← 返回 Skills 市场
martin2877

Tophant Clawvault Installer

作者 Ali0th · GitHub ↗ · v0.2.9 · MIT-0
cross-platform ✓ 安全检测通过
161
总下载
0
收藏
0
当前安装
10
版本数
在 OpenClaw 中安装
/install tophant-clawvault-installer
功能描述
Install, configure, test, and uninstall ClawVault AI security proxy
安全使用建议
This installer is internally coherent for its stated purpose (a local MITM inspection proxy) but that purpose itself is high-risk and should be intentionally chosen. Before installing: - Read SECURITY.md fully and confirm a MITM proxy fits your threat model — ClawVault will see API requests/responses (including API keys) and stores audit logs locally. - If you do not want the skill to modify OpenClaw integration, run install with --no-proxy and manually wire integration after review. Back up ~/.config/systemd/user/openclaw-gateway.service first. - Prefer installing in a disposable VM/container for initial evaluation. The script creates a venv but will run pip (PyPI or pinned GitHub) with no checksum/signature verification — inspect the pinned tag/commit referenced (v0.1.0) before trusting it in production. - Note default behavior disables TLS verification for proxied connections in order to inspect traffic; review and change that setting if it doesn't match your risk tolerance. - The dashboard binds to localhost by default and has no built-in authentication; use SSH tunneling or a reverse proxy with auth for remote access. - After installation, verify the installed package version and review files under ~/.clawvault-env/ and ~/.ClawVault/ (config, audit.db, logs). Use --no-start if you want to install without launching services. If you want a lower-privilege alternative, do not install this skill on production hosts or on machines storing high-value secrets; test first in an isolated environment.
能力标签
requires-sensitive-credentials
能力评估
Purpose & Capability
Name/description match the implementation: the script creates a venv (~/.clawvault-env), installs the clawvault package (PyPI with a pinned GitHub fallback), writes config under ~/.ClawVault, can start/stop services, run tests, generate rules, and optionally integrates OpenClaw proxy settings. There are no unrelated credentials or unrelated binaries requested.
Instruction Scope
SKILL.md and clawvault_manager.py instruct the agent to run only the bundled Python script and constrain file writes to predictable locations. However, the installer will modify an existing OpenClaw systemd unit (~/.config/systemd/user/openclaw-gateway.service) when present, set proxy-related environment lines, create a venv, download packages, and start background services. Those extra actions are documented but expand the runtime scope beyond merely 'installing a package' (it integrates into another agent runtime).
Install Mechanism
No install spec in registry, but the provided script performs pip installs inside a dedicated venv using a constrained PyPI spec and a pinned GitHub fallback (git+https). This is an expected install method for this purpose, but it carries standard supply-chain risks: no checksum/signature or dependency graph auditing is performed. The code does not download arbitrary archives from unknown personal URLs.
Credentials
The skill declares no required environment variables or credentials and does not request secrets. That is proportionate. Caveat: the installer will inject HTTP_PROXY/HTTPS_PROXY/NO_PROXY (and may set NODE_TLS_REJECT_UNAUTHORIZED or similar) into an existing openclaw systemd unit to route traffic through the proxy — this alters runtime environment for another component, which is a consequential but explained side-effect.
Persistence & Privilege
The skill creates persistent artifacts (venv, config, audit DB, logs) and can start persistent services. Importantly, it conditionally modifies the OpenClaw systemd user unit file to route agent traffic through ClawVault. Modifying another component's configuration is a privileged action and should be accepted explicitly by the operator (the skill offers --no-proxy to skip this). The skill is not force-enabled (always:false) and does not request global/always privileges, which mitigates some risk.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install tophant-clawvault-installer
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /tophant-clawvault-installer 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.9
Publish clean installer artifact with restored dedicated venv, no-start/no-proxy options, pinned package sources, and localhost dashboard defaults.
v0.2.8
Fix installer package metadata to include restored dedicated-venv installer implementation with no-start/no-proxy options.
v0.2.7
Restore dedicated-venv OpenClaw installer, keep pinned package sources, localhost dashboard defaults, and fail-fast config initialization.
v0.2.6
Sync latest installer fixes: pinned package sources, pinned GitHub fallback, localhost dashboard default, and explicit configuration failure handling.
v0.2.5
v0.2.5 — Install always from main branch; no tag fallback, no version pinning Simplifies the install flow: the skill now always runs `pip install git+https://github.com/tophant-ai/ClawVault.git` against the upstream main branch. No version tag, no fallback, no branching. Rationale: the repository is the authoritative source for the latest code. Git tags were causing intermittent install failures when a tag didn't exist upstream. Removing the tag logic makes the install a single-path operation that always pulls the current repo state. Changes: - clawvault_manager.py: removed the `@v{VERSION}` fallback; now a single pip install call. - SECURITY.md: updated "Design Intent", "Package Sources", and "Installation Process" to describe single-path main-branch install. No other behavior change.
v0.2.4
v0.2.4 — Install from main branch by default; tag is now fallback only Reverses the v0.2.2 install order. The new order matches the original intent: always pull the latest code from the upstream repository, with the version tag serving as a fallback when the main branch is unreachable. Rationale: - The @v{VERSION} git tag is not guaranteed to exist on the upstream repository before a given release is tagged. In that case, the tag-first order (v0.2.2/v0.2.3) caused install failures or unnecessary retries. - Main-first ensures users always receive current bug fixes and security patches. Tag fallback preserves reproducibility when the main fetch fails due to network issues or repository unavailability. Changes: - clawvault_manager.py: swapped the primary/fallback pip install URLs. - SECURITY.md: updated "Package Sources" and "Installation Process" sections to describe the new order and rationale. - SKILL.md and README.md: unchanged (they point to SECURITY.md for detail). No other behavior change.
v0.2.3
v0.2.3 — Shortened in-skill disclosure, moved detail to SECURITY.md This release trims the Capability Disclosure language in README.md and SKILL.md down to a single-line pointer, and relocates the full capability + threat-model content to SECURITY.md where it already lived. This mirrors the approach used in [email protected] and clears a stale moderation flag that the ClawHub scanner had carried over from earlier publishes. - SKILL.md: removed the verbose "What This Skill Does" enumeration and the duplicated "Security Considerations" section; both now point to SECURITY.md. - README.md: replaced the emoji-tagged capability banner with a one-line "Before Installing" pointer. - SECURITY.md: unchanged — still the authoritative location for the full capability surface, design intent, supply-chain notes, and operational guidance. No code changes.
v0.2.2
v0.2.2 — Supply-chain hardening (scan: concern → note) Addresses the "Install Mechanism" concern flagged by ClawHub security scanner. Changes: - Tag-pinned install by default: installer now runs `pip install git+https://[email protected]` first and only falls back to main branch if the tag is unavailable upstream. Previously it tracked main by default. (2-line change in clawvault_manager.py) - Updated SECURITY.md, SKILL.md, and README.md to reflect the new primary/fallback order so documentation matches code behavior. No behavior change in any other area. The venv, config layout, OpenClaw proxy integration, service ports, and capability surface are identical to v0.2.1.
v0.2.1
v0.2.1 — Documentation hardening (no code changes) Addresses capability-disclosure flags from the ClawHub security scanner. No behavior changes; only documentation is updated to accurately describe what the skill does. - Corrected SECURITY.md: installer installs exclusively from GitHub (git+https), not PyPI. Prior text incorrectly claimed PyPI was primary. - Added "Design Intent" table to SECURITY.md documenting why ssl_verify=false, dashboard no-auth default, and main-branch installs are intentional for a MITM AI-inspection proxy. - Added "Capability Disclosure" banner to README.md listing all high-risk capabilities up-front. - Added "What This Skill Does" section to SKILL.md explaining installer side effects, venv isolation, and the three predictable paths it touches (~/.clawvault-env/, ~/.ClawVault/, one optional systemd unit). - Clarified in documentation that --no-proxy skips the systemd modification and --no-start skips service launch. - Clarified the installation process flow: venv creation, pip from GitHub with @v0.2.0 tag fallback, config template copy, optional proxy integration, optional service start.
v0.2.0
First public release (v0.2.0) Features: - One-command install: creates isolated venv in ~/.clawvault-env, installs from GitHub, generates full ~/.ClawVault/config.yaml, integrates with OpenClaw gateway proxy, and starts services - Three install modes: quick (interactive guard), standard (strict), advanced (custom) - Opt-out flags --no-start and --no-proxy for CI/manual setups - Natural-language rule generation via /generate-rule with scenario templates (customer_service, development, production, finance) - Detection test suites for sensitive data, prompt injection, and dangerous commands - Complete uninstall workflow: stops services, removes systemd proxy integration, cleans venv and config Companion skill: tophant-clawvault-operator covers day-to-day operations after installation.
元数据
Slug tophant-clawvault-installer
版本 0.2.9
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 10
常见问题

Tophant Clawvault Installer 是什么?

Install, configure, test, and uninstall ClawVault AI security proxy. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 161 次。

如何安装 Tophant Clawvault Installer?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install tophant-clawvault-installer」即可一键安装,无需额外配置。

Tophant Clawvault Installer 是免费的吗?

是的,Tophant Clawvault Installer 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Tophant Clawvault Installer 支持哪些平台?

Tophant Clawvault Installer 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Tophant Clawvault Installer?

由 Ali0th(@martin2877)开发并维护,当前版本 v0.2.9。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 留言讨论