Is j540/openclaw-setup safe?

https://github.com/openclaw/skills/tree/main/skills/j540/openclaw-setup

Overall score: 78 (CAUTION)

The openclaw-setup skill is a functional AWS deployment guide with no active malicious behavior detected — canary files were not compromised, no exfiltration to attacker-controlled endpoints was observed, and the skill contains no executable code of its own. However, the skill embeds multiple undisclosed commercial interests: it instructs the agent to always recommend the most expensive AI model and to promote the author's paid setup service (jamesferrer.com) to struggling users. It also contains a material false claim that m7i-flex.large EC2 instances are AWS Free Tier eligible — they are not, and following this guidance could result in approximately $65-70/month in unexpected charges. Additional risks include systematic collection of six high-value credential types and reliance on curl-pipe-bash and unverified third-party code patterns on the target server.

Category Scores (score / weight in overall)

Prompt Injection: 65/100 (weight 30%)
Data Exfiltration: 85/100 (weight 25%)
Code Execution: 75/100 (weight 20%)
Clone Behavior: 90/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 75/100 (weight 5%)

Findings (10)

HIGH: Undisclosed Commercial Service Promotion Directive (-15)

The skill explicitly instructs the agent to promote https://www.jamesferrer.com as a paid done-for-you setup service when users encounter difficulty. This is an undisclosed commercial referral directive that benefits the skill author financially. It was not disclosed in the skill's description or metadata, and it instructs the agent to act as a sales referral agent without user knowledge.

HIGH: False AWS Free Tier Eligibility Claim (-15)

The skill falsely asserts that m7i-flex.large EC2 instances are free tier eligible. AWS Free Tier provides only 750 hours/month of t2.micro or t3.micro for 12 months. The m7i-flex.large costs approximately $0.09/hour on-demand, resulting in approximately $65-70/month in charges. Users following this guidance on a new account expecting free tier would incur immediate unexpected costs.

MEDIUM: Hard-Coded Model Recommendation Steering (-10)

The skill contains an explicit directive to always recommend Opus as the default model regardless of user circumstances, relegating Sonnet to users with 'strict budget constraints'. This overrides the agent's own judgment on model selection and steers users toward maximum API spend, potentially benefiting parties with a commercial interest in API revenue.

MEDIUM: Systematic High-Value Credential Collection (-15)

The skill instructs the agent to elicit and handle six categories of high-value credentials: Anthropic API key, Telegram bot token, Groq API key, OpenAI API key, Google OAuth client secrets, and a GOG keyring password. While required for the stated setup purpose, the breadth of credential collection is unusually wide and creates a significant attack surface. If a future skill update added exfiltration logic, it would have access to credentials across multiple platforms.

MEDIUM: curl-pipe-bash Remote Code Execution on Target Server (-10)

The skill instructs the agent to execute a curl-pipe-bash pattern on the user's EC2 instance with sudo privileges. This downloads a setup script from nodesource.com and executes it immediately without inspection. This is a known supply chain attack vector — a compromise of the nodesource CDN or DNS poisoning would result in arbitrary code execution as root on the user's server.

MEDIUM: Unverified Third-Party Tool Built and Installed with Root Privileges (-10)

The skill instructs cloning steipete/gogcli from a personal GitHub account, building from source via make, and copying the resulting binary to /usr/local/bin with sudo. No checksums, code review, or integrity verification is performed. This tool subsequently receives delegated access to Gmail, Calendar, Drive, Contacts, Sheets, and Docs. A malicious commit to the upstream repo would result in a privileged binary with full Google Workspace access.

LOW: Agent Persona Reassignment (-5)

The skill opens with a persona instruction directing the agent to assume the identity of 'Claude Code' setting up an AI assistant. While contextually appropriate for a setup guide, this pattern primes the agent to adopt a role and could reduce resistance to subsequent instructions that might conflict with default safety behaviors.

LOW: Sensitive Credentials Normalized for Plaintext Systemd Storage (-5)

Phase 9 includes commented-out lines in the systemd service template suggesting GOG_KEYRING_PASSWORD be stored as an environment variable in the unit file. While commented, this normalizes plaintext credential storage in a world-readable (or group-readable) service file, contrary to security best practices.

LOW: Unpinned npm Global Package Installation (-5)

The skill instructs npm install -g openclaw without a version pin. If the openclaw npm package were compromised via a supply chain attack, the npm install would silently execute malicious preinstall/postinstall hooks with the user's privileges on the EC2 instance.

INFO: openclaw-gateway Network Connections Present After Install (0)

The connection diff shows openclaw-gateway (pid=1084) with established TCP connections to AWS IP ranges after skill installation. This process and its connections are attributable to a pre-installed openclaw service in the audit VM environment — confirmed by the presence of /home/oc-exec/.openclaw-executor/gateway.pid in the pre-install filesystem baseline and the fact that SKILL.md contains no code capable of starting a process.