setup
Automates the initial setup of NanoClaw, handling dependencies, authentication, and configuration for seamless operation.
Install this skill
or
0/100
Security score
The setup skill was audited on May 14, 2026 and we found 13 security issues across 5 threat categories, including 1 critical. Review the findings below before installing.
Categories Tested
Security Issues
critical line 50
Piping content to sh shell
SourceSKILL.md
| 50 | - Linux: install with `curl -fsSL https://get.docker.com | sh && sudo usermod -aG docker $USER`. Note: user may need to log out/in for group membership. |
high line 20
Curl to non-GitHub URL
SourceSKILL.md
| 20 | - Linux: `curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && sudo apt-get install -y nodejs`, or nvm |
high line 50
Curl to non-GitHub URL
SourceSKILL.md
| 50 | - Linux: install with `curl -fsSL https://get.docker.com | sh && sudo usermod -aG docker $USER`. Note: user may need to log out/in for group membership. |
medium line 78
Access to .env file
SourceSKILL.md
| 78 | If HAS_ENV=true from step 2, read `.env` and check for `CLAUDE_CODE_OAUTH_TOKEN` or `ANTHROPIC_API_KEY`. If present, confirm with user: keep or reconfigure? |
medium line 82
Access to .env file
SourceSKILL.md
| 82 | **Subscription:** Tell user to run `claude setup-token` in another terminal, copy the token, add `CLAUDE_CODE_OAUTH_TOKEN=<token>` to `.env`. Do NOT collect the token in chat. |
medium line 84
Access to .env file
SourceSKILL.md
| 84 | **API key:** Tell user to add `ANTHROPIC_API_KEY=<key>` to `.env`. |
medium line 105
Access to .env file
SourceSKILL.md
| 105 | 2. Collect credentials/tokens and write to `.env` |
medium line 165
Access to .env file
SourceSKILL.md
| 165 | **Service not starting:** Check `logs/nanoclaw.error.log`. Common: wrong Node path (re-run step 7), missing `.env` (step 4), missing channel credentials (re-invoke channel skill). |
medium line 171
Access to .env file
SourceSKILL.md
| 171 | **Channel not connecting:** Verify the channel's credentials are set in `.env`. Channels auto-enable when their credentials are present. For WhatsApp: check `store/auth/creds.json` exists. For token-b |
high line 10
Prompting for password/secret input
SourceSKILL.md
| 10 | **Principle:** When something is broken or missing, fix it. Don't tell the user to go fix it themselves unless it genuinely requires their manual action (e.g. authenticating a channel, pasting a secre |
low line 20
External URL reference
SourceSKILL.md
| 20 | - Linux: `curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && sudo apt-get install -y nodejs`, or nvm |
low line 49
External URL reference
SourceSKILL.md
| 49 | - macOS: install via `brew install --cask docker`, then `open -a Docker` and wait for it to start. If brew not available, direct to Docker Desktop download at https://docker.com/products/docker-deskto |
low line 50
External URL reference
SourceSKILL.md
| 50 | - Linux: install with `curl -fsSL https://get.docker.com | sh && sudo usermod -aG docker $USER`. Note: user may need to log out/in for group membership. |
Scanned on May 14, 2026
View Security Dashboard