📦 ClawRoam — 身份云同步
v3.0.1为 OpenClaw 打造的便携身份保险库,自动、无感、加密地跨设备同步知识、插件与记忆,像 iCloud 一样随取随用。
0· 516·0 当前·0 累计
by @getlighty下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
安全
medium confidenceNULL
评估建议
What to check before installing or using ClawRoam:
- Verify origin and reputation: the package lists an unknown owner and has no homepage. If you don't already trust the publisher, audit the scripts before running them.
- Inspect key management: review src/keypair.sh and providers/cloud.sh to ensure your private key is never transmitted. The repo claims private keys remain local; confirm the implementation matches that claim.
- Review what you opt into syncing: by default SOUL.md and IDENTITY...详细分析 ▾
✓ 用途与能力
The name/description (portable vault, sync of knowledge/packages/memory) matches what the scripts and server code implement. Required binaries listed in SKILL.md (curl, git, openssl, ssh-keygen, python3, rsync, tar, fswatch optional) are reasonable for the stated functionality and are used by the included bash scripts. The repo also contains a cloud backend implementation (Node/Cloudflare Worker), which aligns with the 'ClawRoam Cloud' managed provider mentioned in the docs.
ℹ 指令范围
Runtime instructions direct the agent to run local scripts (clawroam.sh, sync-engine.sh, migrate.sh, track-packages.sh) and to contact the declared cloud endpoint only when the 'cloud' provider is used. The skill will read OpenClaw workspace files (USER.md, MEMORY.md) when initializing — this is expected. There is an opt-in path for syncing sensitive things (credentials/ channel auth, openclaw config) and SKILL.md shows sensible defaults (config/soul/identity sync disabled). Verify you understand and control any opt-in steps, because those are the only paths that would transmit channel or credential material off-device.
✓ 安装机制
No install spec is provided (instruction-only), so nothing is automatically downloaded or executed outside the included repository. The project contains source code and scripts that run directly. This is a lower-risk install model than an arbitrary remote download, but you must still inspect and trust the bundled scripts before running them.
ℹ 凭证需求
As packaged for clients, the skill requires no environment variables and does not request unrelated credentials. The cloud backend code (in cloud-api/ and cloud-api-worker/) does expect server-side env vars if you deploy it yourself (DATABASE_URL, STRIPE_SECRET_KEY, S3 or R2 credentials, etc.) — those are server-side deployment needs and do not imply the client will ask for or transmit your system credentials. That said, the skill supports an opt-in sync of 'credentials/' and 'openclaw config.json' (which can contain channel tokens); syncing those would transmit highly sensitive data (even if encrypted).
✓ 持久化与权限
The skill does not request always:true and defaults are reasonable. Model invocation is not disabled (default), which is normal for skills. The scripts create a per-user vault at ~/.clawroam and an Ed25519 keypair stored locally; nothing in the package attempts to modify other skills or system-wide agent settings. Autonomous invocation plus network access means the skill could perform syncs automatically — but SKILL.md shows sensible defaults that avoid syncing private 'soul' and identity files unless explicitly opted in.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv3.0.12026/2/23
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install clawroam
镜像加速npx clawhub@latest install clawroam --registry https://cn.longxiaskill.com