← Back to Skills Marketplace
austineral

Agent Spawner

by AustinEral · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
1030
Downloads
1
Stars
3
Active Installs
1
Versions
Install in OpenClaw
/install agent-spawner
Description
Spawn a new OpenClaw agent through conversation. Uses official Docker setup and non-interactive onboarding, carries over API keys, tools, plugins, and skills...
README (SKILL.md)

Agent Spawner

Deploy a new OpenClaw agent conversationally. Official install, carry over config from the current agent. User never edits a file.

1. Read Current Config (silent)

cat ~/.openclaw/openclaw.json
cat ~/.openclaw/.env 2>/dev/null
env | grep -iE 'API_KEY|TOKEN'
ls ~/.openclaw/extensions/
ls \x3Cworkspace>/skills/

Identify:

  • Provider: check auth.profiles in config — could be Anthropic, OpenAI, Gemini, custom, etc.
  • API key: from env var or config (e.g. ANTHROPIC_API_KEY, GEMINI_API_KEY, OPENAI_API_KEY)
  • Model: from agents.defaults.model
  • Tool keys: anything in tools.* (search APIs, etc.)
  • Plugins: plugins.installs — names and npm specs
  • Skills: run openclaw skills list to see what's bundled vs workspace-only. Only carry over non-bundled skills.

2. Ask

  1. "Where should I deploy it?" — Docker (local or remote SSH) or bare metal?
  2. "Name?" — for container. Generate one if they don't care.
  3. "Anything special?" — purpose, constraints. Optional.

Don't ask about keys, plugins, skills, ports, or config. Carry everything over, use defaults.

3. Confirm Plan

After gathering answers, present the full plan before doing anything. Show everything in one summary:

Here's the plan:

📦 Deploy: Docker on \x3Ctarget>
📛 Name: \x3Cagent-name>
🌐 Port: \x3Cport>

Carrying over from current agent:
  ✅ Provider: Anthropic (API key)
  ✅ Model: anthropic/claude-sonnet-4-20250514
  ✅ Brave Search API key
  ✅ Plugins: openclaw-agent-reach
  ✅ Skills: agent-spawner, weather
  ✅ Heartbeat: 30m

The new agent will bootstrap its own identity on first message.

Good to go?

Only list items that actually exist. Wait for explicit confirmation before proceeding. If the user wants changes, adjust and re-confirm.

4. Deploy

Docker

git clone https://github.com/openclaw/openclaw.git \x3Cagent-name>
cd \x3Cagent-name>

Set env and run non-interactive onboard. Match the provider detected in step 1:

export OPENCLAW_IMAGE=alpine/openclaw:latest
export OPENCLAW_CONFIG_DIR=~/.openclaw-\x3Cagent-name>
export OPENCLAW_WORKSPACE_DIR=~/.openclaw-\x3Cagent-name>/workspace
export OPENCLAW_GATEWAY_PORT=\x3Cunused port, default 18789>
export OPENCLAW_GATEWAY_BIND=lan

mkdir -p $OPENCLAW_CONFIG_DIR/workspace

Onboard flags vary by provider. Use the matching --auth-choice and key flag:

Provider --auth-choice Key flag
Anthropic apiKey --anthropic-api-key
Gemini gemini-api-key --gemini-api-key
OpenAI apiKey (set OPENAI_API_KEY env)
Custom custom-api-key --custom-api-key + --custom-base-url + --custom-model-id 
docker compose run --rm openclaw-cli onboard --non-interactive --accept-risk \
  --mode local \
  --auth-choice \x3Cdetected> \
  --\x3Cprovider>-api-key "$API_KEY" \
  --gateway-port 18789 \
  --gateway-bind lan \
  --skip-skills

docker compose up -d openclaw-gateway

Official compose uses bind mounts — host user owns files, no permission issues.

Onboard error about gateway connection is expected (not running yet). Config is written.

Bare metal

curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard

openclaw onboard --non-interactive --accept-risk \
  --mode local \
  --auth-choice \x3Cdetected> \
  --\x3Cprovider>-api-key "$API_KEY" \
  --gateway-port 18789 \
  --gateway-bind lan \
  --install-daemon \
  --daemon-runtime node \
  --skip-skills

5. Patch Running Agent

CLI alias:

  • Docker: OC="docker compose exec openclaw-gateway node /app/openclaw.mjs"
  • Bare metal: OC="openclaw"

Config (only patch what the current agent actually has):

$OC config set agents.defaults.model "\x3Cmodel>"
$OC config set agents.defaults.heartbeat.every "30m"
# Tool keys — only if they exist in current config
$OC config set tools.web.search.apiKey "\x3Ckey>"

Plugins (from plugins.installs in current config):

$OC plugins install \x3Cnpm-spec>
# Repeat for each plugin

Skills (copy workspace skills):

# Docker
docker cp \x3Csource-workspace>/skills/ \x3Ccontainer>:/home/node/.openclaw/workspace/skills/
# Bare metal
cp -r \x3Csource-workspace>/skills/ ~/.openclaw/workspace/skills/

Restart:

docker compose restart openclaw-gateway  # Docker
openclaw gateway restart                 # bare metal

6. Hand Off

Read the gateway token:

grep -A1 '"token"' $OPENCLAW_CONFIG_DIR/openclaw.json

Tell the user:

  • URL: http://\x3Chost>:\x3Cport>/
  • Token: (from config — onboard auto-generates one)
  • "Say hello — it'll bootstrap itself."

Notes

  • openclaw not in PATH inside Docker. Use node /app/openclaw.mjs.
  • --accept-risk required for non-interactive onboard.
  • alpine/openclaw:latest — pre-built official image.
  • Don't use named Docker volumes — root ownership issues. Official compose uses bind mounts.
  • Multiple agents on same host: use different OPENCLAW_CONFIG_DIR and OPENCLAW_GATEWAY_PORT.
  • Plugins and skills persist in ~/.openclaw/ volume (extensions/ and workspace/skills/).
  • SSH keys, git config, apt packages are ephemeral — not in the volume, by design.
Usage Guidance
This skill will, by design, read your OpenClaw config and environment and copy API keys, tokens, plugins, and skills into a new agent — and it explicitly instructs a 'silent' scan and to 'carry everything over' without asking about keys. Before installing or running it: (1) verify the skill's provenance and the openclaw.openclaw repository / openclaw.ai install script you will be fetching; (2) do NOT allow or permit silent reading of your environment — require explicit consent and show which keys will be copied; (3) prefer creating and using limited-scope API keys for the new agent and rotate keys afterward; (4) avoid running curl | bash from an unverified domain — download and inspect install scripts first; (5) run the process in an isolated host or VM if you must test; (6) consider manual migration of secrets rather than automating a silent copy. If you install this skill, require it to present the exact list of keys and files it intends to read/copy and obtain explicit user confirmation for each before proceeding.
Capability Analysis
Type: OpenClaw Skill Name: agent-spawner Version: 0.1.0 The skill is designed to spawn a new OpenClaw agent and transfer configuration, including API keys. The primary concern is the command `env | grep -iE 'API_KEY|TOKEN'` in `SKILL.md`. This command is overly broad and instructs the agent to read all environment variables matching 'API_KEY' or 'TOKEN', potentially exposing sensitive credentials unrelated to OpenClaw that might be present in the agent's execution environment. While the stated purpose appears to be transferring relevant OpenClaw keys, this implementation constitutes a significant data exposure vulnerability due to its lack of scope. Additionally, the use of `curl -fsSL https://openclaw.ai/install.sh | bash` for bare metal installation, while common for official installers, introduces a supply chain risk.
Capability Assessment
Purpose & Capability
The name/description (spawn a new OpenClaw agent and carry over keys/plugins/skills) align with the actions described in SKILL.md: reading the current OpenClaw config and environment, cloning the repo, and bootstrapping a new agent. Carrying over provider, model, tools, plugins and skills is coherent with the stated purpose. However, carrying secrets (API keys, gateway token) is a sensitive operation and should be made explicit to the user rather than done 'silent'.
Instruction Scope
The instructions explicitly tell the agent to run commands that read local config and secrets (cat ~/.openclaw/openclaw.json, cat ~/.openclaw/.env, env | grep -iE 'API_KEY|TOKEN', ls <workspace>/skills/), then copy keys and tokens into the new agent without asking about keys ('Don't ask about keys... Carry everything over'). Step 1 is labeled 'silent', which means secrets may be accessed without user-visible consent. The skill also instructs extracting the gateway token from the new agent's config and reporting it to the user. This broad, silent access to environment variables and files is out-of-band for typical conversational skills and expands the attack surface.
Install Mechanism
The skill is instruction-only (no install spec), which limits static risk, but the runtime instructions include execution of remote-install commands: git clone https://github.com/openclaw/openclaw.git and curl -fsSL https://openclaw.ai/install.sh | bash. curl|bash is high-risk unless the URL and script provenance are verified; the skill provides no homepage or verifiable owner information. Using these commands (and later npm plugin installs) will fetch and execute remote code during deployment.
Credentials
Although copying provider API keys and tool/plugin keys is relevant to migrating an agent, the skill requests no declared environment variables but instructs the agent to scan all environment variables for any API_KEY/TOKEN values and to read config files that may contain secrets. This implicit, broad secret collection (including grepping the entire environment) is disproportionate without explicit, granular user consent or restriction to only the minimal keys required for the new agent.
Persistence & Privilege
The skill does not request 'always: true' and is not persistent itself, but its workflow instructs duplicating secrets, plugins, and skills into a newly created agent. Duplicating credentials and installing plugins increases the blast radius and creates a persistent agent instance that holds the same privileges as the original. The SKILL.md also suggests installing npm plugins and running containerized services, which can introduce ongoing privileges on the host and network.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agent-spawner
  3. After installation, invoke the skill by name or use /agent-spawner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release: enables conversational deployment of new OpenClaw agents with minimal user input. - Gathers current agent's provider, API keys, plugins, and workspace skills automatically. - Asks user only for deployment target, agent name, and optional purpose. - Shows detailed deployment plan and waits for user confirmation. - Supports both Docker (local or remote) and bare metal installations. - Migrates relevant configs, tool keys, plugins, and custom skills to the new agent. - Presents final access URL and token upon successful agent creation.
Metadata
Slug agent-spawner
Version 0.1.0
License
All-time Installs 3
Active Installs 3
Total Versions 1
Frequently Asked Questions

What is Agent Spawner?

Spawn a new OpenClaw agent through conversation. Uses official Docker setup and non-interactive onboarding, carries over API keys, tools, plugins, and skills... It is an AI Agent Skill for Claude Code / OpenClaw, with 1030 downloads so far.

How do I install Agent Spawner?

Run "/install agent-spawner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Agent Spawner free?

Yes, Agent Spawner is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Agent Spawner support?

Agent Spawner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Agent Spawner?

It is built and maintained by AustinEral (@austineral); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments