openclaw - 💡(How to fix) Fix [Bug]: openclaw onboard wizard performs silent, unapproved skill installation based on fuzzy matching [2 comments, 2 participants]

GitHub stats: openclaw/openclaw#50954, fetched 2026-04-08 01:06:20. Comments: 2 · Participants: 2 · Timeline: 4 events (commented ×2, labeled ×2) · Reactions: 0.

The openclaw onboard command currently operates with an over-aggressive "Wizard" mode. It analyzes user workspace history to infer requirements, performs fuzzy searches on ClawHub, and installs skills without explicit user confirmation. This led to the unexpected and unapproved installation of nano-banana-pro-image instead of the user-intended nano-banana-pro, causing confusion and configuration errors.


Bug type

Behavior bug (incorrect output/state without crash)

Steps to reproduce

  1. Run openclaw onboard.
  2. The wizard scans current workspace history to detect "needs".
  3. The wizard triggers an internal ClawHub search with fuzzy matching.
  4. The wizard algorithm auto-selects the "best fit" skill version based on its own heuristics.
  5. The system installs the skill silently without prompting the user.

Expected behavior

  1. Consent Gate: Modify onboard to present a list of proposed skills to the user. Installation must only proceed after the user explicitly confirms (e.g., 'y').
  2. Clarification for Ambiguity: If a fuzzy search matches multiple results, the wizard must stop and ask the user to clarify which slug is intended.
  3. Provenance Logging: Every installation triggered by the wizard should be logged in commands.log with a specific tag (e.g., action: "onboard_suggestion_install").

Actual behavior

The system installs the skill silently without any user prompt or confirmation. The user only discovers the installation post-hoc (e.g., via errors when the wrong environment variables are triggered or through manual file inspection).

OpenClaw version

2026.3.13

Operating system

ubuntu 24.04

Install method

No response

Model

google/gemini-3.1-flash-lite-preview

Provider / routing chain

openclaw -> google-api-gateway -> google/gemini-3.1-flash-lite-preview

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

Fix Plan

To address the issue, modify the openclaw onboard command to introduce a consent gate, handle ambiguity in search results, and log installations triggered by the wizard. The steps, in the order the wizard should apply them:

  • Where a fuzzy search matches more than one slug, stop and ask the user which one is intended before the proposal list is built; accept only a slug the search actually returned.
  • Present the resolved list of proposed skills to the user and wait for explicit confirmation before anything is installed.
  • Log every installation the wizard triggers in commands.log with the action: "onboard_suggestion_install" tag.

Example Code

import logging

# Provenance logging: wizard-triggered installs are written to commands.log
logging.basicConfig(filename="commands.log", level=logging.INFO)

# ...

def onboard():
    # Scan workspace history and perform a fuzzy search on ClawHub.
    # Assumed shape of each proposal: `.candidates` holds every slug the fuzzy
    # search returned for one inferred need, `.slug` the single match when
    # there is exactly one.
    proposed_skills = scan_workspace_and_search()

    # Clarification for ambiguity: resolve every proposal to exactly one slug
    # BEFORE anything is shown for confirmation or installed. The wizard never
    # picks a "best fit" on its own.
    resolved = []
    for skill in proposed_skills:
        if not is_ambiguous(skill):
            resolved.append(skill.slug)
            continue
        print("Ambiguous match; candidates:")
        for candidate in skill.candidates:
            print("  " + candidate)
        chosen = input("Which slug do you mean? ").strip()
        # Only a slug the search actually returned may be installed; free-form
        # input is never used as an install target.
        if chosen in skill.candidates:
            resolved.append(chosen)
        else:
            print(f"'{chosen}' is not one of the candidates; skipping.")

    if not resolved:
        print("Nothing to install.")
        return

    # Consent gate: present the final list and wait for explicit confirmation
    print("Proposed skills:")
    for slug in resolved:
        print("  " + slug)
    confirm = input("Install these skills? (y/n): ")
    if confirm.strip().lower() != "y":
        print("Installation cancelled.")
        return

    # Install only after consent, tagging each install in commands.log
    for slug in resolved:
        install_skill(slug)
        logging.info('action: "onboard_suggestion_install", skill: %s', slug)

# ...
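The three rules from the plan (no auto-pick on multiple matches, explicit consent, tagged provenance record), isolated into pure functions so they can be unit-tested without a terminal. This is an added example, not code from the issue or the openclaw project: CATALOGUE, fuzzy_search and the Resolution type are constructed stand-ins for ClawHub search results, and every slug other than the two named in the issue is made up.

```python
from dataclasses import dataclass, field
from typing import Optional
import json

# Constructed stand-in for ClawHub's catalogue (sample data, not real slugs).
CATALOGUE = ["nano-banana-pro", "nano-banana-pro-image", "image-resizer"]

@dataclass
class Resolution:
    need: str                                 # requirement inferred from the workspace
    candidates: list = field(default_factory=list)
    slug: Optional[str] = None                # the single slug cleared for install

def fuzzy_search(need, catalogue=CATALOGUE):
    """Stand-in for the wizard's fuzzy ClawHub search: any slug containing the need."""
    return [s for s in catalogue if need in s]

def resolve(need, catalogue=CATALOGUE):
    """Clear a slug only when the search is unambiguous. Several hits leave
    slug=None so the wizard has to ask, instead of picking a 'best fit'
    itself (the heuristic that chose nano-banana-pro-image over nano-banana-pro)."""
    hits = fuzzy_search(need, catalogue)
    return Resolution(need, hits, hits[0] if len(hits) == 1 else None)

def clarify(res, answer):
    """Apply the user's clarification; only a slug the search returned is accepted."""
    chosen = answer.strip()
    if chosen in res.candidates:
        return Resolution(res.need, res.candidates, chosen)
    return res

def consent_given(answer):
    """Consent gate: only an explicit 'y' authorises installation."""
    return answer.strip().lower() == "y"

def provenance_record(slug):
    """The commands.log line that tags an install as a wizard suggestion."""
    return json.dumps({"action": "onboard_suggestion_install", "skill": slug})

def plan_installs(needs, answers, catalogue=CATALOGUE):
    """Resolve each need, applying the user's clarification where the search was
    ambiguous; returns (slugs cleared for the consent prompt, needs still unresolved)."""
    cleared, unresolved = [], []
    for need in needs:
        res = resolve(need, catalogue)
        if res.slug is None and need in answers:
            res = clarify(res, answers[need])
        (cleared if res.slug else unresolved).append(res.slug or need)
    return cleared, unresolved
```

With the issue's own case, resolve("nano-banana-pro") returns two candidates and no slug, so the wizard must ask; only after clarify() and consent_given() both pass does anything reach install.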

Verification

To verify the fix, run the openclaw onboard command and check that:

  • A list of proposed skills is presented to the user.
  • Installation only proceeds after explicit user confirmation.
  • Ambiguous search results prompt the user for clarification.
  • Installations triggered by the wizard are logged in commands.log with the action: "onboard_suggestion_install" tag.

Extra Tips

  • Make sure to test the fix with different scenarios, including multiple proposed skills and ambiguous search results.
  • Consider adding additional logging or monitoring to track the effectiveness of the consent gate and clarification prompts.
