← 返回 Skills 市场
Agent Spawner
作者
AustinEral
· GitHub ↗
· v0.1.0
1030
总下载
1
收藏
3
当前安装
1
版本数
在 OpenClaw 中安装
/install agent-spawner
功能描述
Spawn a new OpenClaw agent through conversation. Uses official Docker setup and non-interactive onboarding, carries over API keys, tools, plugins, and skills...
使用说明 (SKILL.md)
Agent Spawner
Deploy a new OpenClaw agent conversationally. Official install, carry over config from the current agent. User never edits a file.
1. Read Current Config (silent)
cat ~/.openclaw/openclaw.json
cat ~/.openclaw/.env 2>/dev/null
env | grep -iE 'API_KEY|TOKEN'
ls ~/.openclaw/extensions/
ls \x3Cworkspace>/skills/
Identify:
- Provider: check
auth.profilesin config — could be Anthropic, OpenAI, Gemini, custom, etc. - API key: from env var or config (e.g.
ANTHROPIC_API_KEY,GEMINI_API_KEY,OPENAI_API_KEY) - Model: from
agents.defaults.model - Tool keys: anything in
tools.*(search APIs, etc.) - Plugins:
plugins.installs— names and npm specs - Skills: run
openclaw skills listto see what's bundled vs workspace-only. Only carry over non-bundled skills.
2. Ask
- "Where should I deploy it?" — Docker (local or remote SSH) or bare metal?
- "Name?" — for container. Generate one if they don't care.
- "Anything special?" — purpose, constraints. Optional.
Don't ask about keys, plugins, skills, ports, or config. Carry everything over, use defaults.
3. Confirm Plan
After gathering answers, present the full plan before doing anything. Show everything in one summary:
Here's the plan:
📦 Deploy: Docker on \x3Ctarget>
📛 Name: \x3Cagent-name>
🌐 Port: \x3Cport>
Carrying over from current agent:
✅ Provider: Anthropic (API key)
✅ Model: anthropic/claude-sonnet-4-20250514
✅ Brave Search API key
✅ Plugins: openclaw-agent-reach
✅ Skills: agent-spawner, weather
✅ Heartbeat: 30m
The new agent will bootstrap its own identity on first message.
Good to go?
Only list items that actually exist. Wait for explicit confirmation before proceeding. If the user wants changes, adjust and re-confirm.
4. Deploy
Docker
git clone https://github.com/openclaw/openclaw.git \x3Cagent-name>
cd \x3Cagent-name>
Set env and run non-interactive onboard. Match the provider detected in step 1:
export OPENCLAW_IMAGE=alpine/openclaw:latest
export OPENCLAW_CONFIG_DIR=~/.openclaw-\x3Cagent-name>
export OPENCLAW_WORKSPACE_DIR=~/.openclaw-\x3Cagent-name>/workspace
export OPENCLAW_GATEWAY_PORT=\x3Cunused port, default 18789>
export OPENCLAW_GATEWAY_BIND=lan
mkdir -p $OPENCLAW_CONFIG_DIR/workspace
Onboard flags vary by provider. Use the matching --auth-choice and key flag:
| Provider | --auth-choice | Key flag |
|---|---|---|
| Anthropic | apiKey |
--anthropic-api-key |
| Gemini | gemini-api-key |
--gemini-api-key |
| OpenAI | apiKey |
(set OPENAI_API_KEY env) |
| Custom | custom-api-key |
--custom-api-key + --custom-base-url + --custom-model-id |
docker compose run --rm openclaw-cli onboard --non-interactive --accept-risk \
--mode local \
--auth-choice \x3Cdetected> \
--\x3Cprovider>-api-key "$API_KEY" \
--gateway-port 18789 \
--gateway-bind lan \
--skip-skills
docker compose up -d openclaw-gateway
Official compose uses bind mounts — host user owns files, no permission issues.
Onboard error about gateway connection is expected (not running yet). Config is written.
Bare metal
curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard
openclaw onboard --non-interactive --accept-risk \
--mode local \
--auth-choice \x3Cdetected> \
--\x3Cprovider>-api-key "$API_KEY" \
--gateway-port 18789 \
--gateway-bind lan \
--install-daemon \
--daemon-runtime node \
--skip-skills
5. Patch Running Agent
CLI alias:
- Docker:
OC="docker compose exec openclaw-gateway node /app/openclaw.mjs" - Bare metal:
OC="openclaw"
Config (only patch what the current agent actually has):
$OC config set agents.defaults.model "\x3Cmodel>"
$OC config set agents.defaults.heartbeat.every "30m"
# Tool keys — only if they exist in current config
$OC config set tools.web.search.apiKey "\x3Ckey>"
Plugins (from plugins.installs in current config):
$OC plugins install \x3Cnpm-spec>
# Repeat for each plugin
Skills (copy workspace skills):
# Docker
docker cp \x3Csource-workspace>/skills/ \x3Ccontainer>:/home/node/.openclaw/workspace/skills/
# Bare metal
cp -r \x3Csource-workspace>/skills/ ~/.openclaw/workspace/skills/
Restart:
docker compose restart openclaw-gateway # Docker
openclaw gateway restart # bare metal
6. Hand Off
Read the gateway token:
grep -A1 '"token"' $OPENCLAW_CONFIG_DIR/openclaw.json
Tell the user:
- URL:
http://\x3Chost>:\x3Cport>/ - Token: (from config — onboard auto-generates one)
- "Say hello — it'll bootstrap itself."
Notes
openclawnot in PATH inside Docker. Usenode /app/openclaw.mjs.--accept-riskrequired for non-interactive onboard.alpine/openclaw:latest— pre-built official image.- Don't use named Docker volumes — root ownership issues. Official compose uses bind mounts.
- Multiple agents on same host: use different
OPENCLAW_CONFIG_DIRandOPENCLAW_GATEWAY_PORT. - Plugins and skills persist in
~/.openclaw/volume (extensions/ and workspace/skills/). - SSH keys, git config, apt packages are ephemeral — not in the volume, by design.
安全使用建议
This skill will, by design, read your OpenClaw config and environment and copy API keys, tokens, plugins, and skills into a new agent — and it explicitly instructs a 'silent' scan and to 'carry everything over' without asking about keys. Before installing or running it: (1) verify the skill's provenance and the openclaw.openclaw repository / openclaw.ai install script you will be fetching; (2) do NOT allow or permit silent reading of your environment — require explicit consent and show which keys will be copied; (3) prefer creating and using limited-scope API keys for the new agent and rotate keys afterward; (4) avoid running curl | bash from an unverified domain — download and inspect install scripts first; (5) run the process in an isolated host or VM if you must test; (6) consider manual migration of secrets rather than automating a silent copy. If you install this skill, require it to present the exact list of keys and files it intends to read/copy and obtain explicit user confirmation for each before proceeding.
功能分析
Type: OpenClaw Skill
Name: agent-spawner
Version: 0.1.0
The skill is designed to spawn a new OpenClaw agent and transfer configuration, including API keys. The primary concern is the command `env | grep -iE 'API_KEY|TOKEN'` in `SKILL.md`. This command is overly broad and instructs the agent to read all environment variables matching 'API_KEY' or 'TOKEN', potentially exposing sensitive credentials unrelated to OpenClaw that might be present in the agent's execution environment. While the stated purpose appears to be transferring relevant OpenClaw keys, this implementation constitutes a significant data exposure vulnerability due to its lack of scope. Additionally, the use of `curl -fsSL https://openclaw.ai/install.sh | bash` for bare metal installation, while common for official installers, introduces a supply chain risk.
能力评估
Purpose & Capability
The name/description (spawn a new OpenClaw agent and carry over keys/plugins/skills) align with the actions described in SKILL.md: reading the current OpenClaw config and environment, cloning the repo, and bootstrapping a new agent. Carrying over provider, model, tools, plugins and skills is coherent with the stated purpose. However, carrying secrets (API keys, gateway token) is a sensitive operation and should be made explicit to the user rather than done 'silent'.
Instruction Scope
The instructions explicitly tell the agent to run commands that read local config and secrets (cat ~/.openclaw/openclaw.json, cat ~/.openclaw/.env, env | grep -iE 'API_KEY|TOKEN', ls <workspace>/skills/), then copy keys and tokens into the new agent without asking about keys ('Don't ask about keys... Carry everything over'). Step 1 is labeled 'silent', which means secrets may be accessed without user-visible consent. The skill also instructs extracting the gateway token from the new agent's config and reporting it to the user. This broad, silent access to environment variables and files is out-of-band for typical conversational skills and expands the attack surface.
Install Mechanism
The skill is instruction-only (no install spec), which limits static risk, but the runtime instructions include execution of remote-install commands: git clone https://github.com/openclaw/openclaw.git and curl -fsSL https://openclaw.ai/install.sh | bash. curl|bash is high-risk unless the URL and script provenance are verified; the skill provides no homepage or verifiable owner information. Using these commands (and later npm plugin installs) will fetch and execute remote code during deployment.
Credentials
Although copying provider API keys and tool/plugin keys is relevant to migrating an agent, the skill requests no declared environment variables but instructs the agent to scan all environment variables for any API_KEY/TOKEN values and to read config files that may contain secrets. This implicit, broad secret collection (including grepping the entire environment) is disproportionate without explicit, granular user consent or restriction to only the minimal keys required for the new agent.
Persistence & Privilege
The skill does not request 'always: true' and is not persistent itself, but its workflow instructs duplicating secrets, plugins, and skills into a newly created agent. Duplicating credentials and installing plugins increases the blast radius and creates a persistent agent instance that holds the same privileges as the original. The SKILL.md also suggests installing npm plugins and running containerized services, which can introduce ongoing privileges on the host and network.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install agent-spawner - 安装完成后,直接呼叫该 Skill 的名称或使用
/agent-spawner触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release: enables conversational deployment of new OpenClaw agents with minimal user input.
- Gathers current agent's provider, API keys, plugins, and workspace skills automatically.
- Asks user only for deployment target, agent name, and optional purpose.
- Shows detailed deployment plan and waits for user confirmation.
- Supports both Docker (local or remote) and bare metal installations.
- Migrates relevant configs, tool keys, plugins, and custom skills to the new agent.
- Presents final access URL and token upon successful agent creation.
元数据
常见问题
Agent Spawner 是什么?
Spawn a new OpenClaw agent through conversation. Uses official Docker setup and non-interactive onboarding, carries over API keys, tools, plugins, and skills... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1030 次。
如何安装 Agent Spawner?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install agent-spawner」即可一键安装,无需额外配置。
Agent Spawner 是免费的吗?
是的,Agent Spawner 完全免费(开源免费),可自由下载、安装和使用。
Agent Spawner 支持哪些平台?
Agent Spawner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Agent Spawner?
由 AustinEral(@austineral)开发并维护,当前版本 v0.1.0。
推荐 Skills