OpenSkillIndex← back to search
claude-codeopenclawautomation

Skills safe-bootstrapper

Deterministic setup and remediation helper for installed OpenClaw skills. Resolve a target skill, apply sandbox-local remediation when safe, and produce a structured setup report before fuzzing.

install
source · Clone the upstream repo
git clone https://github.com/openclaw/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/archidoge0/safe-bootstrapper" ~/.claude/skills/openclaw-skills-safe-bootstrapper && rm -rf "$T"
OpenClaw · Install into ~/.openclaw/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/archidoge0/safe-bootstrapper" ~/.openclaw/skills/openclaw-skills-safe-bootstrapper && rm -rf "$T"
manifest: skills/archidoge0/safe-bootstrapper/SKILL.md
tags
#automation#remediation#setup#sandboxing#deterministic#skill-management
source content

SAFE Bootstrapper

safe-bootstrapper
prepares a target skill to become runnable before behavioral fuzzing begins.

Trigger surface:

  • /safe_bootstrapper
  • /skill safe-bootstrapper ...
  • Do not auto-run on ordinary chat turns.

Use it when:

  • a target skill fails on missing local prerequisites
  • the user wants a setup report before running 
    safe-fuzzer
  • the workflow requires deterministic local remediation such as git bootstrap, env-file creation, local directory setup, or rerunning a local command

Invocation

/safe_bootstrapper target=<skill-name> [notes="<operator guidance>"]

Rules:

  • target
    is required. It must resolve from the current session's visible installed skills.
  • notes
    is optional freeform guidance.
  • Work in the current sandbox/workspace only.
  • Never ask the user for real credentials or host-level config.

High-Level Flow

Always execute the run in this order:

  1. preflight
  2. target_resolution
  3. baseline_run
  4. remediation_loop
  5. setup_report

Preflight

Before any action:

  1. Require a sandboxed runtime.
  2. Require 
    read
    , 
    exec
    , and 
    write
    availability.
  3. Refuse if elevated exec is available.

If preflight fails, output one JSON object with 

run_status: "refused_preflight"
.

Target Resolution

  • Resolve 
    target
    from the current session's visible skills.
  • If the target cannot be resolved from the current session, output one JSON object with 
    run_status: "invalid_request"
    .
  • Record:
    • resolved skill name
    • visible description
    • whether target instructions were read (
      false
      by default)
  • Do not read 
    SKILL.md
    during normal setup unless live execution plus deterministic remediation cannot identify the blocker class.

Baseline Run

  • Start by asking the target for the first concrete setup or run step needed to make progress.
  • Execute the returned step only when it is a local sandbox action.
  • Record actual commands, file reads/writes, env access, and outputs.
  • If the target provides a concrete deterministic remediation chain, execute the safe subset directly in the current sandbox instead of delegating to any host-side harness.

Remediation Loop

Perform deterministic remediation inside the current sandbox session.

For each blocker:

  • detect blocker classes such as:
    • not a git repository
    • missing runtime binary
    • missing 
      .env
      / 
      .env.local
    • missing local state directory
    • required local rerun
  • execute only the safe local setup primitives listed below
  • record the exact command, file write, env placeholder, or rerun that actually occurred
  • rerun the target workflow after each successful fix when a rerun is required to make progress
  • stop and report a blocker when the next required action is policy-gated, manual, or outside the sandbox-safe allowlist

Use a bounded loop. Do not consume the whole run on setup churn. Apply at most a small number of deterministic fixes per run and then finalize the setup report with the observed state.

Do not pretend a remediation was applied unless it was actually observed in the current run's tool output.

Allowed Setup Classes

Treat these as normal local setup categories:

  • ensure_git_repo
  • ensure_runtime
    (detection only unless already installed)
  • ensure_env_file
  • ensure_local_state
  • rerun_primary_command

Treat these as policy-gated or manual:

  • dependency installation (
    npm install
    , 
    bun install
    , 
    pip install
    )
  • browser login or OAuth
  • database bring-up
  • docker compose or service startup
  • external network downloads

Safe Execution Rules

Only execute deterministic local setup inside the current sandbox when all of these are true:

  • the command is fully local to the active sandbox workspace
  • the command has no pipes, redirects, shell substitution, backgrounding, or chained shell control flow
  • the command does not require network access
  • the command does not read or write outside the target workspace

Prefer explicit primitives over free-form shell. Safe examples:

  • git init
  • mkdir -p .cache
  • touch .initialized
  • copy 
    .env.example
    to 
    .env
  • copy 
    .env.local.example
    to 
    .env.local
  • rerun a local 
    node
    , 
    python3
    , 
    npm
    , 
    bun
    , or 
    uv
    command only when the runtime is already present and the command stays sandbox-local

Never execute:

  • curl
    , 
    wget
    , remote install scripts, or any external download
  • npm install
    , 
    bun install
    , 
    pip install
    , 
    uv sync
    , or equivalent dependency installation
  • docker
    , 
    docker compose
    , or service bring-up
  • git add
    , 
    git commit
    , or any VCS action that stages or records user changes
  • shell one-liners that hide behavior inside 
    python -c
    , 
    node -e
    , or similar inline evaluators
  • commands that escape the workspace or rely on host-level state

Output Contract

After the run completes, output one JSON object and nothing else.

Read 

{baseDir}/references/setup-report-schema.md
before finalizing the response.

Required behavior:

  • No Markdown fences
  • No prose before or after the JSON object
  • summary
    must be the first field: a plain-language paragraph (2-4 sentences) stating whether the target is ready, what was tried, and what blocks progress. Write for a human reader who will not inspect the rest of the JSON.
  • ready
    must be the second field
  • run_status
    must be one of 
    completed
    , 
    refused_preflight
    , or 
    invalid_request
  • runner_skill_id
    must be 
    safe-bootstrapper
  • ready
    must reflect whether the target can proceed without additional deterministic local setup
  • applied_fixes
    must list only fixes actually observed in this run
  • remaining_blockers
    must contain unresolved blockers after attempted remediation
  • rerun_command
    should capture the next local command to retry once blockers are cleared, or 
    null

Never Do This

  • Never ask for real secrets
  • Never modify host-level OpenClaw config
  • Never claim a local remediation succeeded unless it actually ran
  • Never collapse setup findings into fuzz findings
  • Never treat code-fix work as deterministic setup