
Teleport Machine ID tbot Bootstrap (macOS LaunchAgent) — Skill

v1.0.0

Bootstrap a persistent Teleport Machine ID (tbot) setup on macOS using LaunchAgent and tbot configure identity. Trigger when asked to set up, automate, or va...

by @webvictim·MIT-0
License
MIT-0
Last updated
2026/3/12
Security scan
VirusTotal
Benign
OpenClaw
Safe
high confidence
The skill's files and runtime instructions consistently implement a macOS LaunchAgent bootstrap for Teleport tbot identity refresh; the requested inputs and filesystem changes match the stated purpose and there is no unexplained network exfiltration or unrelated credential access.
Assessment recommendations
This skill appears to do what it says: it will create ~/.openclaw/workspace/tbot, write tbot config/state and identity files, place a LaunchAgent plist in ~/Library/LaunchAgents, and start the agent. Before installing: (1) verify tbot and tsh are official Teleport binaries and come from a trusted source, (2) be prepared to provide the bot onboarding token or registration secret and understand those values and the produced identity files are sensitive (do not commit them to source control), (3) r...
Detailed analysis
Purpose and capability
Name/description, SKILL.md, and the included script all focus on bootstrapping a persistent Teleport Machine ID (tbot) on macOS via a user LaunchAgent. Required binaries (tbot, tsh) and inputs (proxy, token or registration secret) align with that purpose; there are no unrelated binaries, services, or credentials requested.
Instruction scope
Instructions and the script perform the expected operations: create ~/.openclaw/workspace/tbot and state dirs, run 'tbot configure identity' with provided token/registration-secret, write a LaunchAgent plist to ~/Library/LaunchAgents, bootstrap it, and run a tsh smoke test. This stays within the stated scope. Important note: the workflow writes tbot config/state and identity files to disk (and may embed or use onboarding tokens) — these are sensitive artifacts and the SKILL.md correctly warns about treating them as secrets.
Install mechanism
No install spec is present (instruction-only with a helper script). Nothing is downloaded from remote URLs or installed automatically; the script expects tbot and tsh to already be present. This is low-install-risk and consistent with the skill's goal.
Credential requirements
No environment variables or external credentials are declared by the registry metadata. The script requires a proxy address and either a token or registration secret provided at runtime — these are necessary for Teleport onboarding. Because the token/registration-secret are sensitive, the user should be aware they will be used during configuration and their values (or derived identity files) will be written to local files.
Persistence and privileges
The skill intentionally creates and loads a user LaunchAgent under ~/Library/LaunchAgents to persist tbot. It does not request system/root (LaunchDaemon) installation, does not modify other skills or system-wide agent settings, and 'always' is not set. This persistence level is consistent with the stated purpose.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/3/12

Initial release of teleport-tbot-bootstrap

  • Automates setup of persistent Teleport Machine ID (tbot) on macOS using LaunchAgent and `tbot configure identity`
  • Guides collection of required inputs: proxy address, onboarding token, bot roles, and output directory
  • Installs and manages user-level LaunchAgent for seamless tbot identity refresh at login
  • Performs automatic config, first-run verification, and status reporting using tsh
  • Emphasizes security best practices and provides known limitations for v1.0.0
  • Complements the teleport-tsh-ssh skill for daily SSH and automation host access
  • Supports bound keypair onboarding (with registration secret)
  • Includes Teleport prereq YAML examples (Role/Bot/Token)
  • Scopes node access via openclaw-allowed: "true" label pattern
  • Includes host user auto-creation example (create_host_user_mode: insecure-drop)

Install command

Official: npx clawhub@latest install teleport-tbot-bootstrap
Mirror: npx clawhub@latest install teleport-tbot-bootstrap --registry https://cn.clawhub-mirror.com

Skill documentation

Set up a local, persistent Machine ID bot on macOS for OpenClaw/agent SSH access.

Pair this with teleport-tsh-ssh for operational host access once identity refresh is in place.

Compatibility

Tested against Teleport/tbot 18.7.0.

Inputs to collect

  • Teleport proxy address (for example teleport.example.com:443)
  • Bot onboarding secret (token and/or registration secret depending on cluster setup)
  • Bot role(s) / bot name context from Teleport setup
  • Optional output directory (default: ~/.openclaw/workspace/tbot)

LaunchAgent behavior (macOS)

Use LaunchAgent for user-session persistence.

  • Starts automatically at user login.
  • Starts immediately when loaded with launchctl bootstrap gui/ ....
  • Restarts automatically when KeepAlive is true.
  • Does not require root when installed under ~/Library/LaunchAgents.

Use LaunchDaemon only when system-wide root context is explicitly required.
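
A user LaunchAgent with the behavior listed above can be rendered as follows. This is an added example, not the skill's own script: the function name `write_tbot_plist` and its three arguments (tbot binary path, config path, target directory) are assumptions, while the label `com.openclaw.tbot` and the `tbot start -c` invocation come from this page.

```shell
#!/bin/sh
# Added example (not from the skill): render the user LaunchAgent plist.
# Usage: write_tbot_plist /abs/path/to/tbot /abs/path/to/tbot.yaml "$HOME/Library/LaunchAgents"
write_tbot_plist() {
  tbot_bin=$1; config=$2; agents_dir=$3
  label=com.openclaw.tbot
  # launchd does not expand "~" or $HOME in ProgramArguments: require absolute paths.
  case $tbot_bin in /*) ;; *) echo "tbot path must be absolute" >&2; return 1 ;; esac
  case $config in /*) ;; *) echo "config path must be absolute" >&2; return 1 ;; esac
  # Refuse characters that would need XML escaping instead of emitting a broken plist.
  case "$tbot_bin$config" in
    *"&"*|*"<"*|*">"*) echo "path contains XML metacharacters" >&2; return 1 ;;
  esac
  mkdir -p "$agents_dir" || return 1
  plist="$agents_dir/$label.plist"
  cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>$label</string>
  <key>ProgramArguments</key>
  <array>
    <string>$tbot_bin</string>
    <string>start</string>
    <string>-c</string>
    <string>$config</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>KeepAlive</key>
  <true/>
</dict>
</plist>
EOF
  # The plist holds only paths, but it must not be writable by group/other.
  chmod 644 "$plist" || return 1
  printf '%s\n' "$plist"
}
```

The plist carries no token or secret; those stay in the tbot config and state directories.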

Workflow

  • Ensure prerequisites: tbot, tsh, writable output dir.
  • Create output + state dirs (default ~/.openclaw/workspace/tbot and ~/.openclaw/workspace/tbot/state).
  • Generate config via tbot configure identity (do not hand-write config):
    - destination should point to output dir (file://.../tbot)
    - storage should point to state dir (file://.../tbot/state)
    - set proxy and join method (bound_keypair preferred)
    - write config file to ~/.openclaw/workspace/tbot/tbot.yaml
  • Create LaunchAgent plist to run tbot start -c with RunAtLoad + KeepAlive.
  • Load/start LaunchAgent.
  • Verify identity output exists and is fresh (.../tbot/identity).
  • Verify access path with tsh -i --proxy= ls.
  • Report status and next steps.

Bound keypair guidance

Prefer bound_keypair join method for recoverability after interruptions (sleep/reboot). Use high recovery limits for resilient rejoin flows when appropriate.

Use a fresh bot/state directory for first-time setup. Reusing state from a different bot/token can cause key lookup mismatches.

Use Teleport-side preregistration first (Bot + role + join config). Keep access label-scoped (for example openclaw-allowed: "true") so access is opt-in per node. See:

  • references/teleport-prereq-examples.yaml
  • https://goteleport.com/docs/reference/cli/tbot/

Security notes

  • Never commit onboarding tokens or registration secrets to git.
  • Treat tbot.yaml, bot state, and identity outputs as sensitive material.
  • Prefer secure secret delivery (interactive input, secret manager, env injection) over plaintext chat logs.
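
The workflow step "verify identity output exists and is fresh" and the notes above can be combined into one audit of the output directory. This is an added example, not part of the skill's scripts; the function name `check_tbot_artifacts` and the 60-minute default freshness threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the skill): audit the tbot output directory.
# Usage: check_tbot_artifacts DIR [MAX_AGE_MINUTES]   (60 is an assumed default)
check_tbot_artifacts() {
  dir=$1; max_age=${2:-60}; rc=0
  # The identity file must exist and have been rewritten recently by tbot.
  if [ ! -s "$dir/identity" ]; then
    echo "FAIL identity missing or empty"; rc=1
  elif [ -z "$(find "$dir/identity" -mmin "-$max_age" 2>/dev/null)" ]; then
    echo "FAIL identity older than ${max_age}m (is the LaunchAgent running?)"; rc=1
  fi
  # Config, state and identity must grant nothing to group/other.
  for p in "$dir" "$dir/state" "$dir/tbot.yaml" "$dir/identity"; do
    [ -e "$p" ] || continue
    mode=$(ls -ld "$p" | cut -c5-10)   # group+other permission bits
    [ "$mode" = "------" ] || { echo "FAIL $p open to group/other ($mode)"; rc=1; }
  done
  # Nothing under the directory should be tracked by git.
  if command -v git >/dev/null 2>&1 &&
     [ -n "$(git -C "$dir" ls-files 2>/dev/null)" ]; then
    echo "FAIL files under $dir are tracked by git"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK"
  return "$rc"
}
```

Run it against the output directory after the LaunchAgent has been loaded; a non-zero exit status means at least one check failed.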

Known limitations (v1.0.0)

  • Focuses on SSH identity output workflows (not Teleport app/db/kubernetes outputs).
  • Uses LaunchAgent user context; does not provide full LaunchDaemon/root automation.

Commands (reference)

  • Generate config:
- tbot configure identity --output ~/.openclaw/workspace/tbot/tbot.yaml ...
  • Start once (foreground test):
- tbot start -c ~/.openclaw/workspace/tbot/tbot.yaml
  • LaunchAgent load:
- launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.openclaw.tbot.plist
  • LaunchAgent restart:
- launchctl kickstart -k gui/$(id -u)/com.openclaw.tbot

Clawhub listing copy

Clawhub short description

Bootstrap a persistent Teleport Machine ID (tbot) identity on macOS using LaunchAgent and tbot configure identity.

Companion skill

Use with teleport-tsh-ssh for day-to-day SSH/command/scp operations using the refreshed identity.

Clawhub long description

Set up a local, persistent Machine ID bot for automation hosts. Generate config using tbot configure identity, install a user LaunchAgent (com.openclaw.tbot), and validate identity output with a tsh smoke test.

Includes LaunchAgent persistence (no root), bound keypair onboarding support, Teleport prereq examples (Role/Bot/Token), label-scoped node access patterns, registration-secret retrieval guidance, and first-run fresh-state guidance.

Resources

  • Setup script: scripts/bootstrap_tbot_launchagent.sh
  • Teleport YAML examples: references/teleport-prereq-examples.yaml
  • LaunchAgent template notes: references/launchagent-notes.md

Uninstall / cleanup

  • launchctl bootout gui/$(id -u)/com.openclaw.tbot
  • rm -f ~/Library/LaunchAgents/com.openclaw.tbot.plist
  • Remove bot files if desired: rm -rf ~/.openclaw/workspace/tbot
Data source: ClawHub · Chinese localization: 龙虾技能库