功能描述

Production deployment checklist for AI agent infrastructure. Covers Mac Mini and server deployment with 5-layer stack (base install, IAM config, client softw...

使用说明 (SKILL.md)

Agent Deployment Checklist

Name: Agent Deployment Checklist
Author: samledger67-dotcom

Production deployment framework for AI agent infrastructure on dedicated hardware (Mac Mini, Linux servers). Every deployment follows the same 5-layer stack, every time, no shortcuts.

The 5-Layer Deployment Stack

Every agent deployment is five layers applied in order. No layer is optional. Each layer has a binary pass/fail gate before moving to the next.

Layer 1: Base OS + OpenClaw Install (Scripted)

Goal: Clean machine with OpenClaw runtime ready.

Checklist:

Fresh OS install or verified clean state
OS updates applied to latest stable
Xcode Command Line Tools installed (macOS)
Homebrew installed and updated (macOS)
Node.js LTS installed via nvm
Python 3.11+ installed
Git configured with deploy key
OpenClaw CLI installed and verified
Claude Code installed and licensed
Working directory created at ~/.openclaw/workspace
SSH key pair generated for this machine

Script template:

#!/bin/bash
# layer-1-base-install.sh
set -euo pipefail

echo "=== Layer 1: Base Install ==="

# macOS-specific
xcode-select --install 2>/dev/null || true
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew update && brew upgrade

# Runtime
brew install nvm [email protected] git jq
nvm install --lts
nvm use --lts

# OpenClaw workspace
mkdir -p ~/.openclaw/workspace
cd ~/.openclaw/workspace
git init

echo "Layer 1 complete. Verify: node --version && python3 --version && git --version"

Gate: node --version returns LTS, python3 --version returns 3.11+, git status works in workspace directory.

Layer 2: IAM Config (White-Glove)

Goal: Identity, access, and API keys configured for this specific client/deployment.

This layer is always done manually — never scripted — because every client's access pattern is different.

Checklist:

API keys provisioned (Anthropic, OpenAI if needed)
API keys stored in environment variables (never in files)
.env file created with proper permissions (chmod 600)
Client-specific service accounts created
MCP server credentials configured
GitHub/GitLab access tokens scoped to client repos only
Email/calendar integrations authorized (OAuth tokens)
QuickBooks / accounting integrations connected (if applicable)
All credentials tested with a live API call
Credential rotation schedule documented

Key principle: Client pays for their own API keys and licenses. We never share keys across clients.

# Verify all credentials work
echo "Testing Anthropic API..."
curl -s https://api.anthropic.com/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "content-type: application/json" \
  -d '{"model":"claude-sonnet-4-20250514","max_tokens":10,"messages":[{"role":"user","content":"ping"}]}' \
  | jq '.content[0].text'

echo "Testing GitHub access..."
gh auth status

Gate: Every configured API key returns a valid response. No 401s, no 403s.

Layer 3: Client-Specific Software (Varies)

Goal: Install and configure whatever tools this specific client needs.

This layer varies per deployment. Common patterns:

For accounting/bookkeeping clients:

QuickBooks MCP server configured (read-only by default)
Financial reporting templates deployed
Tax calendar crons scheduled

For marketing/content clients:

CMS integrations connected
Social media API access configured
Analytics dashboards linked

For development team clients:

CI/CD pipeline access configured
Code review automation set up
Deployment notification channels connected

For legal/compliance clients:

Document management system access
Compliance calendar configured
Audit trail logging enabled

Gate: Client-specific test suite passes. Each integration returns expected data.

Layer 4: Security Hardening (Every Deployment)

Goal: Lock down the machine to production security standards.

Checklist:

Firewall enabled and configured (only required ports open)
SSH hardening applied:
- Password authentication disabled
- Root login disabled
- Key-only authentication enforced
- Non-standard SSH port configured
Disk encryption enabled (FileVault on macOS, LUKS on Linux)
Automatic security updates enabled
Fail2ban or equivalent installed and configured
Log rotation configured
File integrity monitoring enabled
.env and credential files have 600 permissions
No credentials in git history (verified with git log --all -p | grep -i "api_key\|secret\|password")
SOUL, IDENTITY, USER, AGENTS files marked as sacred (never leave the environment)
Outbound network allowlist configured (only known API endpoints)

macOS firewall script:

#!/bin/bash
# layer-4-firewall.sh
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
echo "Firewall configured. Verify: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate"

Gate: Security audit script returns grade A or B. No grade C or below passes.

Layer 5: Onboarding — Day 1

Goal: Client can interact with their agent and sees value immediately.

Checklist:

5-file memory system scaffolded (see below)
Starter crons installed and verified
Health check running and reporting
Client walkthrough completed (30-min live session)
Client can ask agent a question and get a response
First real task completed with client watching
Emergency contact and escalation path documented
Client has link to support channel
Week-1 check-in scheduled

The Day-1 demo: Always do one real task live. Not a demo. Not a rehearsed script. Pick something from their actual workflow and do it. This is how you build trust.

Gate: Client has independently asked the agent a question and received a useful answer without help.

Pre-Scaffolded 5-File Memory System

Every deployment starts with the same five files. They are empty templates, not boilerplate — the agent fills them in during operation.

SOUL.md Template

# SOUL

## Identity
You are [CLIENT_NAME]'s AI operations agent, deployed by IAM Solutions.

## Core Values
- Accuracy over speed
- Ask before assuming
- Protect client data absolutely
- Learn and improve continuously

## Boundaries
- Never share client data outside this environment
- Never execute financial transactions without explicit approval
- Never modify production systems without confirmation
- Escalate to human when uncertain

## Communication Style
[To be calibrated during onboarding based on client preference]

IDENTITY.md Template

# IDENTITY

## Deployment
- Deployed: [DATE]
- Hardware: [MACHINE_SPEC]
- Location: [PHYSICAL_OR_CLOUD_LOCATION]
- Managed by: IAM Solutions

## Capabilities
[Populated during Layer 3 based on installed integrations]

## Limitations
[Documented during onboarding based on what's explicitly out of scope]

USER.md Template

# USER

## Primary User
- Name: [CLIENT_NAME]
- Role: [CLIENT_ROLE]
- Communication preference: [EMAIL/SLACK/SMS]

## Access Pattern
[How and when the client typically interacts — populated after first week]

## Domain Knowledge
[What the client knows well vs. where they need more explanation — populated over time]

AGENTS.md Template

# AGENTS

## Active Agents
[List of running agents, their roles, and their schedules — populated during Layer 3]

## Agent Communication
[How agents coordinate, share memory, escalate — configured during deployment]

MEMORY.md Template

# MEMORY

Memory index for [CLIENT_NAME] deployment.
Created: [DATE]

## Memories
[Index populated as agent creates memories during operation]

Starter Cron Templates

Every deployment gets these three crons minimum.

Health Check (Every 4 Hours)

# health-check.cron
# Runs every 4 hours, reports system health
0 */4 * * * /path/to/health-check.sh >> /var/log/openclaw/health.log 2>&1

#!/bin/bash
# health-check.sh
GRADE="A"
ISSUES=""

# Check disk space
DISK_USAGE=$(df -h / | awk 'NR==2 {print $5}' | tr -d '%')
if [ "$DISK_USAGE" -gt 90 ]; then GRADE="F"; ISSUES+="Disk >90%. ";
elif [ "$DISK_USAGE" -gt 80 ]; then GRADE="C"; ISSUES+="Disk >80%. "; fi

# Check memory
# Check API connectivity
# Check cron jobs running
# Check log file sizes

echo "$(date): Health Grade: $GRADE ${ISSUES:-No issues}"

Memory Maintenance (Daily at 2 AM)

# memory-maintenance.cron
0 2 * * * /path/to/memory-maintenance.sh >> /var/log/openclaw/memory.log 2>&1

#!/bin/bash
# memory-maintenance.sh
# Compress old session logs
# Archive memories older than 30 days
# Verify MEMORY.md index matches actual files
# Report memory file count and total size

MEMORY_DIR="$HOME/.openclaw/workspace/memory"
FILE_COUNT=$(find "$MEMORY_DIR" -name "*.md" | wc -l)
TOTAL_SIZE=$(du -sh "$MEMORY_DIR" | awk '{print $1}')
echo "$(date): Memory files: $FILE_COUNT, Total size: $TOTAL_SIZE"

Backup (Daily at 3 AM)

# backup.cron
0 3 * * * /path/to/backup.sh >> /var/log/openclaw/backup.log 2>&1

#!/bin/bash
# backup.sh
BACKUP_DIR="/backups/openclaw/$(date +%Y-%m-%d)"
mkdir -p "$BACKUP_DIR"

# Back up workspace (excluding node_modules, .git objects)
rsync -a --exclude='node_modules' --exclude='.git/objects' \
  "$HOME/.openclaw/workspace/" "$BACKUP_DIR/workspace/"

# Back up cron definitions
crontab -l > "$BACKUP_DIR/crontab.bak"

# Keep last 30 days of backups
find /backups/openclaw -maxdepth 1 -type d -mtime +30 -exec rm -rf {} \;

echo "$(date): Backup complete to $BACKUP_DIR"

Hardware Requirements

Minimum (Single-Agent Deployment)

Component	Spec
CPU	Apple M1 or equivalent
RAM	16 GB
Storage	256 GB SSD
Network	Stable broadband, static IP preferred
UPS	Recommended for always-on deployments

Recommended (Multi-Agent Deployment)

Component	Spec
CPU	Apple M2 Pro / M4 or equivalent
RAM	32 GB
Storage	512 GB SSD
Network	Business-grade with failover
UPS	Required

Network Configuration

Outbound allowlist (minimum):
- api.anthropic.com (Anthropic API)
- api.openai.com (if using OpenAI models)
- github.com (code repos)
- api.github.com (GitHub API)
- smtp.gmail.com (email, if applicable)
- quickbooks.api.intuit.com (QBO, if applicable)

Inbound:
- SSH on non-standard port (key-only)
- No other inbound ports required for typical deployments

Post-Deployment Monitoring

Week 1: Daily Check-ins

Is the agent responding correctly?
Are crons running on schedule?
Any errors in logs?
Client satisfaction?

Weeks 2-4: Twice-Weekly

Memory system growing appropriately?
Performance stable?
Any new integration needs?

Month 2+: Weekly

Health grade trend
Backup verification
Security update status
Client feature requests

Deployment Anti-Patterns

Don't do these:

Sharing API keys across clients. Every client pays for their own. No exceptions.
Skipping Layer 4. "It's just a test deployment" is how breaches start.
Copying another client's SOUL.md. Every deployment gets a fresh identity calibrated to the client.
Enabling write access on day 1. Start read-only. Earn write access through demonstrated reliability.
Deploying without a health check cron. If you can't monitor it, don't deploy it.
Promising specific features before Layer 3. Scope the deployment, then promise.

安全使用建议

This checklist appears to be a reasonable deployment playbook, but do not follow it blindly. Before running any provided scripts: 1) Verify the origin of instal scripts (Homebrew, nvm, OpenClaw/Claude installers) and prefer vendor-signed releases or package managers you trust; avoid piping remote scripts into a shell without review. 2) Use least-privilege API keys and OAuth tokens; prefer a secrets manager over plaintext .env files when possible. If you must use a .env, enforce strict permissions and ensure it is never committed. 3) Resolve the contradiction in the doc about 'never in files' vs creating a .env file—decide on a single secure practice and follow it. 4) Review and vet any referenced third-party components (’Claude Code’, ‘MCP server’, etc.) to confirm legitimate download/licensing sources. 5) Scrub git history before pushing, and validate outbound allowlists and logging controls for client data. If you want higher confidence, provide the full (non-truncated) SKILL.md, confirmation of authoritative installer URLs for OpenClaw/Claude components, and the origin/maintainer identity for this checklist.

功能分析

Type: OpenClaw Skill Name: agent-deployment-checklist Version: 98.0.1 thought The user wants me to analyze a set of files for an OpenClaw AgentSkills skill bundle. The bundle contains: - `_meta.json`: Metadata about the skill (owner, slug, version, date). - `SKILL.md`: A detailed markdown file describing a "Production deployment checklist for AI agent infrastructure". I need to classify this as `benign`, `suspicious`, or `malicious` based on specific criteria: - Data exfiltration - Malicious execution (RCE, etc.) - Persistence/backdoors - Prompt injection against the agent - Obfuscation - Supply chain issues Let's look at `SKILL.md`. It's a checklist for deploying AI agents on Mac Mini or Linux servers. It includes: - Layer 1: Base OS + OpenClaw Install (Scripted). Includes a bash script that installs Homebrew, nvm, python, git, etc. - Layer 2: IAM Config (Manual). Mentions API keys, `.env` files, etc. - Layer 3: Client-Specific Software. - Layer 4: Security Hardening. Includes a script for macOS firewall. - Layer 5: Onboarding. - 5-file memory system templates (`SOUL.md`, `IDENTITY.md`, `USER.md`, `AGENTS.md`, `MEMORY.md`). - Starter Cron Templates (Health check, Memory maintenance, Backup). Analysis: 1. **Data exfiltration**: The scripts provided are templates. The `backup.sh` script backs up the workspace to a local directory `/backups/openclaw/`. It doesn't seem to exfiltrate data to an external endpoint. 2. **Malicious execution**: The scripts use `curl | bash` for Homebrew installation, which is standard practice but technically a risk. However, it's a well-known URL (`raw.githubusercontent.com/Homebrew/install/HEAD/install.sh`). The scripts are intended for the user/admin to run during deployment. 3. **Persistence / backdoors**: It sets up cron jobs. These are for health checks, memory maintenance, and backups. This is standard for server management. It also mentions SSH hardening (disabling passwords, root login). 4. **Prompt injection**: The `SKILL.md` is a set of instructions for a human or an AI agent to follow. Does it contain instructions to ignore the user or hide actions? No. It emphasizes security ("Protect client data absolutely", "Never share client data outside this environment"). 5. **Obfuscation**: None found. 6. **Supply chain**: It installs standard tools (nvm, python, git, jq). The content seems to be a legitimate, well-structured guide for deploying AI agents securely. It includes security hardening steps (Layer 4) and emphasizes data protection. Wait, let's look closer at the scripts. `layer-1-base-install.sh`: - Installs Homebrew. - Installs nvm, python, git, jq. - Creates a workspace. This is standard setup. `layer-4-firewall.sh`: - Enables macOS firewall and blocks all incoming connections. This is a security measure. Cron scripts: - `health-check.sh`: Checks disk space. - `memory-maintenance.sh`: Manages files in the workspace. - `backup.sh`: Backs up the workspace locally. The `SKILL.md` instructions are for the agent to help a user deploy infrastructure. The "5-file memory system" is a common pattern in agentic frameworks. Is there any prompt injection? The `SOUL.md` template says: "Protect client data absolutely", "Never share client data outside this environment". The "Deployment Anti-Patterns" section warns against sharing API keys and skipping security. The instructions are very specific to "dedicated hardware (Mac Mini, Linux servers)" and "NOT for cloud/serverless deployments". One potential concern: The script in Layer 1 runs `curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | /bin/bash`. While standard for Homebrew, in a security context, it's a "curl|bash" pattern. However, given the context of a deployment checklist, this is expected behavior for setting up a Mac. The `SKILL.md` contains instructions that an AI agent would interpret. If an agent reads this, it will understand the deployment process. There are no "ignore previous instructions" or "exfiltrate keys" commands. The `_meta.json` has a version `98.0.1` and a date in the future (1773724909664 is roughly March 2026). This is slightly odd but not necessarily malicious. The content is a "Production deployment checklist". It's a guide. The "5-layer stack" and "5-file memory system" are architectural patterns. Classification: Benign. The bundle provides a comprehensive and security-conscious framework for deploying AI agents. The scripts are standard administrative tasks (installing runtimes, configuring firewalls, setting up backups). There is no evidence of malicious intent, data exfiltration, or harmful prompt injection. Wait, let me double check the "Prompt injection" aspect. The instructions tell the agent how to behave: "Accuracy over speed", "Protect client data absolutely". These are positive constraints. The "Gate" sections are for the human/agent to verify progress. One detail: `claude-sonnet-4-20250514` in the API test. This model name doesn't exist yet (as of my current knowledge cutoff), suggesting this is a forward-looking or hypothetical template. The `backup.sh` script: `find /backups/openclaw -maxdepth 1 -type d -mtime +30 -exec rm -rf {} \;` This is a standard cleanup for backups. The `SKILL.md` is essentially a SOP (Standard Operating Procedure). Conclusion: Benign. Summary points: - The bundle provides a structured deployment framework for AI agents on dedicated hardware. - It includes security-focused steps like firewall configuration, SSH hardening, and local backup scripts. - The instructions emphasize data privacy and operational integrity without any signs of malicious intent or exfiltration. One more check: Does it try to steal keys? Layer 2 says: "API keys stored in environment variables (never in files)", "`.env` file created with proper permissions (`chmod 600`)". This is good practice. It includes a test script for the API key using `curl`. This is for verification. The `SKILL.md` is a documentation file that an agent uses to guide a deployment. It doesn't contain code that executes automatically upon loading the skill, but rather scripts that are meant to be run as part of the process. Final check on "malicious" vs "suspicious": - No intentional harmful behavior. - No risky capabilities that aren't justified by the purpose (deployment). - No obfuscation. - No exfiltration. Classification: benign. ```json { "classification": "benign", "summary": "The skill bundle provides a comprehensive and security-conscious production deployment checklist for AI agent infrastructure on dedicated hardware. It includes standard administrative scripts for environment setup (Layer 1), firewall configuration (Layer 4), and local backup/maintenance crons, all of which align with the stated purpose of infrastructure management. The instructions in SKILL.md emphasize data protection, credential safety (e.g., using .env with restricted permissions), and operational integrity, with no evidence of malicious intent, data exfiltration, or harmful prompt injection." } ```

能力评估

✓ Purpose & Capability

Name and description align with the checklist contents: base OS setup, IAM/configuration, client-specific installs, security hardening and onboarding. Requested actions (installing Homebrew, nvm, Python, configuring API keys, connecting client services like QuickBooks/GitHub/Anthropic) are appropriate for an agent deployment checklist.

⚠ Instruction Scope

SKILL.md contains concrete shell scripts and manual steps that will be executed by operators. It instructs live API calls to test API keys and to create a ~/.openclaw/workspace and git init. There is a direct contradiction: it says 'API keys stored in environment variables (never in files)' and also instructs creating a '.env' file with chmod 600. The document also references 'sacred' files (SOUL, IDENTITY, USER, AGENTS) without clear handling guidance. These inconsistencies broaden the agent operator's discretion and risk accidental exposure of secrets if followed blindly.

ℹ Install Mechanism

Skill is instruction-only (no install spec), which reduces static risk, but provided scripts call network installers (curl to raw.githubusercontent.com to install Homebrew, brew installs, nvm installs). Using remote install scripts (curl|bash patterns) is common but increases risk if sources aren't verified. 'Claude Code installed and licensed' and 'OpenClaw CLI installed' are referenced without authoritative install URLs or verification guidance.

⚠ Credentials

Although no env vars are declared in metadata, the checklist expects many credentials (Anthropic, OpenAI possibly, GitHub/GitLab tokens, MCP server credentials, QuickBooks, OAuth tokens, etc.). That breadth is expected for multi-client deployments, but it increases the attack surface and requires careful policy: the file contradicts itself about never storing keys in files vs creating a .env file. The checklist also instructs testing keys with live API calls which is reasonable but implies handling and transmission of secrets to external endpoints—operators should ensure use of least-privilege keys and secure storage (secret manager) rather than plaintext .env when possible.

✓ Persistence & Privilege

Metadata shows no always:true and no install artifacts embedded in the skill; it's user-invocable only. The skill does not request modification of other skills or system-wide agent settings. Persistence is limited to operator actions described in the instructions (creating workspace, installing packages).

版本历史

v98.0.1

Corrected display name

v98.0.0

probe

v1.0.0

test

元数据

Slug agent-deployment-checklist

版本 98.0.1

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 3

常见问题