Agent Deploy & Isolation Skill
WHEN TO USE THIS SKILL
Use this skill when the user says ANY of the following (or similar):
- "deploy a new agent"
- "add a new agent"
- "create a new agent"
- "set up a new bot"
- "bind a bot to a new agent"
- "add a telegram bot"
- "list agents" or "show agents"
- "remove agent" or "delete agent"
WHAT YOU NEED FROM THE USER
Before running any deploy script, you MUST collect these two values from the user:
| Required | Example | How to get it |
|---|---|---|
| agentId | `research` | Ask: "What should I name this agent?" (lowercase, no spaces, no special chars) |
| botToken | `123456:ABC-xyz` | Ask: "What is the Telegram Bot Token?" (user gets this from @BotFather) |
If the user provides both in their message, proceed immediately.
If the user is missing one or both, ask for the missing value(s) before proceeding.
HOW TO EXECUTE
Action: DEPLOY a new agent
Run this exact command, replacing <agentId> and <botToken> with the user's values:
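```bash
bash {baseDir}/scripts/deploy.sh <agentId> <botToken>
```
Example: If user says "deploy agent called research with token 123456:ABCdef":
```bash
bash {baseDir}/scripts/deploy.sh research 123456:ABCdef
```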
After the script finishes:
- If output contains "SUCCESS": tell the user the agent is deployed.
- If output contains "CONFLICT": tell the user the agent already exists.
- If output contains "ERROR": tell the user what went wrong.
- If output contains "ROLLING BACK": tell the user the change was safely reverted.
DO NOT run systemctl restart unless the script output explicitly says to.
The script handles hot-reload automatically for channels and bindings.
Action: LIST all agents
```bash
bash {baseDir}/scripts/list.sh
```
Show the output table to the user as-is.
Action: REMOVE an agent
Run this exact command, replacing <agentId>:
```bash
bash {baseDir}/scripts/remove.sh <agentId>
```
Example: If user says "remove the research agent":
```bash
bash {baseDir}/scripts/remove.sh research
```
STRICT RULES - DO NOT VIOLATE
1. NEVER edit openclaw.json directly. Do not use write, edit, apply_patch, or any file editing tool on openclaw.json. The deploy script uses `openclaw config set`, which is the only safe way.
2. NEVER skip the pre-flight check. Always run the full deploy.sh script. Do not try to run individual `openclaw config set` commands yourself.
3. NEVER change the agentId format. It must be lowercase letters, numbers, and hyphens only. No spaces, no uppercase, no special characters.
4. NEVER deploy without a valid bot token. The token must match the format digits:alphanumeric (e.g., `123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw`).
5. NEVER modify the main agent. The remove.sh script refuses to remove the main agent. Do not try to work around this.
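One way to enforce rules 3 to 5 before user-supplied values are substituted into the command line, as an added example that is not part of the skill's own scripts. The function names, the literal id `main` for the protected agent, and the keyword precedence in `classify_output` are assumptions.

```bash
#!/bin/sh
# Added example: checks for the values substituted into deploy.sh / remove.sh.
LC_ALL=C; export LC_ALL   # make a-z / 0-9 ranges byte-exact in every locale

# agentId: lowercase letters, digits and hyphens only (strict rule 3).
valid_agent_id() {
  case "$1" in
    ''|*[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# botToken: <digits>:<secret>. Assumption: '-' and '_' are accepted in the
# secret because the page's own sample token (123456:ABC-xyz) contains '-'.
valid_bot_token() {
  case "$1" in *:*) ;; *) return 1 ;; esac
  bot_id=${1%%:*}
  secret=${1#*:}
  case "$bot_id" in ''|*[!0-9]*) return 1 ;; esac
  case "$secret" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
  return 0
}

# Gate for both actions. Assumption: the protected agent's id is literally "main".
# Usage: check_args deploy <agentId> <botToken>  |  check_args remove <agentId>
check_args() {
  valid_agent_id "$2" || { echo "ERROR: bad agentId" >&2; return 1; }
  [ "$2" != "main" ] || { echo "ERROR: main agent is protected" >&2; return 1; }
  if [ "$1" = "deploy" ]; then
    # Never echo the token itself; it is a credential.
    valid_bot_token "$3" || { echo "ERROR: bad botToken format" >&2; return 1; }
  fi
  return 0
}

# Map script output to the one status to report. Assumption: when several
# keywords appear, ROLLING BACK and ERROR take precedence over the others.
classify_output() {
  case "$1" in
    *"ROLLING BACK"*) echo "ROLLING BACK" ;;
    *ERROR*)          echo "ERROR" ;;
    *CONFLICT*)       echo "CONFLICT" ;;
    *SUCCESS*)        echo "SUCCESS" ;;
    *)                echo "UNKNOWN" ;;
  esac
}
```

Because both checks reject every character outside their allow-list, a value that passes cannot carry spaces, quotes or shell metacharacters into the `deploy.sh` or `remove.sh` command.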
WHAT THE SCRIPT DOES AUTOMATICALLY
You do NOT need to do any of these manually. The script handles everything:
- Creates isolated workspace at `~/.openclaw/workspace-<agentId>/`
- Adds agent to agents.list with safe defaults:
  - tools.deny: ["gateway"] (agent cannot modify core config)
  - sandbox.mode: "non-main" (non-main sessions are sandboxed)
  - sandbox.scope: "agent" (one container per agent)
  - sandbox.workspaceAccess: "none" (sandbox cannot access host workspace)
- Adds routing binding: `<agentId>` -> `telegram:<agentId>`
- Adds Telegram account with the bot token
- Validates with `openclaw doctor`
- Rolls back automatically on any failure
- Merges API keys from BOTH global config (openclaw.json auth.profiles) AND main agent's auth-profiles.json
- Migrates from single-bot to multi-account mode if needed
TROUBLESHOOTING
If the user says the new bot is not responding after deploy:
1. First, check logs: `journalctl --user -u openclaw-gateway --no-pager -n 20`
2. Look for `[telegram] [<agentId>] starting provider` in logs
3. If NOT found, restart: `systemctl --user restart openclaw-gateway`
4. If still not working, run: `bash {baseDir}/scripts/list.sh` to verify config
ENVIRONMENT VARIABLES
These are optional. The scripts use sensible defaults:
| Variable | Default | Description |
|---|---|---|
| `OPENCLAW_CONFIG_PATH` | `~/.openclaw/openclaw.json` | Custom config file path |
| `OPENCLAW_BIN` | `openclaw` | Custom openclaw CLI path |
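Agent Deploy & Isolation Skill
WHEN TO USE THIS SKILL
Use this skill when the user says any of the following (or something similar):
- "deploy a new agent"
- "add a new agent"
- "create a new agent"
- "set up a new bot"
- "bind a bot to a new agent"
- "add a Telegram bot"
- "list agents" or "show agents"
- "remove agent" or "delete agent"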
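WHAT YOU NEED FROM THE USER
Before running any deploy script, you must collect these two values from the user:
| Required | Example | How to get it |
|---|---|---|
| agentId | `research` | Ask: "What should this agent be named?" (lowercase, no spaces, no special characters) |
| botToken | `123456:ABC-xyz` | Ask: "What is the Telegram bot token?" (user gets this from @BotFather) |
If the user provides both in their message, proceed immediately.
If the user is missing one or both, ask for the missing value(s) before proceeding.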
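HOW TO EXECUTE
Action: DEPLOY a new agent
Run this exact command, replacing `<agentId>` and `<botToken>` with the user's values:
```bash
bash {baseDir}/scripts/deploy.sh <agentId> <botToken>
```
Example: If the user says "deploy an agent named research with token 123456:ABCdef":
```bash
bash {baseDir}/scripts/deploy.sh research 123456:ABCdef
```
After the script finishes:
- If output contains "SUCCESS": tell the user the agent is deployed.
- If output contains "CONFLICT": tell the user the agent already exists.
- If output contains "ERROR": tell the user what went wrong.
- If output contains "ROLLING BACK": tell the user the change was safely rolled back.
Do not run systemctl restart unless the script output explicitly says to.
The script handles hot-reload of channels and bindings automatically.
Action: LIST all agents
```bash
bash {baseDir}/scripts/list.sh
```
Show the output table to the user as-is.
Action: REMOVE an agent
Run this exact command, replacing `<agentId>` with the appropriate value:
```bash
bash {baseDir}/scripts/remove.sh <agentId>
```
Example: If the user says "remove the research agent":
```bash
bash {baseDir}/scripts/remove.sh research
```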
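STRICT RULES - DO NOT VIOLATE
1. Never edit openclaw.json directly. Do not use write, edit, apply_patch, or any file editing tool on openclaw.json. The deploy script uses `openclaw config set`, which is the only safe way.
2. Never skip the pre-flight check. Always run the full deploy.sh script. Do not try to run individual `openclaw config set` commands yourself.
3. Never change the agentId format. It must contain lowercase letters, numbers, and hyphens only. No spaces, uppercase letters, or special characters.
4. Never deploy without a valid bot token. The token must match the format digits:alphanumeric (e.g., `123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw`).
5. Never modify the main agent. The remove.sh script refuses to remove the main agent. Do not try to work around this restriction.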
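WHAT THE SCRIPT DOES AUTOMATICALLY
You do not need to do any of the following manually. The script handles everything:
- Creates an isolated workspace at `~/.openclaw/workspace-<agentId>/`
- Adds the agent to agents.list with safe defaults:
  - tools.deny: ["gateway"] (agent cannot modify core config)
  - sandbox.mode: "non-main" (non-main sessions are sandboxed)
  - sandbox.scope: "agent" (one container per agent)
  - sandbox.workspaceAccess: "none" (sandbox cannot access host workspace)
- Adds routing binding: `<agentId>` -> `telegram:<agentId>`
- Adds a Telegram account with the bot token
- Validates with `openclaw doctor`
- Rolls back automatically on any failure
- Merges API keys from both the global config (openclaw.json auth.profiles) and the main agent's auth-profiles.json
- Migrates from single-bot mode to multi-account mode if needed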
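TROUBLESHOOTING
If the user says the new bot is not responding after deploy:
1. First, check logs: `journalctl --user -u openclaw-gateway --no-pager -n 20`
2. Look for `[telegram] [<agentId>] starting provider` in the logs
3. If not found, restart: `systemctl --user restart openclaw-gateway`
4. If still not working, run: `bash {baseDir}/scripts/list.sh` to verify the config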
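ENVIRONMENT VARIABLES
These variables are optional. The scripts use sensible defaults:
| Variable | Default | Description |
|---|---|---|
| `OPENCLAW_CONFIG_PATH` | `~/.openclaw/openclaw.json` | Custom config file path |
| `OPENCLAW_BIN` | `openclaw` | Custom openclaw CLI path |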