OpenClaw Installation Service

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed OpenClaw setup guide rather than hidden executable code, but following it means installing a global npm CLI, configuring messaging-channel credentials, starting a heartbeat service, and optionally paying for support. Each of those steps is something the user should verify rather than take on trust.

Before using it, verify the OpenClaw npm package and any registry mirror the guide asks you to configure, keep Feishu/DingTalk/WeChat credentials narrowly scoped and private, find out how to stop the heartbeat automation before you start it, and confirm the ClawMart listing and payment details before sending money.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the install command downloads and executes code from whichever npm registry is configured, under the user's local account. npm also runs any preinstall, install, or postinstall scripts the package defines during a global install unless it is invoked with --ignore-scripts, so the package contents matter as much as the registry.

Why it was flagged

The setup relies on installing a global npm package and optionally changing the npm registry. This is central to the stated installation purpose, but the package contents and registry provenance are not reviewed in this instruction-only artifact.

Skill content
npm install -g openclaw ... npm config set registry https://registry.npmmirror.com
Recommendation

Verify the OpenClaw npm package and registry source, pin a known-good version with a reviewed integrity hash rather than installing whatever is latest, and note that `npm config set registry` writes to the user's .npmrc and therefore changes the source of every later npm install. If a mirror is only needed for this one install, pass `--registry` on that command instead of changing the persistent config.
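One way to act on the "verify the package and pin a version" advice above, as an added example that is not part of the ClawScan report or of the OpenClaw project: download the tarball (for example with `npm pack openclaw@<version>`), check its Subresource Integrity hash against an integrity string copied from a reviewed package-lock.json, and list the lifecycle scripts npm would run at install time. The function names, the `example-cli` package metadata, and the tarball built inline are all constructed here so the script runs offline; a real check would read the downloaded .tgz from disk and the pinned integrity string from a lockfile you trust.

```python
"""Vet an npm package tarball before `npm install -g`.

Added example, not code from the ClawScan report or from OpenClaw. It checks
the tarball's SRI integrity hash against a pinned value and reports any
lifecycle scripts (preinstall/install/postinstall/prepare) that npm runs
automatically during installation. The sample tarball is constructed inline
so the script runs offline; in practice point it at `npm pack` output and a
reviewed package-lock.json integrity string.
"""
import base64
import hashlib
import io
import json
import tarfile

# Script names npm executes on its own during an install (unless --ignore-scripts).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def sri_sha512(data: bytes) -> str:
    """Return the SRI-style integrity string npm records in package-lock.json."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def read_package_json(tarball: bytes) -> dict:
    """Extract package/package.json (npm tarballs always use the 'package/' prefix)."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        member = tf.getmember("package/package.json")
        return json.load(tf.extractfile(member))


def lifecycle_scripts(pkg: dict) -> dict:
    """Return only the scripts npm would run at install time."""
    scripts = pkg.get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}


def vet_tarball(tarball: bytes, expected_integrity: str) -> dict:
    """Compare the tarball against a pinned integrity string and surface install scripts."""
    pkg = read_package_json(tarball)
    return {
        "name": pkg.get("name"),
        "version": pkg.get("version"),
        "integrity_ok": sri_sha512(tarball) == expected_integrity,
        "lifecycle_scripts": lifecycle_scripts(pkg),
    }


def build_sample_tarball(pkg: dict) -> bytes:
    """Constructed sample: a minimal npm-style tarball holding only package.json."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        payload = json.dumps(pkg).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed, hypothetical package metadata with one install-time hook.
SAMPLE_PKG = {
    "name": "example-cli",
    "version": "1.2.3",
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
}


if __name__ == "__main__":
    tarball = build_sample_tarball(SAMPLE_PKG)
    pinned = sri_sha512(tarball)  # in practice: copied from a reviewed lockfile
    report = vet_tarball(tarball, pinned)
    print(json.dumps(report, indent=2))
    if report["lifecycle_scripts"]:
        print("install-time scripts present: review them, or install with "
              "`npm install -g --ignore-scripts <package>@<version>`")
```

If the integrity check fails the tarball is not the one that was reviewed and should not be installed; if it passes but lists lifecycle scripts, read those scripts before installing, or install with `--ignore-scripts` and run any genuinely required setup step by hand.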

What this means

If credentials are over-scoped or exposed, OpenClaw or anyone with those secrets could operate the configured messaging channels within the granted permissions.

Why it was flagged

Channel setup uses account login, app secrets, and webhooks. These are expected for WeChat/Feishu/DingTalk integration, but they grant access according to the provider permissions.

Skill content
openclaw channel add wechat
# Log in by scanning the QR code
...
# Configure the App ID and Secret
...
# Configure the Webhook
Recommendation

Use least-privilege app credentials and webhooks, avoid sharing secrets in chat, and rotate credentials if they may have been exposed.

What this means

Heartbeat tasks may continue running after setup until the user stops or reconfigures them.

Why it was flagged

The guide starts an ongoing heartbeat/automation service. This is disclosed as part of the skill’s purpose, but the artifact does not include stop, disable, or scope-control instructions.

Skill content
# Start the heartbeat service
openclaw heartbeat start
Recommendation

Confirm what HEARTBEAT.md will do before starting it, and find out the OpenClaw command for stopping or disabling the heartbeat service before you need it, since this guide does not give one.

What this means

A user could pay an unverified service provider for setup support.

Why it was flagged

The skill includes paid support tiers and a cryptocurrency payment address. This is disclosed, but users should verify the provider before sending funds.

Skill content
| Basic install | ¥99 | Remote install + basic configuration | ... USDT TRC20: `TYTvuzacfUgeei36NK9dmfUCKFqiQfYizp`
Recommendation

Confirm the service provider’s identity, refund policy, and official relationship to OpenClaw before paying, especially with irreversible cryptocurrency payments.