← Back to Skills Marketplace
OpenClaw VPS Deploy
by
maverick-software
· GitHub ↗
· v1.1.0
401
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install openclaw-vps-deploy
Description
Deploy a custom OpenClaw repo (official or forked) to a Hostinger VPS and make it accessible via the cloud. Use when setting up a new OpenClaw instance on a...
Usage Guidance
Plain-language considerations before installing or running this skill:
- This skill will ask you to provide an SSH private key and will run as root on the remote VPS (apt installs, curl|bash, write systemd services, open firewall ports). Only run it against servers you control and trust.
- The SKILL.md and deploy.py expect ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY) but the package metadata does not declare these requirements — assume you must supply these keys. Check where the keys are stored: the script reads ~/.openclaw/secrets.json if present. Confirm you are comfortable with that file being read.
- The deploy script may write tokens/config files both on the remote machine and (per the docs) to a local vault; locate and inspect any local secrets file the script creates. If you do not want secrets stored locally, inspect/modify the script before running.
- The script will clone and build arbitrary git repos you pass; only deploy code from repositories you trust. A malicious fork would execute code on the VPS as root.
- The script runs 'curl https://deb.nodesource.com/setup_22.x | bash' on the remote host. This is a convenience but carries the usual security trade-offs of piping remote scripts into shell. Prefer to review the script or use a curated package source.
- Because part of deploy.py was truncated in the provided bundle, review the full file before use to ensure there are no extra operations (e.g., transmitting secrets off-host) in the omitted portion.
Recommended safe steps: inspect full deploy.py locally, test on an isolated/staging VPS first, back up any keys or configs, and only supply API keys and SSH keys after you confirm exactly where they will be written and stored.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-vps-deploy
Version: 1.1.0
The `scripts/deploy.py` file contains a shell injection vulnerability. The `--repo` argument, which can be controlled by the user, is directly interpolated into remote commands like `npm install -g {repo}` and `git clone {repo}` without robust sanitization. This could allow an attacker to execute arbitrary commands on the target VPS if they can control the `--repo` input. While the script's overall purpose is legitimate deployment, this significant flaw makes it suspicious due to the potential for remote code execution.
Capability Assessment
Purpose & Capability
The skill's purpose (deploy OpenClaw to Hostinger VPS) matches the shipped code: the script connects via SSH, installs Node, installs/builds OpenClaw, writes config, configures systemd and UFW. However, the registry metadata declares no required environment variables or primary credential while both the SKILL.md and the script clearly rely on ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY). That omission is an incoherence: anyone deploying OpenClaw will legitimately need an API key, so the skill should declare that upfront.
Instruction Scope
Runtime instructions and the script read local secrets (~/.openclaw/secrets.json) and environment variables, generate and place an auth token, and run many privileged remote commands as root (apt installs, curl | bash, writing /etc/systemd/system, enabling services, opening firewall ports). Reading a local vault and writing tokens locally (SKILL.md claims saving token to local vault) is outside a minimal deployer's needs unless clearly documented and consented to; the SKILL.md and code are not fully consistent about what is saved locally vs remotely. The script also executes unverified upstream actions (npm install -g, git clone of arbitrary repos) which will be executed on the remote host.
Install Mechanism
There is no install spec for the skill itself (no code installed locally by the platform) — low platform install risk. The script will pip-install paramiko locally if missing and use apt/curl on the remote host, including running the NodeSource setup script via curl | bash and npm/pnpm operations. These are typical for remote provisioning, but curl | bash and cloning arbitrary git repos are higher-risk operations on the target VPS and should be run only against trusted sources.
Credentials
The skill did not declare required environment variables in registry metadata, yet both documentation and the script require an ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY). The script will read keys from environment or from a local vault (~/.openclaw/secrets.json). Reading the user's local secrets file is a significant sensitive action and is not reflected in the skill's declared requirements — this mismatch increases the risk of accidental exposure or misuse of credentials.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or platform configuration. It creates and enables a systemd service on the remote VPS (expected for a deploy tool) and opens firewall ports — those are privileged remote actions but coherent with the deploy purpose. Autonomous invocation is allowed by default but not by itself a red flag here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-vps-deploy - After installation, invoke the skill by name or use
/openclaw-vps-deploy - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Added multi-agent VPS reference — port allocation, per-agent systemd services, provisioning script, resource planning table, and Cloudflare tunnel integration guide.
v1.0.0
Initial release — deploy OpenClaw (official or custom fork) to Hostinger VPS via SSH. Includes paramiko deploy script, systemd service setup, UFW firewall, auth token generation, and 10 documented gotchas from real deployments.
Metadata
Frequently Asked Questions
What is OpenClaw VPS Deploy?
Deploy a custom OpenClaw repo (official or forked) to a Hostinger VPS and make it accessible via the cloud. Use when setting up a new OpenClaw instance on a... It is an AI Agent Skill for Claude Code / OpenClaw, with 401 downloads so far.
How do I install OpenClaw VPS Deploy?
Run "/install openclaw-vps-deploy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw VPS Deploy free?
Yes, OpenClaw VPS Deploy is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw VPS Deploy support?
OpenClaw VPS Deploy is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw VPS Deploy?
It is built and maintained by maverick-software (@maverick-software); the current version is v1.1.0.
More Skills