo, configuring provider keys, starting the service, and calling the OpenMAIC APIs. The skill does not request unrelated binaries or credentials in the registry metadata.
Instruction Scope
Instructions are explicit and mostly limited to the OpenMAIC setup domain (git clone, pnpm, docker compose, health checks, POST/GET to the OpenMAIC server). The skill forbids asking users to paste API keys into chat and directs edits to local server-side configs. However, the skill will read a local skill config (~/.openclaw/openclaw.json) and—if an accessCode is present—defaults into hosted mode and will use it (including making authenticated requests to https://open.maic.chat). The SKILL.md says to 'still confirm before acting' but other parts instruct to 'use it directly' and 'do not ask the user to paste the code again', which is a small contradiction about whether the skill should confirm before using a stored secret to make network calls.
Install Mechanism
No install spec or code is included (instruction-only). That minimizes risk from arbitrary downloads or executables being written to disk.
Credentials
The skill itself does not require any environment variables or credentials. It documents and recommends many provider keys for OpenMAIC (OpenAI, Anthropic, Google, and optional image/video/tts/search keys) but instructs the user to place them in local .env or server-providers.yml themselves. Requiring multiple provider keys is proportionate to the functionality offered and is presented as optional.
Persistence & Privilege
always:false and no installs means the skill has no elevated persistence. However, because the skill reads a per-user config file (~/.openclaw/openclaw.json) and can be invoked by the agent (disable-model-invocation:false), it could read and use a stored accessCode to contact the hosted OpenMAIC service without asking the user to paste the code. That combination (autonomous invocation + stored access-code use) increases the blast radius if you are uncomfortable with the skill invoking remote APIs on your behalf.
What to consider before installing
This skill appears to implement a coherent SOP for installing and using OpenMAIC, but review these points before enabling it: 1) Check ~/.openclaw/openclaw.json — if it contains an accessCode (sk-...), the skill will treat that as a stored credential and may call https://open.maic.chat using it; remove the accessCode if you do not want the skill to use the hosted service automatically. 2) The skill explicitly discourages pasting API keys into chat and tells you to edit .env.local or server-providers.yml yourself; follow that guidance and never paste secrets into conversation. 3) If you are concerned about the agent making network calls without explicit consent, either avoid storing an accessCode or disable/autonomously-invokable skills in your agent settings. 4) The small contradiction in the doc ("still confirm before acting" vs "use it directly") means you should ask the agent to confirm before it performs any network request or state-changing command the first time you run this skill. If you want higher assurance, run the recommended steps manually or in a controlled shell rather than allowing the skill to act autonomously.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🏫 Clawdis
latestvk972dfmma6z2h6xwhd992nvj0h83ncv0
3.2kdownloads
4stars
6versions
Updated 9h ago
v0.3.1
MIT-0
@wyuc
latest
Download

OpenMAIC Skill

Use this as a guided, confirmation-heavy SOP. Do not compress the whole setup into one reply and do not perform state-changing actions without explicit user confirmation.

Core Rules

  • Move one phase at a time.
  • Before any state-changing action, ask for confirmation.
  • If local state already exists, show what you found and ask whether to keep it.
  • Do not assume the OpenClaw agent's own model or API key will be reused by OpenMAIC.
  • OpenMAIC classroom generation uses OpenMAIC server-side provider config.
  • This skill must not rely on any request-time model or provider overrides.
  • Only OpenMAIC server-side config files may control provider selection and defaults.
  • Do not default to asking the user to paste API keys into chat.
  • Prefer guiding the user to edit local config files themselves.
  • Do not offer to write API keys into config files on the user's behalf.
  • Once setup is complete and the user clearly asks to generate a classroom, do not ask for a second confirmation before submitting the generation job.
  • Keep confirmations for local file reads such as reading a PDF from disk.

Optional Skill Config

If present, read defaults from ~/.openclaw/openclaw.json under:

{
  "skills": {
    "entries": {
      "openmaic": {
        "enabled": true,
        "config": {
          "accessCode": "sk-xxx",
          "repoDir": "/path/to/OpenMAIC",
          "url": "http://localhost:3000"
        }
      }
    }
  }
}
  • If accessCode is present, default to hosted mode and skip the mode-selection prompt.
  • Use repoDir and url only as defaults for local mode.
  • Still confirm before acting.

SOP Phases

0. Choose Mode

First check skill config for accessCode. If present, announce that a stored access code was found and proceed directly to hosted mode (load references/hosted-mode.md, skip phases 1–4). Do not ask the user to paste the code again.

If no accessCode in config, ask the user how they want to use OpenMAIC:

  1. Use hosted OpenMAIC (recommended for quick start) — Requires an access code from open.maic.chat. No local setup needed.
  2. Run locally — Clone the repo, configure provider keys, and run on your machine.

If the user chooses hosted mode, load references/hosted-mode.md and skip phases 1–4. If the user chooses local mode, proceed to phase 1 as usual.

1. Clone Or Reuse Existing Repo

Load references/clone.md.

Use this when the user has not installed OpenMAIC yet or when you need to confirm which local checkout to use.

2. Choose Startup Mode

Load references/startup-modes.md.

Use this after the repo location is confirmed. Present the available startup modes, recommend one, and wait for the user's choice.

3. Configure Provider Keys

Load references/provider-keys.md.

Use this before starting classroom generation. Recommend a provider path and tell the user exactly which config file to edit themselves. If generation later fails due to provider/model/auth issues, return to this phase and direct the user to update the same server-side config files.

After the core LLM key is configured, ask the user if they want to enable optional features (web search, image generation, video generation, TTS). Each requires its own provider key — see the "Optional Features" section in provider-keys.md.

4. Start And Verify OpenMAIC

After the user has chosen a startup mode and configured keys, start OpenMAIC using the chosen method, then verify the service with GET {url}/api/health.

5. Generate A Classroom

Load references/generate-flow.md.

Use this only after the service is healthy. Confirm before reading local PDFs. If the user has already clearly asked to generate, do not ask for a second confirmation before submitting the generation job, and then follow the polling loop until it succeeds or fails. Only send the supported content fields for generation requests. For long-running jobs, prefer sparse polling and tell the user to check back later if the turn ends before completion.

Response Style

  • Keep each step short and explicit.
  • Prefer 2-3 concrete options when the user must choose.
  • Always include the recommended option first and explain why in one sentence.
  • After a step completes, say what changed and what the next confirmation is for.
  • When returning a classroom link, place the raw absolute URL on its own line with no bold, markdown link syntax, code formatting, or tables.

Comments

Loading comments...