Secure outbound-only relay for remote OpenClaw control — no exposed ports, no SSH, no Telegram.
Security Analysis
Medium confidence: The skill's code and declared requirements mostly match its stated purpose (an outbound-only relay), but there are several implementation and documentation mismatches and trust assumptions you should understand before installing.
The skill's name/description line up with the code: it opens an outbound WebSocket, authenticates with a token, sends heartbeats, and forwards relay commands to the host runtime. The three required env vars (relay URL, node id, auth token) are proportional to the purpose. Minor mismatch: SKILL.md was presented as an instruction-only skill in registry metadata, but the package actually includes TypeScript source files (relayClient.ts, config.ts, etc.), so it's not purely instruction-only.
SKILL.md claims the token is sent 'during the WebSocket handshake' and that all connections use TLS; the implementation actually sends the token as a post-open message and validateConfig will happily convert an http:// URL to ws:// (non-TLS). The skill also relies on the host-provided OpenClawRuntime API to execute prompts, workflows, and restart the process — this grants remote callers the ability to run declared workflows and restart the runtime, which is expected but requires you to trust the relay operator and to ensure workflows are properly scoped. The SKILL.md also asserts the relay does not persist data — that is a policy claim by the relay operator, not something enforced locally.
There is no install script or external download; the package provides TypeScript source and tests. That keeps install risk low (no arbitrary third-party binaries), but because code ships with the skill, it will run inside your agent's environment. Review the code before enabling.
Only three env vars are required (RELAY_URL, NODE_ID, AUTH_TOKEN) and AUTH_TOKEN is declared as the primary credential — this is proportional. Small inconsistencies: code expects lowercase keys in the config object (relay_url/node_id/auth_token) while SKILL.md and registry list uppercase env var names; your platform likely maps them, but confirm. No other credentials or paths are requested.
The skill is not always-enabled and does not request system-wide configuration changes. It can be invoked autonomously by the agent (default) which is normal for skills. It does not persist credentials or write to other skills' configs in the provided code.
Guidance
Before installing:
(1) Treat the relay operator as highly trusted — this skill transmits prompt content and streamed tokens to that remote relay. Verify the relay URL (prefer an operator you control or audited code).
(2) Enforce TLS: provide a wss:// URL; note the code will accept ws:// if you give an http:// URL, and the token is sent in a post-open message (not as a WebSocket subprotocol/header).
(3) Use a scoped, revocable AUTH_TOKEN and limit its lifetime/permissions on the relay side.
(4) Review the shipped TypeScript (relayClient.ts, config.ts) to confirm behavior matches your expectations (especially restart and workflow semantics) and to ensure there are no hidden endpoints.
(5) Run the skill in a controlled environment first (network egress rules, minimal privileges) and consider self-hosting the relay if you need stronger guarantees about persistence and data handling.
If you want higher assurance, ask the maintainer for the relay server code or run your own relay implementation.
Latest Release
v1.0.4
- Renamed skill from remote-relay to privaclaw and updated all references accordingly.
- Updated homepage URL to https://github.com/openclaw/privaclaw.
- Changed default relay endpoint in the Trust Statement from wss://privaclaw.fly.dev to wss://relay.privaclaw.com.
- Adjusted setup instructions and dashboard links to use the new skill name.
- No changes to files or core functionality; documentation and branding updated only.
Published by @jason-czar on ClawHub