PrivaClaw
Author: Jason Czarnecki · v1.0.4
Total downloads: 465
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install privaclaw
Description
Secure outbound-only relay for remote OpenClaw control — no exposed ports, no SSH, no Telegram.
Security usage recommendations
Before installing: (1) Treat the relay operator as highly trusted — this skill transmits prompt content and streamed tokens to that remote relay. Verify the relay URL (prefer an operator you control or audited code). (2) Enforce TLS: provide a wss:// URL; note the code will accept ws:// if you give an http:// URL, and the token is sent in a post-open message (not as a WebSocket subprotocol/header). (3) Use a scoped, revocable AUTH_TOKEN and limit its lifetime/permissions on the relay side. (4) Review the shipped TypeScript (relayClient.ts, config.ts) to confirm behavior matches your expectations (especially restart and workflow semantics) and to ensure there are no hidden endpoints. (5) Run the skill in a controlled environment first (network egress rules, minimal privileges) and consider self-hosting the relay if you need stronger guarantees about persistence and data handling. If you want higher assurance, ask the maintainer for the relay server code or run your own relay implementation.
Functional analysis
Type: OpenClaw Skill
Name: privaclaw
Version: 1.0.4
This skill is classified as suspicious due to its inherent high-risk capabilities, despite being transparently documented. It establishes an outbound WebSocket connection to a remote relay server (`relay_url` from config.ts/SKILL.md) and transmits sensitive data, including an `auth_token` and prompt content/responses, as implemented in `relayClient.ts`. The skill enables remote execution of commands such as `prompt`, `workflow`, and `restart` on the local OpenClaw instance via the `OpenClawRuntime` interface. While the skill's code itself does not exhibit direct malicious intent (e.g., arbitrary file exfiltration, direct shell execution), the remote execution capabilities present a significant attack surface if the relay server is compromised or if the `OpenClawRuntime` implementation is vulnerable to injection, making it a powerful tool that requires a high degree of trust in the relay operator, as explicitly stated in SKILL.md.
Capability assessment
Purpose & Capability
The skill's name/description line up with the code: it opens an outbound WebSocket, authenticates with a token, sends heartbeats, and forwards relay commands to the host runtime. The three required env vars (relay URL, node id, auth token) are proportional to the purpose. Minor mismatch: SKILL.md was presented as an instruction-only skill in registry metadata, but the package actually includes TypeScript source files (relayClient.ts, config.ts, etc.), so it's not purely instruction-only.
Instruction Scope
SKILL.md claims the token is sent 'during the WebSocket handshake' and that all connections use TLS; the implementation actually sends the token as a post-open message and validateConfig will happily convert an http:// URL to ws:// (non-TLS). The skill also relies on the host-provided OpenClawRuntime API to execute prompts, workflows, and restart the process — this grants remote callers the ability to run declared workflows and restart the runtime, which is expected but requires you to trust the relay operator and to ensure workflows are properly scoped. The SKILL.md also asserts the relay does not persist data — that is a policy claim by the relay operator, not something enforced locally.
Install Mechanism
There is no install script or external download; the package provides TypeScript source and tests. That keeps install risk low (no arbitrary third-party binaries), but because code ships with the skill, it will run inside your agent's environment. Review the code before enabling.
Credentials
Only three env vars are required (RELAY_URL, NODE_ID, AUTH_TOKEN) and AUTH_TOKEN is declared as the primary credential — this is proportional. Small inconsistencies: code expects lowercase keys in the config object (relay_url/node_id/auth_token) while SKILL.md and registry list uppercase env var names; your platform likely maps them, but confirm. No other credentials or paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide configuration changes. It can be invoked autonomously by the agent (default) which is normal for skills. It does not persist credentials or write to other skills' configs in the provided code.
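How to use
- Make sure OpenClaw is installed (locally or via Docker).
- Enter the install command in the chat box: `/install privaclaw`
- Once installation finishes, call the Skill by name or use `/privaclaw` to trigger it.
- Provide the required inputs according to the Skill's parameter description to get structured output.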
Version history
v1.0.4
- Renamed skill from remote-relay to privaclaw and updated all references accordingly.
- Updated homepage URL to https://github.com/openclaw/privaclaw.
- Changed default relay endpoint in the Trust Statement from wss://privaclaw.fly.dev to wss://relay.privaclaw.com.
- Adjusted setup instructions and dashboard links to use the new skill name.
- No changes to files or core functionality; documentation and branding updated only.
v1.0.3
- Renamed the skill from "PrivateBridge" to "PrivaClaw"
- Updated trust statement with the new default relay: `wss://privaclaw.fly.dev`
- All references to the skill now use "PrivaClaw"
- No functional or file changes; documentation only
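FAQ
What is PrivaClaw?
Secure outbound-only relay for remote OpenClaw control — no exposed ports, no SSH, no Telegram. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 465 total downloads to date.
How do I install PrivaClaw?
Run the command `/install privaclaw` in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is PrivaClaw free?
Yes, PrivaClaw is completely free (open source and free) and can be freely downloaded, installed and used.
Which platforms does PrivaClaw support?
PrivaClaw is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed PrivaClaw?
It is developed and maintained by Jason Czarnecki (@jason-czar); the current version is v1.0.4.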