Openclaw Remote Install

One-click remote OpenClaw deployment via SSH. Auto-detects OS and selects best method (Docker/Podman/npm). Use when: (1) Installing on VPS/cloud servers, (2)...

This skill appears to do what it says — remote SSH installation and configuration — but it uses several insecure practices you should weigh before running it on production systems: - Prefer SSH key-based authentication; avoid password-based usage with sshpass (passwords on command lines can leak via shell history and process lists). - The scripts disable SSH host key checking (StrictHostKeyChecking=no); enable host key verification in your environment to avoid MITM risks. - The installer may execute 'curl | sh' (get.docker.com) on the remote host and pulls a Docker image named openclawai/openclaw:latest — verify the image source and content before trusting it. - The Python script and installer print remote command output (including config contents) into local logs under ~/.openclaw/remote-install-logs; that output may contain secrets or API keys. If you must use this tool, ensure logs are stored securely, or clear/rotate secrets after use. - Use the '--secret-mode ref' approach and set required API keys as environment variables on the remote host rather than passing them inline. If the tool forces inline secrets for some workflows, avoid those workflows. - Test on an isolated VM or staging host first. Review the Docker image and any remote install commands manually, and consider running the installer with increased verbosity and a dry-run to inspect what it would do. If you want a stronger assurance, ask the author for: (1) provenance of the Docker image (official repo or signed release), (2) a verified checksum or signed release for any install scripts, and (3) an option to keep host key checking enabled and to suppress logging of remote config contents. If those are provided, my confidence in safety would increase.

Type: OpenClaw Skill Name: openclaw-remote-install Version: 1.0.1 The bundle provides tools for remote installation and configuration of OpenClaw via SSH. It includes a bash script (install_openclaw_remote.sh) and a Python script (configure_openclaw_remote.py) that handle SSH credentials and execute remote commands, including 'curl | bash' installers from openclaw.ai. While these capabilities are aligned with the stated purpose of remote deployment, they involve high-risk patterns such as disabling SSH host key verification (StrictHostKeyChecking=no), using sshpass for password authentication, and handling sensitive API keys. No evidence of intentional malice or data exfiltration was found, but the broad remote execution capabilities and credential handling warrant a cautious classification.