← 返回 Skills 市场
maverick-software

OpenClaw VPS Deploy

作者 maverick-software · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
401
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install openclaw-vps-deploy
功能描述
Deploy a custom OpenClaw repo (official or forked) to a Hostinger VPS and make it accessible via the cloud. Use when setting up a new OpenClaw instance on a...
安全使用建议
Plain-language considerations before installing or running this skill: - This skill will ask you to provide an SSH private key and will run as root on the remote VPS (apt installs, curl|bash, write systemd services, open firewall ports). Only run it against servers you control and trust. - The SKILL.md and deploy.py expect ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY) but the package metadata does not declare these requirements — assume you must supply these keys. Check where the keys are stored: the script reads ~/.openclaw/secrets.json if present. Confirm you are comfortable with that file being read. - The deploy script may write tokens/config files both on the remote machine and (per the docs) to a local vault; locate and inspect any local secrets file the script creates. If you do not want secrets stored locally, inspect/modify the script before running. - The script will clone and build arbitrary git repos you pass; only deploy code from repositories you trust. A malicious fork would execute code on the VPS as root. - The script runs 'curl https://deb.nodesource.com/setup_22.x | bash' on the remote host. This is a convenience but carries the usual security trade-offs of piping remote scripts into shell. Prefer to review the script or use a curated package source. - Because part of deploy.py was truncated in the provided bundle, review the full file before use to ensure there are no extra operations (e.g., transmitting secrets off-host) in the omitted portion. Recommended safe steps: inspect full deploy.py locally, test on an isolated/staging VPS first, back up any keys or configs, and only supply API keys and SSH keys after you confirm exactly where they will be written and stored.
功能分析
Type: OpenClaw Skill Name: openclaw-vps-deploy Version: 1.1.0 The `scripts/deploy.py` file contains a shell injection vulnerability. The `--repo` argument, which can be controlled by the user, is directly interpolated into remote commands like `npm install -g {repo}` and `git clone {repo}` without robust sanitization. This could allow an attacker to execute arbitrary commands on the target VPS if they can control the `--repo` input. While the script's overall purpose is legitimate deployment, this significant flaw makes it suspicious due to the potential for remote code execution.
能力评估
Purpose & Capability
The skill's purpose (deploy OpenClaw to Hostinger VPS) matches the shipped code: the script connects via SSH, installs Node, installs/builds OpenClaw, writes config, configures systemd and UFW. However, the registry metadata declares no required environment variables or primary credential while both the SKILL.md and the script clearly rely on ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY). That omission is an incoherence: anyone deploying OpenClaw will legitimately need an API key, so the skill should declare that upfront.
Instruction Scope
Runtime instructions and the script read local secrets (~/.openclaw/secrets.json) and environment variables, generate and place an auth token, and run many privileged remote commands as root (apt installs, curl | bash, writing /etc/systemd/system, enabling services, opening firewall ports). Reading a local vault and writing tokens locally (SKILL.md claims saving token to local vault) is outside a minimal deployer's needs unless clearly documented and consented to; the SKILL.md and code are not fully consistent about what is saved locally vs remotely. The script also executes unverified upstream actions (npm install -g, git clone of arbitrary repos) which will be executed on the remote host.
Install Mechanism
There is no install spec for the skill itself (no code installed locally by the platform) — low platform install risk. The script will pip-install paramiko locally if missing and use apt/curl on the remote host, including running the NodeSource setup script via curl | bash and npm/pnpm operations. These are typical for remote provisioning, but curl | bash and cloning arbitrary git repos are higher-risk operations on the target VPS and should be run only against trusted sources.
Credentials
The skill did not declare required environment variables in registry metadata, yet both documentation and the script require an ANTHROPIC_API_KEY (and optionally OPENAI_API_KEY). The script will read keys from environment or from a local vault (~/.openclaw/secrets.json). Reading the user's local secrets file is a significant sensitive action and is not reflected in the skill's declared requirements — this mismatch increases the risk of accidental exposure or misuse of credentials.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or platform configuration. It creates and enables a systemd service on the remote VPS (expected for a deploy tool) and opens firewall ports — those are privileged remote actions but coherent with the deploy purpose. Autonomous invocation is allowed by default but not by itself a red flag here.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install openclaw-vps-deploy
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /openclaw-vps-deploy 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
Added multi-agent VPS reference — port allocation, per-agent systemd services, provisioning script, resource planning table, and Cloudflare tunnel integration guide.
v1.0.0
Initial release — deploy OpenClaw (official or custom fork) to Hostinger VPS via SSH. Includes paramiko deploy script, systemd service setup, UFW firewall, auth token generation, and 10 documented gotchas from real deployments.
元数据
Slug openclaw-vps-deploy
版本 1.1.0
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

OpenClaw VPS Deploy 是什么?

Deploy a custom OpenClaw repo (official or forked) to a Hostinger VPS and make it accessible via the cloud. Use when setting up a new OpenClaw instance on a... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 401 次。

如何安装 OpenClaw VPS Deploy?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-vps-deploy」即可一键安装,无需额外配置。

OpenClaw VPS Deploy 是免费的吗?

是的,OpenClaw VPS Deploy 完全免费(开源免费),可自由下载、安装和使用。

OpenClaw VPS Deploy 支持哪些平台?

OpenClaw VPS Deploy 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 OpenClaw VPS Deploy?

由 maverick-software(@maverick-software)开发并维护,当前版本 v1.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论