功能描述

Install and activate @bowong/clawshow-gateway in OpenClaw, then migrate existing Gateway channel configuration to ClawShow with rollback safety. Use when a u...

使用说明 (SKILL.md)

Clawshow Gateway Connect

Name: ClawShow-Gateway-Connect
Author: yudi-xiao

Execute a safe, minimal install-and-migrate flow from current OpenClaw settings to ClawShowGateway without breaking unrelated configuration.

Runtime Inputs

Required: authToken
Optional: relayUrl (default wss://clawshow-api.bowong.cc)
If authToken is missing, ask once and stop before editing.

Workflow

Install ws dependency

Run npm i ws in the project root before proceeding.
Confirm installation succeeds before continuing.

Identify current config source

Search only OpenClaw gateway config files (*.json, *.yaml, *.yml) in the active project path.
Do not read .env, secrets files, deployment manifests, or unrelated workspace files.
Prefer editing the project-tracked config over user-global config when both exist.
If multiple candidate files exist, pick the file currently used by the running Gateway process.

Create rollback copy before edits

Save a sibling backup copy of the target config file with timestamp suffix (for example .bak.20260313-1405).
Never delete the backup in the same task.

Check OpenClaw version gate (before plugin install)

Query current OpenClaw version using the supported command only:
- openclaw version
Compare against 2026.3.2 using OpenClaw's version ordering.
If current version is earlier than 2026.3.2, upgrade OpenClaw using openclaw update first, then re-run:
- openclaw version
Continue only after version check/upgrade is complete.

Install plugin/package

Install using OpenClaw plugin manager only:
- openclaw plugins install @bowong/clawshow-gateway
Verify installation:
- openclaw plugins list
Confirm package id is exactly @bowong/clawshow-gateway.
If already installed, do not reinstall unless version repair is needed.

Migrate channel config to ClawShow

Ensure package id references @bowong/clawshow-gateway where plugin/package declarations are required.
Ensure channel section exists under channels.clawshow.
Set:
- channels.clawshow.enabled: true (required)
- channels.clawshow.relayUrl: "wss://clawshow-api.bowong.cc" (optional)
- channels.clawshow.authToken: "\x3Creal token>" (required)
- channels.clawshow.name: "ClawShow Gateway" (required)
- channels.clawshow.dmPolicy: "open" (required)
- channels.clawshow.allowFrom: ["*"] (required)
Preserve unrelated channels, plugins, and runtime options unchanged.

Remove conflicting legacy routing only when necessary

If older channel config routes the same outbound traffic target, disable only the overlapping route.
Do not remove entire legacy channel blocks unless user explicitly asks.

Validate config shape

Confirm JSON/YAML syntax after edit.
Confirm required keys exist for ClawShow (authToken at minimum).
Confirm package/plugin id and channel id are consistent (clawshow).
Confirm enabled, relayUrl, authToken, name, dmPolicy, and allowFrom are directly under channels.clawshow (no default layer).

Apply config (Config RPC only)

Follow Config RPC (programmatic updates) exactly, using config.apply (full replace).
Do not use direct file-edit-only activation, config.patch, or manual restart as the primary path.
Execute:
- openclaw gateway call config.get --params '{}'
- Capture payload.hash as baseHash.
- Build the full post-migration config as one JSON5 string in raw.
- openclaw gateway call config.apply --params '{ "raw": "\x3Cfull-json5-config>", "baseHash": "\x3Chash>", "note": "migrate to @bowong/clawshow-gateway" }'
Respect control-plane rate limits for write RPCs (config.apply, config.patch, update.run): 3 requests per 60 seconds per deviceId+clientIp.
If apply fails due to stale hash/conflict, call config.get again, rebase on newest config, and retry once.

Verify runtime behavior

Do not force a manual restart here; config.apply already validates, writes, and restarts in one step.
Run status/probe command if available.
Do not send outbound test messages by default.
Only send an external test message if the user explicitly asks for network verification.

Report outcome

Include the backup file path.
Include verification command results.
If verification is blocked, state the blocker and provide the exact next command.

Canonical Target Snippet

Use this structure when writing or repairing JSON config:

{
  "channels": {
    "clawshow": {
      "enabled": true,
      "relayUrl": "wss://clawshow-api.bowong.cc",
      "authToken": "YOUR_CLAWSHOW_AUTH_TOKEN",
      "name": "ClawShow Gateway",
      "dmPolicy": "open",
      "allowFrom": [
        "*"
      ]
    }
  }
}

Guardrails

Keep edits minimal and reversible.
Never invent secrets; leave placeholders for missing keys.
Never exfiltrate secrets from local files.
Never rewrite formatting style of the whole file.
Never remove unrelated keys to "clean up".

安全使用建议

This skill appears to do what it says (install @bowong/clawshow-gateway and migrate OpenClaw channel config) and only requests the expected CLAWSHOW_AUTH_TOKEN. However, it instructs the agent to run `npm i ws` in the project root despite not declaring npm in its metadata — that will download and write third-party code into your workspace and may run package lifecycle scripts. Before installing/running this skill: (1) confirm why `ws` is needed and prefer running that step manually in a controlled environment or a disposable/staging workspace; (2) verify the source and trustworthiness of the `@bowong/clawshow-gateway` plugin separately; (3) ensure you keep and test the backup produced by the skill (it instructs to create one) and consider running the migration on a staging device first; (4) be aware `config.apply` performs a full-replace — review the generated JSON5 thoroughly before applying. If the author can justify the npm step, or the skill is updated to declare npm as a required binary and explain the dependency, the concerns would be reduced.

功能分析

Type: OpenClaw Skill Name: clawshow-gateway-connect Version: 1.0.4 The skill automates the installation of a third-party plugin (@bowong/clawshow-gateway) and configures a connection to an external relay (wss://clawshow-api.bowong.cc). While SKILL.md includes explicit safety guardrails—such as prohibiting the reading of .env files and requiring backups—it performs high-risk actions including software installation (npm and openclaw plugins) and the configuration of broad access policies (allowFrom: ['*']). The automated setup of remote access via an external service without clear provenance of the provider makes this bundle suspicious.

能力评估

ℹ Purpose & Capability

The name/description, declared primary credential (CLAWSHOW_AUTH_TOKEN), and required binary (openclaw) align with a plugin install + config migration task. However, the runtime instructions require running `npm i ws` (a Node package install) even though the skill metadata does not declare npm or any Node-related dependency; this is unexpected given the stated purpose and should be justified.

ℹ Instruction Scope

Instructions are detailed and mostly scoped to the OpenClaw project config and OpenClaw RPCs (version check, plugin install, config.get/config.apply). Guardrails explicitly ban reading .env/secrets and discourage outbound test traffic. Two scope issues: (1) the step to install `ws` modifies the local project root (writes to disk) which is outside purely invoking OpenClaw, and (2) selecting 'the file currently used by the running Gateway process' requires the agent to inspect process state to choose the correct file — the mechanism for that is not specified and could lead to extra file reads.

⚠ Install Mechanism

This is an instruction-only skill with no install spec, which is low risk in itself, but it explicitly tells the agent to run `npm i ws` in the project root. That command downloads and writes third‑party code from the npm registry and can run lifecycle scripts; the metadata does not declare npm as a required binary or justify why the package is needed. The lack of an install spec plus an ad-hoc dependency install is disproportionate and increases risk.

✓ Credentials

Only the CLAWSHOW_AUTH_TOKEN is declared as the primary credential and the SKILL.md asks for an authToken input consistent with that. The instructions explicitly forbid reading secret files or exfiltrating secrets. No unrelated credentials or config paths are requested.

✓ Persistence & Privilege

Skill is not always-enabled and does not request system-wide persistence. It does instruct the agent to apply a full-replace config via `config.apply`, which is powerful but consistent with the migration purpose. No modifications to other skills' configurations or permanent privileges are requested.

版本历史

v1.0.4

- Added new prerequisite step to install the `ws` dependency via `npm i ws` in the project root prior to running migration. - Introduced a version check: now requires OpenClaw version `2026.3.2` or newer, with instructions to upgrade if needed. - All subsequent steps and guardrails remain unchanged, except for updated step numbers. - No file changes apart from `SKILL.md`.

v1.0.3

- Updated configuration migration and validation to flatten the ClawShow channel structure (removed `default` layer; all keys now under `channels.clawshow`). - Adjusted target config snippets and migration requirements to match the new flat structure. - Clarified steps to confirm config shape: required keys must be directly under `channels.clawshow`. - All core workflow and guardrail logic remain unchanged.

v1.0.2

- Updated environment variable requirement from CLAWSHOW_API_KEY to CLAWSHOW_AUTH_TOKEN. - Changed required input from apiKey to authToken; updated config structure for new keys and layout. - Default endpoint changed from https://clawshow.bowong.cc to relayUrl: wss://clawshow-api.bowong.cc. - Channel configuration changed: now uses channels.clawshow.default with enabled, relayUrl, authToken, name, dmPolicy, and allowFrom fields. - Canonical JSON snippet and migration steps updated to match new config structure and requirements.

v1.0.1

- Refined config file selection to search only OpenClaw gateway config files (no .env, secrets, or deployment manifests). - Changed plugin installation to use only the OpenClaw plugin manager (`openclaw plugins install @bowong/clawshow-gateway`), with explicit post-install verification. - Clarified that outbound test messages are not sent by default—verification runs only when requested. - Added guardrail: never exfiltrate secrets from local files. - Updated the skill description and documentation for improved clarity and safety.

v1.0.0

- Initial release of clawshow-gateway-connect. - Automates safe installation and activation of @bowong/clawshow-gateway in OpenClaw. - Migrates existing Gateway channel configuration to ClawShow with rollback safety (timestamped backup). - Applies config using Config RPC full-replace, with built-in validation and conflict resolution. - Preserves unrelated configuration; only disables legacy routing if necessary. - Provides clear outcome reporting, including backup file path and verification steps.

元数据

Slug clawshow-gateway-connect

版本 1.0.4

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 5

常见问题