clawpilot

install

source · Clone the upstream repo

git clone https://github.com/kcchien/clawpilot

Claude Code · Install into ~/.claude/skills/

git clone --depth=1 https://github.com/kcchien/clawpilot ~/.claude/skills/kcchien-clawpilot-clawpilot

manifest: SKILL.md

source content

OpenClaw Expert Skill

Auto-Update Check (Run First)

Before any other action, run the staleness check:

bash scripts/check_updates.sh

If
UP_TO_DATE
: Proceed normally.
If
STALE
: The skill references may be outdated. Before proceeding with the user's task:
1. Fetch the latest 3-5 releases from https://github.com/openclaw/openclaw/releases
2. Fetch https://docs.openclaw.ai/llms.txt for doc changes
3. Search web for recent OpenClaw CVEs or security advisories
4. Compare findings against the version in SKILL.md frontmatter and
```
references/security.md
```
5. Inform the user of any version gaps or new security issues found
6. If references were updated, run:
```
bash scripts/mark_updated.sh <latest-version>
```
7. If no updates needed, still mark as checked:
```
bash scripts/mark_updated.sh <current-version>
```

This check uses a

.last_update_check

marker file. The threshold is 7 days (configurable via first argument).

Security-First Principle

Every configuration action MUST pass a security review before recommending it.

For each setting change, evaluate:

Blast radius — If this setting is exploited, what can an attacker reach?
Credential exposure — Are secrets stored safely? Permissions correct?
Network surface — Is the gateway exposed beyond what's necessary?
Prompt injection risk — Can untrusted message content manipulate the agent?
Supply chain risk — Are installed skills/plugins from trusted sources?

When recommending configuration, always present the secure baseline first, then explain trade-offs of relaxing it.

Critical CVEs (Must Check)

CVE-2026-25253 (CVSS 8.8): Token exfiltration via Control UI — fixed in 2026.1.29
CVE-2026-24763: Command injection — fixed in 2026.1.29
CVE-2026-25157: Command injection (chainable with 25253) — fixed in 2026.1.29
2026.2.12: Mass security patch (40+ vulnerabilities) — path traversals, SSRF, privilege escalation
2026.2.15+: SHA-256 sandbox hashing, plugin discovery hardening, ACP session DoS fixes
2026.2.17+: SSRF ISATAP protection, iMessage SSH host-key enforcement, control-plane RPC rate limiting
2026.2.19: Browser relay auth hardening (
```
/extension
```
+
```
/cdp
```
require gateway-token)

Always verify user's version is >= 2026.2.19 before any other advice.

Quick Reference

Task	Command
Install	`npm install -g openclaw@latest`
Onboard	`openclaw onboard --install-daemon`
Start gateway	`openclaw gateway --port 18789`
Login channel	`openclaw channels login`
Health check	`openclaw health`
Security audit	`openclaw security audit --deep`
Skill safety scan	`openclaw skills scan <path>`
Diagnostics	`openclaw doctor`
Update	`openclaw update`
View logs	`openclaw logs`
Status (redacted)	`openclaw status --all`
Agent management	`openclaw agents list`
iOS/macOS node	`openclaw nodes`
Device management	`openclaw devices remove/clear`
Cron (staggered)	`openclaw cron add --stagger/--exact`
Spawn subagent	`/subagents spawn`
Shell completion	`openclaw completion`

Run

openclaw --help

for full command list.

Documentation Source

Use the reference files bundled in this skill as the primary source. They cover the core config schema, security hardening (including CVEs, OWASP mapping, NIST alignment), cloud deployment, and multi-agent routing.

Fetch from https://docs.openclaw.ai/ only when:

The bundled references do not cover a feature the user asks about
Version-specific behavior requires the latest docs
A command or config key is absent from the bundled references

Full docs index: https://docs.openclaw.ai/llms.txt

Core Architecture

Chat Apps --> Gateway (single process) --> AI Agent(s)
             |                              |
             +- Session manager             +- Workspace (SOUL.md, AGENTS.md, MEMORY.md)
             +- Channel routing             +- Auth profiles
             +- Tool policies               +- Memory (daily logs + vector search)
             +- Sandbox (Docker)            +- Sessions
             +- Cron scheduler              +- Skills
             +- Safety scanner              +- Subagents
             +- Agent mgmt RPC             +- iOS/macOS nodes

Gateway: Single source of truth for sessions, routing, channel connections. Binds to
```
127.0.0.1:18789
```
by default.
Agents: Isolated entities with own workspace, state dir, auth profiles, session store. Manageable via RPC (
```
agents.create
```
,
```
agents.update
```
,
```
agents.delete
```
).
Channels: Plugin-based — WhatsApp, Telegram, Discord, Slack, iMessage, Signal, LINE, Matrix, Teams, Google Chat, Mattermost, BlueBubbles, Feishu, Zalo.
Config:
```
~/.openclaw/openclaw.json
```
(JSON5 format).
```
OPENCLAW_HOME
```
env var overrides home directory for path resolution.
Nodes: iOS alpha + macOS nodes for remote code execution via pairing.
iOS: Watch Companion (inbox UI, notification relay), Share Extension (forward content to gateway), APNs push notifications (v2026.2.19+).

Secure Baseline

Always start from the secure baseline and relax only with justification. Key defaults:

bind: "loopback"

dmPolicy: "pairing"

sandbox: { mode: "non-main" }

redactSensitive: "tools"

Breaking Changes (v2026.2.10–2026.2.19)

Gateway HTTP APIs blocked for WebChat clients (
```
sessions.patch
```
,
```
sessions.delete
```
)
Browser relay now requires gateway-token auth on both
```
/extension
```
and
```
/cdp
```
endpoints
Subagent task messages now prefixed with source context
Cron stagger defaults applied to recurring top-of-hour schedules

Full baseline template and memory system config: see Configuration Reference and Security Hardening.

Common Workflows

Initial Setup

```
npm install -g openclaw@latest
```
```
openclaw onboard --install-daemon
```
```
openclaw channels login
```
(select channel)
```
openclaw gateway --port 18789
```
Run
openclaw security audit --deep
— fix any findings
Run
openclaw skills scan
— verify installed skills are safe
Verify:
```
openclaw health
```
and open
```
http://127.0.0.1:18789/
```

Add a Channel

```
openclaw channels login
```
-> select channel
Configure allowlists in
```
openclaw.json
```
(never use
```
"*"
```
for production)
Set
```
dmPolicy: "pairing"
```
or
```
"allowlist"
```
For groups:
```
requireMention: true
```
Security review: Verify allowlist, check tool access for that channel

Remote Access (Secure)

Preferred: Tailscale Serve — keeps loopback bind, no public exposure. Alternative: SSH tunnel —

ssh -N -L 18789:127.0.0.1:18789 user@host

Never: Bind to

0.0.0.0

without auth token + firewall.

Troubleshooting

```
openclaw doctor
```
— config validation
```
openclaw health
```
— gateway status
```
openclaw logs
```
— recent logs
```
openclaw status --all
```
— full state (secrets redacted)
```
openclaw memory search "topic"
```
— search agent memory
```
openclaw sessions list
```
— view active sessions
Check
```
/tmp/openclaw/openclaw-YYYY-MM-DD.log
```

Discover & Install Skills

When user asks about extending OpenClaw with new skills or asks "what skills are available":

Official registry: https://clawhub.com
Community curated list (1,715+ skills, 31 categories): https://github.com/VoltAgent/awesome-openclaw-skills
Install via CLI:
```
npx clawhub@latest install <skill-slug>
```
Manual install: copy skill folder to
```
~/.openclaw/skills/
```
(global) or
```
<project>/skills/
```
(workspace)

Security: Third-party skills execute as trusted code. Hundreds of malicious skills were discovered on ClawHub in early 2026. Always:

Run
```
openclaw skills scan <skill-path>
```
before installing (v2026.2.6+)
Review source code, especially skills using
```
exec
```
,
```
browser
```
, or
```
web_fetch
```
tools
Pin versions and avoid auto-updating untrusted skills

For skills config schema (load order, per-skill env/apiKey, hot reload), see Configuration Reference. For skill ecosystem URLs (ClawHub registry, community lists), see Security Hardening — Skill Supply Chain.

Local Inspection Scripts

Prefer native CLI when available:
openclaw security audit --deep
,
openclaw doctor
,
openclaw config get
provide authoritative results. Use the scripts below only for deeper heuristic checks or when the CLI is unavailable.

Run these scripts against the local OpenClaw installation. All accept

--state-dir PATH

to override

~/.openclaw

. Scripts use heuristic grep-based parsing of JSON5 config — results are best-effort.

Full Security Audit

bash scripts/security_audit.sh [--state-dir ~/.openclaw]

Check: version/CVE status, file permissions, hardcoded credentials, network binding, DM policies, sandbox config, tool policies, log redaction, plugins, skill supply chain (exfiltration/reverse shell/obfuscation patterns), Control UI security (CVE-2026-25253), reverse proxy config (CVE-2026-24763), gateway process exposure, synced folder detection, session secret scanning. Maps to OWASP Agentic Top 10 and NIST CSF. Return CRITICAL/WARNING/PASS summary.

Configuration Inspector

bash scripts/config_inspector.sh [--section gateway|channels|agents|tools|sessions|logging|all]

Parse

openclaw.json

and report security-relevant settings per section with colored recommendations.

Prompt & System Instruction Checker

bash scripts/prompt_checker.sh [--workspace PATH]

Scan AGENTS.md, SOUL.md, USER.md, CLAUDE.md, and other bootstrap files for: missing security guardrails, overly permissive instructions, hardcoded secrets, infrastructure exposure, prompt injection vulnerabilities, and missing identity boundaries.

Session Transcript Scanner

bash scripts/session_scanner.sh [--agent AGENT_ID] [--max-files 20] [--deep]

Scan

.jsonl

session files for leaked credentials (AWS keys, GitHub PATs, API keys, private keys, bot tokens, Google API keys). With

--deep

: also check for IP addresses, base64 blobs, file paths, and old files.

Example Output

security_audit.sh (abbreviated):

============================================
  1. Version & Known Vulnerabilities
============================================
[PASS]     Version 2026.2.19 includes CVE-2026-25253/24763/25157 patches
[PASS]     Version includes skill/plugin safety scanner (v2026.2.6+)
...
============================================
  Audit Summary
============================================
  0 CRITICAL
  2 Warnings
  3 Informational
  8 Passed

config_inspector.sh (abbreviated):

=== Gateway Configuration ===
  Mode:      local (default)
  Bind:      loopback (default)
  Port:      18789 (default)
  ✓ Loopback bind (secure default)

session_scanner.sh (abbreviated):

Found 5 session file(s) to scan (max: 20)
--- agents/main/sessions/2026-02-10.jsonl (1.2M) ---
[CRITICAL]   AWS Access Key: 1 match(es)
=== Summary ===
  1 file(s) contain potential secrets (1 total matches)

Script Prerequisites & Error Handling

All scripts require

bash

and standard Unix utilities (

grep

awk

wc

stat

). If a script fails:

~/.openclaw
not found: Pass
```
--state-dir PATH
```
to point to the actual OpenClaw home, or set
```
OPENCLAW_HOME
```
.
jq
not installed:
```
config_inspector.sh
```
uses heuristic grep-based parsing and does NOT require
```
jq
```
. Other scripts also avoid
```
jq
```
.
Permission denied: Scripts only read files — ensure the current user has read access to
```
~/.openclaw/
```
. Do not run as root.
No session files found:
```
session_scanner.sh
```
looks in
```
agents/*/sessions/*.jsonl
```
. If sessions are stored elsewhere, pass
```
--state-dir
```
.
Empty or missing
openclaw.json
: Scripts will report warnings for missing keys but will not crash. A missing config file is treated as "all defaults."

When to Run Scripts

User Request	Script
"Check my OpenClaw security"	`security_audit.sh`
"Is my config safe?"	`config_inspector.sh`
"Review my agent prompts"	`prompt_checker.sh`
"Are there leaked secrets?"	`session_scanner.sh --deep`
"Full security review"	Run all four in sequence
"Check for malicious skills"	`security_audit.sh` (section 9) + `openclaw skills scan`

Reference Files

Read these as needed based on the user's task:

Security Hardening — Known CVEs, OWASP Agentic Top 10 mapping, NIST CSF alignment, skill supply chain security, allowlists, sandbox, tool policies, credential management, audit checklist, incident response, prompt injection defense. Read this for ANY security-related question or before recommending config changes.
- Quick lookup:
```
grep -n "CVE\|sandbox\|dmPolicy\|tool.polic\|prompt.inject\|incident" references/security.md
```
Configuration Reference — All config keys, environment variables, channel setup (WhatsApp/Telegram/Discord/Slack/iMessage/Signal/BlueBubbles/etc.), session management, model providers, tools, logging, OPENCLAW_HOME.
- Quick lookup:
```
grep -n "whatsapp\|telegram\|discord\|slack\|imessage\|signal\|bind\|sandbox\|dmPolic\|session" references/configuration.md
```
Cloud Deployment — Docker, GCP, AWS Bedrock, Fly.io, Railway, Render, Hetzner, Northflank, Nix, Ansible, macOS VM. Network architecture, IAM, volumes, remote access via Tailscale/SSH.
Multi-Agent & Routing — Agent isolation, routing rules, per-agent sandbox/tools, bindings, session scoping, subagents, heartbeat, agent-to-agent communication.