maxzyma

ohmyopenclaw

by Z.Y. Ma · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 421
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install ohmyopenclaw
Description
AI-native configuration and setup guides for OpenClaw
Usage Guidance
Before installing or allowing this skill to run automatically:
- Do not run the provided 'curl | bash' or PowerShell 'iex' installer without auditing the remote script; prefer a vetted release (GitHub release tarball, signed binary, or manual inspection). The domain used by the installer (get.ohmyopenclaw.dev) is not a known trusted host.
- Review the repository and installer script contents (or ask the author for a release tarball) so you know exactly what will be written and executed on your machine.
- Expect the guides to request many API keys and to modify local config files under ~/.openclaw; only provide credentials you trust and store them securely (do not paste secrets into chat).
- Be cautious about enabling cron jobs/heartbeats and webhooks: they cause periodic scanning and external callbacks. Inspect any webhook endpoints and restrict network access (use firewall rules, vetted endpoints).
- The monitoring guide instructs scanning /var/log/myapp and GitHub issues; if you enable those, ensure the agent has only the minimum required file access and that sensitive logs are not exposed.
- If you want to proceed, consider: (1) manually applying guide steps instead of granting autonomous execution; (2) running the installer in an isolated environment or container; (3) backing up existing openclaw.json and workspace files so you can revert changes; (4) limiting the skill's access to credentials and network at the OS or container level.
Reason for rating: the skill is generally coherent with its stated purpose but includes high-risk installer commands, undocumented secret requirements, and instructions that allow system-level scanning and network callbacks — together these are suspicious and warrant manual review before trusting automatic installation or autonomous operation.
Capability Analysis
Type: OpenClaw Skill
Name: ohmyopenclaw
Version: 1.0.0
The skill bundle is classified as suspicious due to its extensive use of high-risk capabilities, including direct shell command execution, modification of the agent's core configuration (`openclaw.json`), creation of executable scripts (`check-costs.sh` in `guides/cost-optimization.md`), and instructions to create/modify sensitive files like `~/.openclaw/.env` (in `guides/chinese-providers.md`). Furthermore, `guides/monitor.md` configures autonomous scheduled tasks (cron jobs) for the AI, enabling it to perform actions without direct user prompting. While these actions are presented as legitimate configuration steps for an AI agent, they represent significant vulnerabilities if the skill bundle were malicious or if the agent were susceptible to prompt injection, as they grant broad control over the system and the agent's behavior. There is no clear evidence of intentional malicious behavior (e.g., data exfiltration, backdoors) within the provided files, but the inherent power and potential for misuse make it suspicious.
Capability Assessment
Purpose & Capability
The name and description claim configuration/setup guides for OpenClaw and the included markdown files do provide such guides (agent-swarm, memory, monitoring, provider configuration, cost). That capability justifies most of the changes the guides suggest (editing openclaw.json, creating workspace files, enabling heartbeats/cron jobs). However, some suggested actions (scanning /var/log, checking GitHub issues, configuring external webhooks) expand the skill's reach beyond purely local config guidance; these actions are plausible for a monitoring/automation guide but should have been declared explicitly in metadata (no required env/config paths were declared).
Instruction Scope
The SKILL.md instructs the AI to execute configuration changes, create cron jobs, scan system logs (/var/log/myapp), scan code and GitHub issues, spawn agents, and update local state under ~/.openclaw. Those are powerful operations that can touch system logs and external endpoints. The guide also tells users to run remote installer commands (curl | bash and PowerShell iex). The instructions do not declare or surface exactly what network callbacks/webhooks will be used; some examples include external endpoints (hooks.slack.com, api.example.com) which could be used for notifications or, if misconfigured, exfiltration.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md provides explicit install commands that pipe remote content into a shell: 'curl -fsSL https://get.ohmyopenclaw.dev | bash' and PowerShell 'irm https://get.ohmyopenclaw.dev/install.ps1 | iex'. The domain get.ohmyopenclaw.dev is not a well-known release host; installing arbitrary scripts from an unknown host is high risk because it executes remote code without review.
Credentials
Registry metadata lists no required environment variables, yet the Chinese providers guide and other docs instruct users to create ~/.openclaw/.env with many API keys (QWEN_API_KEY, ZHIPU_API_KEY, ERNIE_API_KEY/SECRET, DEEPSEEK_API_KEY, optional ANTHROPIC_API_KEY, etc.). The skill thus expects sensitive credentials to be provided and stored, but the metadata does not declare these requirements. That mismatch is an incoherence and increases risk: the agent may request secrets at runtime that were not signaled at install time. The guides also suggest adding webhook URLs and potentially storing those in config files.
Persistence & Privilege
The skill is not marked 'always: true' and model invocation is allowed (the default). It asks the AI to create cron jobs, heartbeat actions, and persistent files under ~/.openclaw (tasks, memory, monitoring). Those are reasonable for a configuration/monitoring skill, but they give the skill ongoing presence (periodic scans and automatic agent spawning) if the agent applies the guides. Because autonomous invocation is allowed by default, that combination amplifies risk if the skill or its installer is malicious — this is worth consideration but is not flagged as a metadata privilege misconfiguration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ohmyopenclaw
  3. After installation, invoke the skill by name or use /ohmyopenclaw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: AI-native configuration guides for OpenClaw
Metadata
Slug ohmyopenclaw
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is ohmyopenclaw?

AI-native configuration and setup guides for OpenClaw. It is an AI Agent Skill for Claude Code / OpenClaw, with 421 downloads so far.

How do I install ohmyopenclaw?

Run "/install ohmyopenclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ohmyopenclaw free?

Yes, ohmyopenclaw is completely free (open-source). You can download, install and use it at no cost.

Which platforms does ohmyopenclaw support?

ohmyopenclaw is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created ohmyopenclaw?

It is built and maintained by Z.Y. Ma (@maxzyma); the current version is v1.0.0.
