📦 VPS Bootstrap — VPS一键初始化
v1.0.0从零开始初始化一台全新VPS,自动部署并运行OpenClaw,集成备份/恢复与灾后验证,帮助你在几分钟内把裸机变成可生产环境。
1· 330·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceThe skill is largely coherent for bootstrapping and restoring an OpenClaw VPS, but it performs high‑privilege system changes, restores and installs sensitive credentials, and contains a couple of risky practices (creating an unprotected GPG key; piping a remote NodeSource script to bash) that deserve careful review before use.
评估建议
This script bundle appears to do what it says (system installs, OpenClaw install, backup/restore), but it will modify system configs and manage sensitive secrets. Before running: (1) review the scripts line-by-line — especially the curl | bash NodeSource step and the npm install -g openclaw; (2) back up existing ~/.gnupg, ~/.password-store, ~/.config/rclone and any keyrings because restore.sh can overwrite them; (3) remove or change the %no-protection flag in the GPG key params if you want a pas...详细分析 ▾
✓ 用途与能力
The name/description match what the files do: install system packages, Node.js, Chrome, OpenClaw, configure firewall/fail2ban/SSH, enable gateway services, and provide backup/restore and verification. Required privileges (root/sudo) and target paths (~/.openclaw, /etc/ssh, /etc/fail2ban, /usr/local/bin) are consistent with a bootstrap/restore tool.
⚠ 指令范围
SKILL.md accurately describes the scripts, but the scripts perform broad system changes and handle secrets. Notable issues: bootstrap.sh generates a GPG key using %no-protection (creates an unencrypted private key), which weakens secret protection and contradicts the SKILL.md security claim. restore.sh will overwrite ~/.gnupg, ~/.password-store, rclone config, keyrings, and other credential files from the backup tarball — expected for a restore, but potentially destructive and sensitive. The scripts modify system SSH configuration and enable system services without finer-grained prompts. These behaviors expand the scope beyond a simple installer and require explicit user consent and backups of existing keys/configs.
ℹ 安装机制
There is no packaged install spec; the scripts perform network installs from recognizable hosts (nodesource setup script piped to bash, dl.google.com for Chrome, npm install -g openclaw). These are common for bootstrappers but piping a remote script into sudo bash is a moderate risk pattern — the NodeSource script is from an expected host, but running it without inspection can execute arbitrary code on the machine.
ℹ 凭证需求
The skill declares no required env vars or credentials, which matches the bundle. It requires sudo/root to perform system changes — appropriate for the task. However the scripts create and restore sensitive artifacts (GPG keys, password store, rclone config, keyrings, OAuth credentials) and will copy them into the user's home (potentially overwriting existing secrets). That handling of credentials is proportionate to backup/restore, but it's high sensitivity and should be treated with caution.
✓ 持久化与权限
The skill does not request always:true and does not alter other skills. It does enable user linger and installs/enables an OpenClaw gateway service and hooks, and edits system services/configs (sshd_config, fail2ban, UFW), which are appropriate for a bootstrapper but are high‑privilege operations — ensure you run this only on a machine where those changes are acceptable.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/3
Initial release: bootstrap.sh + restore.sh + verify.sh for full VPS deployment and disaster recovery
● 可疑
安装命令
点击复制官方npx clawhub@latest install vps-bootstrap
镜像加速npx clawhub@latest install vps-bootstrap --registry https://cn.longxiaskill.com