📦 Vt Sentinel Installer — Utilities

v1.8.1

Security plugin. Use when the user asks to install, set up, enable, update, or upgrade VT Sentinel, VirusTotal scanning, malwa...

by @king-tero · MIT-0
Last updated: 2026/4/14

Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The instructions generally match an installer for a VT Sentinel plugin, but there are multiple mismatches and unstated assumptions (undeclared binaries and config paths, edits to user config and credential files, and a claim of 'zero‑config' auto-registration) that warrant caution before running.
Assessment recommendations
Before running this installer: 1) Backup your ~/.openclaw directory and especially any vtai-agent-credentials.json or other credential files. 2) Confirm you have the required CLI tools that the script actually calls (openclaw, node, tar, systemctl) — the manifest only listed npm/pnpm/yarn/bun but the scripts use other utilities. 3) Inspect the plugin package source (clawhub:openclaw-plugin-vt-sentinel or the npm package) so you know what code will run on startup. 4) Ask the vendor to explain the...
Detailed analysis
Purpose and capabilities
The skill's stated purpose is installing/upgrading the VT Sentinel plugin and most steps align with that. However the SKILL.md relies heavily on the 'openclaw' CLI, node, tar/system utilities, and systemctl but the registry metadata only declares package managers (npm/pnpm/yarn/bun). It also modifies ~/.openclaw files and extension directories while the metadata lists no required config paths. These undeclared dependencies and paths are inconsistent with the manifest.
Instruction scope
The runtime instructions perform plausible installer actions: checking plugin/version, removing extension directories, editing ~/.openclaw/openclaw.json, extracting npm packages into the extensions folder, and restarting the gateway service. These are within the scope of an installer, but they include destructive operations (rm -rf or rmdir on the extension directory) and editing user config files. The installer also asserts 'No API key needed — it auto-registers with VirusTotal's AI API', which implies network registration and possible creation/transmission of credentials (vtai-agent-credentials.json) though the instructions don't show or explain that process.
Install mechanism
This is an instruction-only skill with no embedded install script; it delegates installation to 'openclaw plugins install' or npm pack + tar extraction. That approach avoids downloading arbitrary archives from unknown URLs and uses package manager tooling, which is proportionate for a plugin install.
Credential requirements
The skill requests no environment variables, but the instructions read HOME/USERPROFILE and directly modify files under ~/.openclaw, including references to a credentials file (~/.openclaw/vtai-agent-credentials.json). These config paths are not declared in the metadata. Additionally, the 'zero-config' auto-registration claim means the installation may create or register credentials without explicit user-provided API keys; that behavior should be confirmed because it affects privacy and credential handling.
Persistence and privileges
The skill does not request permanent ('always') inclusion and does not modify other skills. It writes to the user's home directory and restarts the user gateway service, which is expected for a plugin installer and aligns with its purpose.
Security is layered; review the code before running.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest v1.8.1 2026/2/13

Bumped to install v0.12.2 (audit collector accuracy + legacy log perm sanitization).

Suspicious

Install command

Official: npx clawhub@latest install vt-sentinel-installer
Mirror: npx clawhub@latest install vt-sentinel-installer --registry https://cn.longxiaskill.com

Skill documentation

Step 1: Check current state

exec { "command": "openclaw plugins list 2>/dev/null | grep vt-sentinel" }

Determine the platform:

exec { "command": "uname -s 2>/dev/null || echo Windows" }

Three possible outcomes:

  • Not installed → go to Step 2 (fresh install)
  • Installed, older version → go to Step 3 (upgrade)
  • Installed, already v0.10.0 or newer → tell the user it's up to date and skip the remaining steps

To check the installed version:

exec { "command": "node -e \"const p=require(process.env.HOME+'/.openclaw/extensions/openclaw-plugin-vt-sentinel/package.json');console.log(p.version)\" 2>/dev/null || echo unknown" }

On Windows use %USERPROFILE% instead of $HOME.

Step 2: Fresh install

exec { "command": "openclaw plugins install openclaw-plugin-vt-sentinel" }

This downloads the npm package, registers the plugin, and loads skills and hooks automatically. No manual configuration is needed. Go to Step 4.

Step 3: Upgrade from a previous version

The openclaw plugins install command does NOT support in-place upgrade — it fails with "plugin already exists". The upgrade process is:

3a. Remove the old extension directory (preserves all user data)

On Linux/macOS:

exec { "command": "rm -rf ~/.openclaw/extensions/openclaw-plugin-vt-sentinel" }

On Windows:

exec { "command": "rmdir /s /q %USERPROFILE%\\.openclaw\\extensions\\openclaw-plugin-vt-sentinel" }

User data is safe — these files live outside the plugin directory and are preserved:

  • ~/.openclaw/vt-sentinel-state.json (configuration overrides, onboarding flags)
  • ~/.openclaw/vt-sentinel-uploads.log (audit log)
  • ~/.openclaw/vt-sentinel-detections.log (audit log)
  • ~/.openclaw/vtai-agent-credentials.json (VTAI API credentials)

3b. Clean stale install entry (preserves user config)

After removing the extension directory, openclaw.json still references the old plugin path in plugins.installs, which causes validation errors. Only remove the stale install metadata — user config in plugins.entries (apiKey, etc.) is preserved:

On Linux/macOS:

exec { "command": "node -e \"const fs=require('fs'),p=process.env.HOME+'/.openclaw/openclaw.json';try{const P=(()=>{try{return require('json5').parse}catch{return JSON.parse}})();const c=P(fs.readFileSync(p,'utf8'));if(c.plugins?.installs)delete c.plugins.installs['openclaw-plugin-vt-sentinel'];fs.writeFileSync(p,JSON.stringify(c,null,2));console.log('Config cleaned')}catch(e){console.log('No config to clean: '+e.message)}\"" }

On Windows:

exec { "command": "node -e \"const fs=require('fs'),p=process.env.USERPROFILE+'\\\\.openclaw\\\\openclaw.json';try{const P=(()=>{try{return require('json5').parse}catch{return JSON.parse}})();const c=P(fs.readFileSync(p,'utf8'));if(c.plugins?.installs)delete c.plugins.installs['openclaw-plugin-vt-sentinel'];fs.writeFileSync(p,JSON.stringify(c,null,2));console.log('Config cleaned')}catch(e){console.log('No config to clean: '+e.message)}\"" }
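
A more defensive form of the step 3b cleanup, as an added example that is not part of the skill's own instructions: it keeps a backup of openclaw.json, leaves the file alone when there is no stale entry, and replaces it atomically. The function names and the contents of the sample config (including the installPath field) are constructed for illustration, and the example assumes strict JSON rather than the JSON5 fallback used in the one-liner above.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const PLUGIN_ID = 'openclaw-plugin-vt-sentinel'; // plugin name as used on this page

// Delete only plugins.installs[pluginId]; plugins.entries (apiKey, etc.) is untouched.
function removeStaleInstall(config, pluginId = PLUGIN_ID) {
  const installs = config && config.plugins && config.plugins.installs;
  if (!installs || !Object.prototype.hasOwnProperty.call(installs, pluginId)) {
    return false; // nothing stale: the caller leaves the file alone
  }
  delete installs[pluginId];
  return true;
}

// Assumption: the file is strict JSON. JSON.parse throws on JSON5 or comments, so such
// a file is refused instead of being rewritten without its comments.
function cleanConfigFile(configPath, pluginId = PLUGIN_ID) {
  const raw = fs.readFileSync(configPath, 'utf8');
  const config = JSON.parse(raw);
  if (!removeStaleInstall(config, pluginId)) return { changed: false, backup: null };

  const mode = fs.statSync(configPath).mode & 0o777; // keep the existing permissions
  const backup = `${configPath}.bak-${Date.now()}`;
  fs.writeFileSync(backup, raw, { mode }); // untouched copy of the original
  const tmp = `${configPath}.tmp-${process.pid}`;
  fs.writeFileSync(tmp, JSON.stringify(config, null, 2) + '\n', { mode });
  fs.renameSync(tmp, configPath); // atomic replace on the same filesystem
  return { changed: true, backup };
}

// Constructed sample config in a temp directory; the demo never touches ~/.openclaw.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'openclaw-demo-'));
  const file = path.join(dir, 'openclaw.json');
  const sample = { plugins: {
    installs: { [PLUGIN_ID]: { installPath: '/constructed/path' }, other: {} },
    entries: { [PLUGIN_ID]: { apiKey: 'CONSTRUCTED-PLACEHOLDER' } },
  } };
  fs.writeFileSync(file, JSON.stringify(sample), { mode: 0o600 });
  const first = cleanConfigFile(file);
  const second = cleanConfigFile(file); // second run: no rewrite, no new backup
  const after = JSON.parse(fs.readFileSync(file, 'utf8'));
  return { first, second, after, backup: JSON.parse(fs.readFileSync(first.backup, 'utf8')) };
}

if (typeof module !== 'undefined' && require.main === module) console.log(demo().after);
```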

3c. Install the new version

exec { "command": "openclaw plugins install openclaw-plugin-vt-sentinel" }

If this fails on Windows with spawn EINVAL, use the manual method:

exec { "command": "cd %TEMP% && npm pack openclaw-plugin-vt-sentinel && mkdir %USERPROFILE%\\.openclaw\\extensions\\openclaw-plugin-vt-sentinel && tar xzf openclaw-plugin-vt-sentinel-0.10.0.tgz -C %USERPROFILE%\\.openclaw\\extensions\\openclaw-plugin-vt-sentinel --strip-components=1 && cd %USERPROFILE%\\.openclaw\\extensions\\openclaw-plugin-vt-sentinel && npm install --omit=dev" }

Step 4: Restart gateway

The plugin won't be active until the gateway restarts. Detect the platform and use the appropriate command:

Linux:

exec { "command": "systemctl --user restart openclaw-gateway.service" }

macOS:

exec { "command": "openclaw gateway restart" }

Windows:

exec { "command": "openclaw gateway restart" }

Step 5: Verify

After restart, check that the plugin loaded correctly and shows 9 tools:

exec { "command": "openclaw plugins list 2>/dev/null | grep vt-sentinel" }

Step 6: Inform the user

Tell the user:

  • VT Sentinel is installed and active (mention if it was an upgrade, and from which version).
  • No API key needed — it auto-registers with VirusTotal's AI API (zero-config).
  • Optionally, they can add their own VirusTotal API key for higher rate limits via openclaw plugins config openclaw-plugin-vt-sentinel apiKey <key>.

VT Sentinel provides:

  • vt_scan_file — Full file scan (AV + AI Code Insight)
  • vt_check_hash — Quick hash lookup
  • vt_upload_consent — Consent for sensitive file uploads
  • vt_sentinel_status — View current config, watched dirs, protection status
  • vt_sentinel_configure — Change settings at runtime (presets, notify level, block mode)
  • vt_sentinel_reset_policy — Reset to defaults
  • vt_sentinel_help — Quick-start guide and privacy info
  • vt_sentinel_update — Check for updates and get upgrade instructions
  • vt_sentinel_re_register — Re-register agent identity with VTAI
  • Automatic scanning of downloaded/created files
  • Active blocking of malicious file execution and dangerous command patterns

Troubleshooting

If openclaw plugins install fails:

  • Check internet connectivity: exec { "command": "npm ping" }
  • Try with verbose output: exec { "command": "openclaw plugins install openclaw-plugin-vt-sentinel --verbose" }
  • On Windows, if the spawn EINVAL error occurs, use the manual method from Step 3b

Constraints

  • Do not modify openclaw.json manually — openclaw plugins install handles everything
  • If the user reports the plugin is blocked, check plugins.deny in openclaw.json
Data source: ClawHub · Chinese localization: 龙虾技能库