OpenClaw AWS Deploy
by Godwin Babu (GitHub) · v1.0.0
645 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw
/install openclaw-aws-deploy
Description
Deploy OpenClaw securely on AWS with a single command. Creates VPC, EC2 (ARM64), Telegram channel, and configurable AI model (Bedrock, Gemini, or any provide...
Usage Guidance
This repository appears to genuinely implement a one-shot AWS deployer for OpenClaw, but take these precautions before running:
- Inspect .env files: TELEGRAM_BOT_TOKEN is required and will be written into SSM Parameter Store for the instance to read. Do not put high-value secrets here unless you accept SSM storage.
- Use a dedicated deployer identity/account or a dedicated IAM role/profile. The helper role/policy exercises broad EC2/SSM/IAM permissions needed to create and tear down resources; run setup_deployer_role.sh --dry-run to review the exact policy JSON before creating it.
- Confirm Bedrock permissions: the deployment will add Bedrock invoke permissions to the instance role even if you don't plan to use Bedrock; if you require stricter controls, modify the instance role policy to a model allowlist before granting bedrock:InvokeModel.
- Prefer --dry-run and preflight: run scripts/preflight.sh and use deploy scripts' dry-run mode to see actions that would be taken.
- Confirm you are comfortable with the network downloads the bootstrap performs (Node tarball from nodejs.org, npm/git during instance bootstrap). If you need an air-gapped or fully-audited bootstrap, prepare your own AMI or adjust user-data to use curated artifacts.
- Do not run this from an admin/root account you care about; review all scripts (deploy_minimal.sh, setup_deployer_role.sh, teardown.sh) end-to-end before executing.
If you want, I can: (1) point out the exact lines in the scripts that create IAM/SSM resources, (2) extract the inline IAM policy that would be applied, or (3) produce a safe checklist (dry-run steps and minimal permissions) you can follow before running the deploy.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-aws-deploy
Version: 1.0.0
The skill is classified as suspicious due to an overly permissive IAM policy defined in `scripts/setup_deployer_role.sh`. The `SSMParameterStore` statement grants `ssm:*` actions on `Resource: "*"`, allowing the deployer identity to access, modify, or delete *any* SSM parameter in the AWS account, not just those scoped to the OpenClaw deployment. This represents a significant privilege escalation vulnerability. While the skill otherwise demonstrates strong security practices (e.g., SHA256 verification for Node.js, runtime secret fetching from SSM, SSM-only access, IMDSv2 enforcement, robust input validation, and explicit safety rules in agent `SOUL.md`/`AGENTS.md`), this IAM flaw is a critical vulnerability that could be exploited if the deployer's credentials are compromised.
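The guidance above asks you to review the policy JSON from `setup_deployer_role.sh --dry-run` before creating the role; the following added audit script (not part of the skill) flags any Allow statement that pairs a service-wide or global wildcard action with `Resource: "*"`, and shows the SSM statement narrowed to a parameter path. The sample policy is constructed from the page's description of the `SSMParameterStore` statement, not copied from the project, and the `/openclaw/` parameter prefix is an assumed naming convention.

```python
import json

# Constructed sample policy modelled on the finding above (ssm:* on
# Resource "*"); it is NOT the JSON actually emitted by the skill's script.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SSMParameterStore", "Effect": "Allow",
         "Action": "ssm:*", "Resource": "*"},
        # Describe* calls genuinely need "*", so this one must not be flagged.
        {"Sid": "EC2Describe", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    ],
})

# The same statement limited to the actions a deployer needs, on an
# assumed /openclaw/ parameter prefix instead of every parameter in the account.
SCOPED_SSM_STATEMENT = {
    "Sid": "SSMParameterStore", "Effect": "Allow",
    "Action": ["ssm:PutParameter", "ssm:GetParameter", "ssm:DeleteParameter"],
    "Resource": "arn:aws:ssm:*:*:parameter/openclaw/*",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json: str) -> list:
    """Return one finding per Allow statement that combines a wildcard
    action ("*" or "service:*") with Resource "*"."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad and "*" in resources:
            sid = stmt.get("Sid", "<no Sid>")
            findings.append(f'{sid}: {",".join(broad)} on Resource "*"')
    return findings

def scope_ssm(policy_json: str) -> str:
    """Swap the wildcard SSMParameterStore statement for the scoped one."""
    policy = json.loads(policy_json)
    policy["Statement"] = [
        SCOPED_SSM_STATEMENT if s.get("Sid") == "SSMParameterStore" else s
        for s in policy["Statement"]
    ]
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    print("\n".join(audit_policy(WEAK_POLICY)))  # flags SSMParameterStore only
    print(audit_policy(scope_ssm(WEAK_POLICY)))  # []
```

Pipe the dry-run output into `audit_policy` instead of `WEAK_POLICY` to check the real policy; an empty list means no wildcard-action-on-wildcard-resource statements remain.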
Capability Assessment
Purpose & Capability
The skill's name/description match what the included scripts do: create VPC/EC2/SSM/IAM resources and bootstrap OpenClaw. One mismatch: registry metadata declares no required env vars, but SKILL.md and the scripts expect .env.starfish/.env.<name> (TELEGRAM_BOT_TOKEN required, optional GEMINI_API_KEY) and accept AWS credentials via profile/.env.aws — this should have been declared in metadata.
Instruction Scope
SKILL.md instructs the agent to run the included deploy/teardown/setup scripts which perform the expected provisioning steps (create VPC, IAM role, put SSM params, launch EC2, bootstrap Node/OpenClaw, smoke test). The runtime instructions do not ask the agent to read or exfiltrate unrelated local files beyond .env.* workspace files, nor to contact unexpected external endpoints beyond model providers (Bedrock/Gemini) and standard Node/GitHub downloads referenced in troubleshooting. Secrets are stored in SSM as documented (deployment behavior — not hidden).
Install Mechanism
This is an instruction-only skill that bundles deploy scripts. There is no 'installer' that pulls arbitrary code onto the user's machine at install time. The actual install actions occur later in user-run scripts (and on the EC2 instance via user-data). Those scripts download Node tarballs on the EC2 host (official nodejs.org), which is expected for bootstrapping but should be audited if you require strict supply-chain constraints.
Credentials
The scripts and README require AWS credentials (profile / .env.aws / environment / SSO) and a TELEGRAM_BOT_TOKEN (required) and optionally GEMINI_API_KEY. The skill metadata did not list these required env vars, creating a transparency gap. The deployer role/policy created by the helper script includes SSM:PutParameter/GetParameter and broad EC2/IAM actions (Resource: "*") to perform provisioning — these privileges are proportional to creating and tearing down the resources but are powerful and should be run from a dedicated deployer identity with reviewed, least-privilege policies and in an account where you accept those privileges.
Persistence & Privilege
The skill is not always-included and does not request any platform-level persistent privileges. It creates cloud resources (IAM roles, instance roles) as part of normal deployment; that is expected. It does not modify other skills or agent-wide settings. Autonomous invocation is allowed (platform default) but not exceptional here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install openclaw-aws-deploy
- After installation, invoke the skill by name or use /openclaw-aws-deploy
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — one-shot OpenClaw deployment to AWS. Creates VPC, EC2 (ARM64), Telegram channel, and configurable AI model (Bedrock/Gemini/any provider). SSM-only access, no SSH, encrypted EBS, ~$30/mo. Includes deploy, teardown, IAM setup, preflight checks, and 5 personality presets. 22 real-world issues documented and baked into scripts.
Frequently Asked Questions
What is OpenClaw AWS Deploy?
Deploy OpenClaw securely on AWS with a single command. Creates VPC, EC2 (ARM64), Telegram channel, and configurable AI model (Bedrock, Gemini, or any provide... It is an AI Agent Skill for Claude Code / OpenClaw, with 645 downloads so far.
How do I install OpenClaw AWS Deploy?
Run "/install openclaw-aws-deploy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw AWS Deploy free?
Yes, OpenClaw AWS Deploy is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw AWS Deploy support?
OpenClaw AWS Deploy is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw AWS Deploy?
It is built and maintained by Godwin Babu (@godwinbabu); the current version is v1.0.0.