Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Openclaw

v1.0.0

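Provides end-to-end support for remote deployment, SSH tunnel connection, device pairing, and day-to-day management of the OpenClaw gateway on Alibaba Cloud servers.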

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (deploy & manage OpenClaw on an Alibaba Cloud server) matches the instructions: SSH, Docker, starting services, and device pairing are expected. However the skill files contain hard-coded secrets and model/config credentials while the skill metadata declares no required env vars or credentials — a coherence issue and poor hygiene even if functionally plausible.
! Instruction Scope
Runtime instructions ask the operator to: SSH as root using a plaintext password, use sshpass/scp to copy ~/.openclaw/workspace/skills (accessing local filesystem), run docker commands that mount/modify remote config and skills, and remove device files. These steps go beyond a narrow helper: they perform system-wide actions and give the skill (and synced skills) potential to run arbitrary code on the remote host.
Install Mechanism
This is instruction-only (no install spec), which is low platform-install risk. The guide asks the user to npm install the private package '@openclaw/browser-relay' inside the container; that package is noted as an internal (non-public) package, and installing unverified/internal packages on a production host is a risk and may be hard to audit.
! Credentials
Although the skill metadata lists no required env vars/credentials, the SKILL.md and included JSON files contain multiple sensitive secrets: an SSH root password, Gateway token, model API key (bailian), TAVILY API key, and Feishu appSecret/appId. Requesting or embedding multiple high-scope secrets (root password, API keys, app secrets) is disproportionate and not declared in the manifest.
! Persistence & Privilege
The instructions tell the user to run the OpenClaw container with --restart always and to sync local skills into /app/skills on the remote — this grants persistent execution and the ability to install new skills (code) on the server. The remote gateway is configured with controlUi.allowedOrigins=["*"] and a static token in docs/URLs, which risks exposing the admin UI if network/firewall rules are not hardened.
Scan Findings in Context
[embedded_secret:ssh_password] unexpected: SKILL.md and browser_relay_guide.md include plaintext SSH credentials (root / Davinci@1984). A deployment guide might need SSH access, but embedding a root password in distributed skill files is insecure and the manifest did not declare this credential.
[embedded_secret:gateway_token] expected: A gateway token is required to configure and access the OpenClaw control UI; however it is hard-coded in multiple files and exposed in example URLs (http://localhost:18790/#token=...). Hard-coding tokens in shared skill files is unsafe.
[embedded_secret:api_key_bailian] expected: The bailian model API key appears in config JSON. Supplying a model API key is reasonable for integrated model access, but again it is embedded in distributed files instead of being declared as a required secret or stored in a secure secret store.
[embedded_secret:feishu_app_secret] expected: Feishu appSecret and appId are present in feishu config files. Channel integration needs these credentials, but embedding them in the skill bundle without manifest declaration is poor practice and increases exfiltration risk.
[embedded_secret:tavily_api_key] expected: TAVILY_API_KEY is present in multiple JSON files. It may be required for some integrations, but again should be declared and handled securely rather than hard-coded.
What to consider before installing
This skill appears to be a genuine deployment/config guide, but it contains multiple hard-coded sensitive credentials (root SSH password, gateway token, model API key, Feishu secrets) and instructs risky operations: using sshpass with a root password, copying your entire local skills directory to the remote host, and enabling control UI origins="*". Before using it:

(1) do not copy or use the plaintext credentials — replace them with per-host SSH key auth and rotate any exposed keys/tokens;
(2) inspect any local skills you plan to sync (they can run arbitrary code on the remote);
(3) restrict gateway/control UI access with firewall rules and avoid allowedOrigins="*";
(4) verify the Docker image registry and any internal npm packages before installing;
(5) store API keys and app secrets in a secure secrets manager rather than committing them into config files.

Because the manifest does not declare required secrets yet the files include many, treat this skill with caution and consider remediation (remove secrets, use keys, limit copied content) before running any commands.

Like a lobster shell, security has layers — review code before you run it.

