← Back to Skills Marketplace
emberdesire

E.x.O. Installer

by emberDesire · GitHub ↗ · v0.4.1
cross-platform ⚠ suspicious
1021
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install exo-installer
Description
Install, update, and monitor E.x.O. tools like jasper-recall and hopeIDS, manage OpenClaw plugins, and perform health checks with a single command.
README (SKILL.md)

exo-installer Skill

E.x.O. Ecosystem Manager

Install, update, and monitor all E.x.O. tools with a single command.

When to Use

  • User wants to install E.x.O. tools (jasper-recall, hopeIDS, context-compactor)
  • User asks about the E.x.O. ecosystem
  • User needs to set up OpenClaw plugins
  • User wants to check health of installed tools

Quick Start

# Install all public E.x.O. packages
npx exo-installer install --all

# Or install specific tools
exo install jasper-recall
exo install hopeIDS
exo install jasper-context-compactor

# Health check
exo doctor
exo doctor --json  # For automation

Commands

Command Description
exo install --all Install all public packages
exo install \x3Cpkg> Install specific package
exo update Update all installed packages
exo doctor Health check all components
exo doctor --json Health check with JSON output
exo list List available packages
exo internal clone Clone private repos (needs GitHub access)

Available Packages

Public (npm)

Package Description
jasper-recall Local RAG system for agent memory
hopeIDS Behavioral anomaly detection
jasper-context-compactor Token management for local models
jasper-configguard Safe config changes with rollback

Internal (GitHub)

Repo Description
hopeClaw Meta-cognitive inference engine
moraClaw Temporal orchestration agent
task-dashboard Project management system
exo-distiller Agent distillation pipeline

Internal packages require GitHub org access:

exo internal clone

Health Check

$ exo doctor
🔍 E.x.O. Health Check

jasper-recall ................. ✅ v0.4.2
  ChromaDB: ✅ connected
  Embeddings: ✅ loaded
  Documents: 847

hopeIDS ...................... ✅ v1.3.3
  Analyzer: ✅ ready
  Models: 3 loaded

jasper-context-compactor ...... ✅ v0.2.2

Overall: 3/3 healthy

Integration

After installing, tools auto-register with OpenClaw:

{
  "extensions": {
    "jasper-recall": { "enabled": true },
    "hopeIDS": { "enabled": true },
    "jasper-context-compactor": { "enabled": true }
  }
}

Links

Usage Guidance
What to consider before installing/running this skill: - Trust the source: the CLI will run global npm installs and npx commands (these pull and execute third-party code). Only proceed if you trust the E.x.O. packages and the GitHub org listed. - Missing declared requirements: the skill requires npm, npx, git and may need GitHub credentials and Telegram tokens for alerts, but these are not declared — expect to provide or have these configured in your environment. - Local file access & persistence: it reads/writes ~/.openclaw/* and checks ~/projects paths; it can create state files and may modify OpenClaw config or set cron jobs. If you want to limit impact, run it in an isolated environment or container first. - Private repo cloning: internal packages reference private repos/local paths. If you run the 'internal clone' command the skill will attempt to access your GitHub account or local project directories — verify what it will clone and where. - Inspect the code: the shipped cli.js is readable; review the remainder of the truncated code paths (cron, telegram integration, internal clone) before use. Confirm how 'auto-register with OpenClaw' is implemented and whether it modifies other skills' configs. If unsure: run the tool in a disposable VM/container, or request the maintainer to clarify required credentials (GitHub token, Telegram token), the exact changes performed on ~/.openclaw, and supply signed provenance (official GitHub repo) before granting it access to your primary environment.
Capability Analysis
Type: OpenClaw Skill Name: exo-installer Version: 0.4.1 The skill 'exo-installer' is classified as suspicious due to its extensive use of `child_process.execSync` in `cli.js` to install global npm packages, execute `npx` commands, and clone GitHub repositories. While the commands executed are derived from hardcoded values in `packages.json` or internal logic, and do not appear to be directly vulnerable to user-input-based shell injection in this specific bundle, the inherent power of these operations (e.g., `npm install -g`, `git clone`) represents a significant attack surface and supply chain risk. Additionally, the `cmdCronSetup` function instructs the OpenClaw agent to set up a cron job, a powerful capability, even if the suggested payload is currently benign.
Capability Assessment
Purpose & Capability
The SKILL.md and cli.js broadly match the stated purpose (install/update/health-check of E.x.O. packages). However the skill executes global npm installs, npx commands, and may clone private GitHub repos — yet the metadata declares no required binaries or environment variables (e.g., git, npm, or a GitHub token). That mismatch (declaring nothing required while the code needs npm/git and potentially credentials) is disproportionate and inconsistent.
Instruction Scope
Runtime instructions and the shipped cli.js instruct the agent to run arbitrary shell commands (npm install -g, npx <tool> setup, doctor commands), check/modify files under ~/.openclaw, and suggest cloning internal repos requiring GitHub access. Those actions can execute arbitrary third-party code (via npm/npx) and touch user files; the SKILL.md does not document authentication or safety boundaries (how internal repo access is obtained, or what auto-registration modifies). This expands scope beyond a simple 'installer' without clear safeguards.
Install Mechanism
There is no external install spec (skill is instruction-only) and the included code uses standard sources: npm registry and GitHub. No unusual remote download URLs or archive extraction were observed. Installing or running this CLI will invoke npm and npx which pull and execute code from package registries — normal for an installer but a real risk if you don't trust the packages being installed.
Credentials
The package expects access to private/internal GitHub repos and can send alerts (README mentions Telegram), but requires.env is empty and no primary credential is declared. The packages.json includes internal packages with localPath entries under ~/projects, which implicitly accesses user files. Requiring GitHub access and potential notification tokens without declaring them is an inconsistency and increases risk.
Persistence & Privilege
The CLI writes state to ~/.openclaw/exo-state.json and references the OpenClaw config path (~/.openclaw/openclaw.json); README and SKILL.md mention cron setup and auto-registration. The skill is not 'always:true' and does not appear to escalate privileges beyond user-level file writes, but it will persist state and may create cron jobs or modify OpenClaw config if run — consider this persistent footprint when evaluating trust.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install exo-installer
  3. After installation, invoke the skill by name or use /exo-installer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.4.1
Add SKILL.md and openclaw.plugin.json for ClawHub
Metadata
Slug exo-installer
Version 0.4.1
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is E.x.O. Installer?

Install, update, and monitor E.x.O. tools like jasper-recall and hopeIDS, manage OpenClaw plugins, and perform health checks with a single command. It is an AI Agent Skill for Claude Code / OpenClaw, with 1021 downloads so far.

How do I install E.x.O. Installer?

Run "/install exo-installer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is E.x.O. Installer free?

Yes, E.x.O. Installer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does E.x.O. Installer support?

E.x.O. Installer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created E.x.O. Installer?

It is built and maintained by emberDesire (@emberdesire); the current version is v0.4.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments