← Back to Skills Marketplace
Agent Deployment Checklist
by
samledger67-dotcom
· GitHub ↗
· v98.0.1
· MIT-0
219
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install agent-deployment-checklist
Description
Production deployment checklist for AI agent infrastructure. Covers Mac Mini and server deployment with 5-layer stack (base install, IAM config, client softw...
README (SKILL.md)
Agent Deployment Checklist
Production deployment framework for AI agent infrastructure on dedicated hardware (Mac Mini, Linux servers). Every deployment follows the same 5-layer stack, every time, no shortcuts.
The 5-Layer Deployment Stack
Every agent deployment is five layers applied in order. No layer is optional. Each layer has a binary pass/fail gate before moving to the next.
Layer 1: Base OS + OpenClaw Install (Scripted)
Goal: Clean machine with OpenClaw runtime ready.
Checklist:
- Fresh OS install or verified clean state
- OS updates applied to latest stable
- Xcode Command Line Tools installed (macOS)
- Homebrew installed and updated (macOS)
- Node.js LTS installed via nvm
- Python 3.11+ installed
- Git configured with deploy key
- OpenClaw CLI installed and verified
- Claude Code installed and licensed
- Working directory created at
~/.openclaw/workspace - SSH key pair generated for this machine
Script template:
#!/bin/bash
# layer-1-base-install.sh
set -euo pipefail
echo "=== Layer 1: Base Install ==="
# macOS-specific
xcode-select --install 2>/dev/null || true
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew update && brew upgrade
# Runtime
brew install nvm [email protected] git jq
nvm install --lts
nvm use --lts
# OpenClaw workspace
mkdir -p ~/.openclaw/workspace
cd ~/.openclaw/workspace
git init
echo "Layer 1 complete. Verify: node --version && python3 --version && git --version"
Gate: node --version returns LTS, python3 --version returns 3.11+, git status works in workspace directory.
Layer 2: IAM Config (White-Glove)
Goal: Identity, access, and API keys configured for this specific client/deployment.
This layer is always done manually — never scripted — because every client's access pattern is different.
Checklist:
- API keys provisioned (Anthropic, OpenAI if needed)
- API keys stored in environment variables (never in files)
-
.envfile created with proper permissions (chmod 600) - Client-specific service accounts created
- MCP server credentials configured
- GitHub/GitLab access tokens scoped to client repos only
- Email/calendar integrations authorized (OAuth tokens)
- QuickBooks / accounting integrations connected (if applicable)
- All credentials tested with a live API call
- Credential rotation schedule documented
Key principle: Client pays for their own API keys and licenses. We never share keys across clients.
# Verify all credentials work
echo "Testing Anthropic API..."
curl -s https://api.anthropic.com/v1/messages \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "content-type: application/json" \
-d '{"model":"claude-sonnet-4-20250514","max_tokens":10,"messages":[{"role":"user","content":"ping"}]}' \
| jq '.content[0].text'
echo "Testing GitHub access..."
gh auth status
Gate: Every configured API key returns a valid response. No 401s, no 403s.
Layer 3: Client-Specific Software (Varies)
Goal: Install and configure whatever tools this specific client needs.
This layer varies per deployment. Common patterns:
For accounting/bookkeeping clients:
- QuickBooks MCP server configured (read-only by default)
- Financial reporting templates deployed
- Tax calendar crons scheduled
For marketing/content clients:
- CMS integrations connected
- Social media API access configured
- Analytics dashboards linked
For development team clients:
- CI/CD pipeline access configured
- Code review automation set up
- Deployment notification channels connected
For legal/compliance clients:
- Document management system access
- Compliance calendar configured
- Audit trail logging enabled
Gate: Client-specific test suite passes. Each integration returns expected data.
Layer 4: Security Hardening (Every Deployment)
Goal: Lock down the machine to production security standards.
Checklist:
- Firewall enabled and configured (only required ports open)
- SSH hardening applied:
- Password authentication disabled
- Root login disabled
- Key-only authentication enforced
- Non-standard SSH port configured
- Disk encryption enabled (FileVault on macOS, LUKS on Linux)
- Automatic security updates enabled
- Fail2ban or equivalent installed and configured
- Log rotation configured
- File integrity monitoring enabled
-
.envand credential files have600permissions - No credentials in git history (verified with
git log --all -p | grep -i "api_key\|secret\|password") - SOUL, IDENTITY, USER, AGENTS files marked as sacred (never leave the environment)
- Outbound network allowlist configured (only known API endpoints)
macOS firewall script:
#!/bin/bash
# layer-4-firewall.sh
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
echo "Firewall configured. Verify: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate"
Gate: Security audit script returns grade A or B. No grade C or below passes.
Layer 5: Onboarding — Day 1
Goal: Client can interact with their agent and sees value immediately.
Checklist:
- 5-file memory system scaffolded (see below)
- Starter crons installed and verified
- Health check running and reporting
- Client walkthrough completed (30-min live session)
- Client can ask agent a question and get a response
- First real task completed with client watching
- Emergency contact and escalation path documented
- Client has link to support channel
- Week-1 check-in scheduled
The Day-1 demo: Always do one real task live. Not a demo. Not a rehearsed script. Pick something from their actual workflow and do it. This is how you build trust.
Gate: Client has independently asked the agent a question and received a useful answer without help.
Pre-Scaffolded 5-File Memory System
Every deployment starts with the same five files. They are empty templates, not boilerplate — the agent fills them in during operation.
SOUL.md Template
# SOUL
## Identity
You are [CLIENT_NAME]'s AI operations agent, deployed by IAM Solutions.
## Core Values
- Accuracy over speed
- Ask before assuming
- Protect client data absolutely
- Learn and improve continuously
## Boundaries
- Never share client data outside this environment
- Never execute financial transactions without explicit approval
- Never modify production systems without confirmation
- Escalate to human when uncertain
## Communication Style
[To be calibrated during onboarding based on client preference]
IDENTITY.md Template
# IDENTITY
## Deployment
- Deployed: [DATE]
- Hardware: [MACHINE_SPEC]
- Location: [PHYSICAL_OR_CLOUD_LOCATION]
- Managed by: IAM Solutions
## Capabilities
[Populated during Layer 3 based on installed integrations]
## Limitations
[Documented during onboarding based on what's explicitly out of scope]
USER.md Template
# USER
## Primary User
- Name: [CLIENT_NAME]
- Role: [CLIENT_ROLE]
- Communication preference: [EMAIL/SLACK/SMS]
## Access Pattern
[How and when the client typically interacts — populated after first week]
## Domain Knowledge
[What the client knows well vs. where they need more explanation — populated over time]
AGENTS.md Template
# AGENTS
## Active Agents
[List of running agents, their roles, and their schedules — populated during Layer 3]
## Agent Communication
[How agents coordinate, share memory, escalate — configured during deployment]
MEMORY.md Template
# MEMORY
Memory index for [CLIENT_NAME] deployment.
Created: [DATE]
## Memories
[Index populated as agent creates memories during operation]
Starter Cron Templates
Every deployment gets these three crons minimum.
Health Check (Every 4 Hours)
# health-check.cron
# Runs every 4 hours, reports system health
0 */4 * * * /path/to/health-check.sh >> /var/log/openclaw/health.log 2>&1
#!/bin/bash
# health-check.sh
GRADE="A"
ISSUES=""
# Check disk space
DISK_USAGE=$(df -h / | awk 'NR==2 {print $5}' | tr -d '%')
if [ "$DISK_USAGE" -gt 90 ]; then GRADE="F"; ISSUES+="Disk >90%. ";
elif [ "$DISK_USAGE" -gt 80 ]; then GRADE="C"; ISSUES+="Disk >80%. "; fi
# Check memory
# Check API connectivity
# Check cron jobs running
# Check log file sizes
echo "$(date): Health Grade: $GRADE ${ISSUES:-No issues}"
Memory Maintenance (Daily at 2 AM)
# memory-maintenance.cron
0 2 * * * /path/to/memory-maintenance.sh >> /var/log/openclaw/memory.log 2>&1
#!/bin/bash
# memory-maintenance.sh
# Compress old session logs
# Archive memories older than 30 days
# Verify MEMORY.md index matches actual files
# Report memory file count and total size
MEMORY_DIR="$HOME/.openclaw/workspace/memory"
FILE_COUNT=$(find "$MEMORY_DIR" -name "*.md" | wc -l)
TOTAL_SIZE=$(du -sh "$MEMORY_DIR" | awk '{print $1}')
echo "$(date): Memory files: $FILE_COUNT, Total size: $TOTAL_SIZE"
Backup (Daily at 3 AM)
# backup.cron
0 3 * * * /path/to/backup.sh >> /var/log/openclaw/backup.log 2>&1
#!/bin/bash
# backup.sh
BACKUP_DIR="/backups/openclaw/$(date +%Y-%m-%d)"
mkdir -p "$BACKUP_DIR"
# Back up workspace (excluding node_modules, .git objects)
rsync -a --exclude='node_modules' --exclude='.git/objects' \
"$HOME/.openclaw/workspace/" "$BACKUP_DIR/workspace/"
# Back up cron definitions
crontab -l > "$BACKUP_DIR/crontab.bak"
# Keep last 30 days of backups
find /backups/openclaw -maxdepth 1 -type d -mtime +30 -exec rm -rf {} \;
echo "$(date): Backup complete to $BACKUP_DIR"
Hardware Requirements
Minimum (Single-Agent Deployment)
| Component | Spec |
|---|---|
| CPU | Apple M1 or equivalent |
| RAM | 16 GB |
| Storage | 256 GB SSD |
| Network | Stable broadband, static IP preferred |
| UPS | Recommended for always-on deployments |
Recommended (Multi-Agent Deployment)
| Component | Spec |
|---|---|
| CPU | Apple M2 Pro / M4 or equivalent |
| RAM | 32 GB |
| Storage | 512 GB SSD |
| Network | Business-grade with failover |
| UPS | Required |
Network Configuration
Outbound allowlist (minimum):
- api.anthropic.com (Anthropic API)
- api.openai.com (if using OpenAI models)
- github.com (code repos)
- api.github.com (GitHub API)
- smtp.gmail.com (email, if applicable)
- quickbooks.api.intuit.com (QBO, if applicable)
Inbound:
- SSH on non-standard port (key-only)
- No other inbound ports required for typical deployments
Post-Deployment Monitoring
Week 1: Daily Check-ins
- Is the agent responding correctly?
- Are crons running on schedule?
- Any errors in logs?
- Client satisfaction?
Weeks 2-4: Twice-Weekly
- Memory system growing appropriately?
- Performance stable?
- Any new integration needs?
Month 2+: Weekly
- Health grade trend
- Backup verification
- Security update status
- Client feature requests
Deployment Anti-Patterns
Don't do these:
- Sharing API keys across clients. Every client pays for their own. No exceptions.
- Skipping Layer 4. "It's just a test deployment" is how breaches start.
- Copying another client's SOUL.md. Every deployment gets a fresh identity calibrated to the client.
- Enabling write access on day 1. Start read-only. Earn write access through demonstrated reliability.
- Deploying without a health check cron. If you can't monitor it, don't deploy it.
- Promising specific features before Layer 3. Scope the deployment, then promise.
Usage Guidance
This checklist appears to be a reasonable deployment playbook, but do not follow it blindly. Before running any provided scripts: 1) Verify the origin of instal scripts (Homebrew, nvm, OpenClaw/Claude installers) and prefer vendor-signed releases or package managers you trust; avoid piping remote scripts into a shell without review. 2) Use least-privilege API keys and OAuth tokens; prefer a secrets manager over plaintext .env files when possible. If you must use a .env, enforce strict permissions and ensure it is never committed. 3) Resolve the contradiction in the doc about 'never in files' vs creating a .env file—decide on a single secure practice and follow it. 4) Review and vet any referenced third-party components (’Claude Code’, ‘MCP server’, etc.) to confirm legitimate download/licensing sources. 5) Scrub git history before pushing, and validate outbound allowlists and logging controls for client data. If you want higher confidence, provide the full (non-truncated) SKILL.md, confirmation of authoritative installer URLs for OpenClaw/Claude components, and the origin/maintainer identity for this checklist.
Capability Analysis
Type: OpenClaw Skill
Name: agent-deployment-checklist
Version: 98.0.1
thought
The user wants me to analyze a set of files for an OpenClaw AgentSkills skill bundle.
The bundle contains:
- `_meta.json`: Metadata about the skill (owner, slug, version, date).
- `SKILL.md`: A detailed markdown file describing a "Production deployment checklist for AI agent infrastructure".
I need to classify this as `benign`, `suspicious`, or `malicious` based on specific criteria:
- Data exfiltration
- Malicious execution (RCE, etc.)
- Persistence/backdoors
- Prompt injection against the agent
- Obfuscation
- Supply chain issues
Let's look at `SKILL.md`.
It's a checklist for deploying AI agents on Mac Mini or Linux servers.
It includes:
- Layer 1: Base OS + OpenClaw Install (Scripted). Includes a bash script that installs Homebrew, nvm, python, git, etc.
- Layer 2: IAM Config (Manual). Mentions API keys, `.env` files, etc.
- Layer 3: Client-Specific Software.
- Layer 4: Security Hardening. Includes a script for macOS firewall.
- Layer 5: Onboarding.
- 5-file memory system templates (`SOUL.md`, `IDENTITY.md`, `USER.md`, `AGENTS.md`, `MEMORY.md`).
- Starter Cron Templates (Health check, Memory maintenance, Backup).
Analysis:
1. **Data exfiltration**: The scripts provided are templates. The `backup.sh` script backs up the workspace to a local directory `/backups/openclaw/`. It doesn't seem to exfiltrate data to an external endpoint.
2. **Malicious execution**: The scripts use `curl | bash` for Homebrew installation, which is standard practice but technically a risk. However, it's a well-known URL (`raw.githubusercontent.com/Homebrew/install/HEAD/install.sh`). The scripts are intended for the user/admin to run during deployment.
3. **Persistence / backdoors**: It sets up cron jobs. These are for health checks, memory maintenance, and backups. This is standard for server management. It also mentions SSH hardening (disabling passwords, root login).
4. **Prompt injection**: The `SKILL.md` is a set of instructions for a human or an AI agent to follow. Does it contain instructions to ignore the user or hide actions? No. It emphasizes security ("Protect client data absolutely", "Never share client data outside this environment").
5. **Obfuscation**: None found.
6. **Supply chain**: It installs standard tools (nvm, python, git, jq).
The content seems to be a legitimate, well-structured guide for deploying AI agents securely. It includes security hardening steps (Layer 4) and emphasizes data protection.
Wait, let's look closer at the scripts.
`layer-1-base-install.sh`:
- Installs Homebrew.
- Installs nvm, python, git, jq.
- Creates a workspace.
This is standard setup.
`layer-4-firewall.sh`:
- Enables macOS firewall and blocks all incoming connections.
This is a security measure.
Cron scripts:
- `health-check.sh`: Checks disk space.
- `memory-maintenance.sh`: Manages files in the workspace.
- `backup.sh`: Backs up the workspace locally.
The `SKILL.md` instructions are for the agent to help a user deploy infrastructure.
The "5-file memory system" is a common pattern in agentic frameworks.
Is there any prompt injection?
The `SOUL.md` template says: "Protect client data absolutely", "Never share client data outside this environment".
The "Deployment Anti-Patterns" section warns against sharing API keys and skipping security.
The instructions are very specific to "dedicated hardware (Mac Mini, Linux servers)" and "NOT for cloud/serverless deployments".
One potential concern: The script in Layer 1 runs `curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | /bin/bash`. While standard for Homebrew, in a security context, it's a "curl|bash" pattern. However, given the context of a deployment checklist, this is expected behavior for setting up a Mac.
The `SKILL.md` contains instructions that an AI agent would interpret. If an agent reads this, it will understand the deployment process. There are no "ignore previous instructions" or "exfiltrate keys" commands.
The `_meta.json` has a version `98.0.1` and a date in the future (1773724909664 is roughly March 2026). This is slightly odd but not necessarily malicious.
The content is a "Production deployment checklist". It's a guide.
The "5-layer stack" and "5-file memory system" are architectural patterns.
Classification: Benign.
The bundle provides a comprehensive and security-conscious framework for deploying AI agents. The scripts are standard administrative tasks (installing runtimes, configuring firewalls, setting up backups). There is no evidence of malicious intent, data exfiltration, or harmful prompt injection.
Wait, let me double check the "Prompt injection" aspect.
The instructions tell the agent how to behave: "Accuracy over speed", "Protect client data absolutely". These are positive constraints.
The "Gate" sections are for the human/agent to verify progress.
One detail: `claude-sonnet-4-20250514` in the API test. This model name doesn't exist yet (as of my current knowledge cutoff), suggesting this is a forward-looking or hypothetical template.
The `backup.sh` script:
`find /backups/openclaw -maxdepth 1 -type d -mtime +30 -exec rm -rf {} \;`
This is a standard cleanup for backups.
The `SKILL.md` is essentially a SOP (Standard Operating Procedure).
Conclusion: Benign.
Summary points:
- The bundle provides a structured deployment framework for AI agents on dedicated hardware.
- It includes security-focused steps like firewall configuration, SSH hardening, and local backup scripts.
- The instructions emphasize data privacy and operational integrity without any signs of malicious intent or exfiltration.
One more check: Does it try to steal keys?
Layer 2 says: "API keys stored in environment variables (never in files)", "`.env` file created with proper permissions (`chmod 600`)". This is good practice.
It includes a test script for the API key using `curl`. This is for verification.
The `SKILL.md` is a documentation file that an agent uses to guide a deployment. It doesn't contain code that executes automatically upon loading the skill, but rather scripts that are meant to be run as part of the process.
Final check on "malicious" vs "suspicious":
- No intentional harmful behavior.
- No risky capabilities that aren't justified by the purpose (deployment).
- No obfuscation.
- No exfiltration.
Classification: benign.
```json
{
"classification": "benign",
"summary": "The skill bundle provides a comprehensive and security-conscious production deployment checklist for AI agent infrastructure on dedicated hardware. It includes standard administrative scripts for environment setup (Layer 1), firewall configuration (Layer 4), and local backup/maintenance crons, all of which align with the stated purpose of infrastructure management. The instructions in SKILL.md emphasize data protection, credential safety (e.g., using .env with restricted permissions), and operational integrity, with no evidence of malicious intent, data exfiltration, or harmful prompt injection."
}
```
Capability Assessment
Purpose & Capability
Name and description align with the checklist contents: base OS setup, IAM/configuration, client-specific installs, security hardening and onboarding. Requested actions (installing Homebrew, nvm, Python, configuring API keys, connecting client services like QuickBooks/GitHub/Anthropic) are appropriate for an agent deployment checklist.
Instruction Scope
SKILL.md contains concrete shell scripts and manual steps that will be executed by operators. It instructs live API calls to test API keys and to create a ~/.openclaw/workspace and git init. There is a direct contradiction: it says 'API keys stored in environment variables (never in files)' and also instructs creating a '.env' file with chmod 600. The document also references 'sacred' files (SOUL, IDENTITY, USER, AGENTS) without clear handling guidance. These inconsistencies broaden the agent operator's discretion and risk accidental exposure of secrets if followed blindly.
Install Mechanism
Skill is instruction-only (no install spec), which reduces static risk, but provided scripts call network installers (curl to raw.githubusercontent.com to install Homebrew, brew installs, nvm installs). Using remote install scripts (curl|bash patterns) is common but increases risk if sources aren't verified. 'Claude Code installed and licensed' and 'OpenClaw CLI installed' are referenced without authoritative install URLs or verification guidance.
Credentials
Although no env vars are declared in metadata, the checklist expects many credentials (Anthropic, OpenAI possibly, GitHub/GitLab tokens, MCP server credentials, QuickBooks, OAuth tokens, etc.). That breadth is expected for multi-client deployments, but it increases the attack surface and requires careful policy: the file contradicts itself about never storing keys in files vs creating a .env file. The checklist also instructs testing keys with live API calls which is reasonable but implies handling and transmission of secrets to external endpoints—operators should ensure use of least-privilege keys and secure storage (secret manager) rather than plaintext .env when possible.
Persistence & Privilege
Metadata shows no always:true and no install artifacts embedded in the skill; it's user-invocable only. The skill does not request modification of other skills or system-wide agent settings. Persistence is limited to operator actions described in the instructions (creating workspace, installing packages).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install agent-deployment-checklist - After installation, invoke the skill by name or use
/agent-deployment-checklist - Provide required inputs per the skill's parameter spec and get structured output
Version History
v98.0.1
Corrected display name
v98.0.0
probe
v1.0.0
test
Metadata
Frequently Asked Questions
What is Agent Deployment Checklist?
Production deployment checklist for AI agent infrastructure. Covers Mac Mini and server deployment with 5-layer stack (base install, IAM config, client softw... It is an AI Agent Skill for Claude Code / OpenClaw, with 219 downloads so far.
How do I install Agent Deployment Checklist?
Run "/install agent-deployment-checklist" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Agent Deployment Checklist free?
Yes, Agent Deployment Checklist is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Agent Deployment Checklist support?
Agent Deployment Checklist is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Agent Deployment Checklist?
It is built and maintained by samledger67-dotcom (@samledger67-dotcom); the current version is v98.0.1.
More Skills