{
  "schemaVersion": "1.0",
  "item": {
    "slug": "openclaw-aws-deploy",
    "name": "OpenClaw AWS Deploy",
    "source": "tencent",
    "type": "skill",
    "category": "Developer Tools",
    "sourceUrl": "https://clawhub.ai/godwinbabu/openclaw-aws-deploy",
    "canonicalUrl": "https://clawhub.ai/godwinbabu/openclaw-aws-deploy",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/openclaw-aws-deploy",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-aws-deploy",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "CHANGELOG.md",
      "README.md",
      "ROADMAP.md",
      "SKILL.md",
      "assets/agent-defaults/AGENTS.md",
      "assets/agent-defaults/HEARTBEAT.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/openclaw-aws-deploy"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/openclaw-aws-deploy",
    "agentPageUrl": "https://openagent3.xyz/skills/openclaw-aws-deploy/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-aws-deploy/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-aws-deploy/agent.md"
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Prerequisites",
        "body": "AWS credentials — any of these methods:\n\n--profile <name> flag (named AWS CLI profile)\n.env.aws file in workspace root or skill directory (optional):\nAWS_ACCESS_KEY_ID=...\nAWS_SECRET_ACCESS_KEY=...\nAWS_DEFAULT_REGION=us-east-1\n\n\nExisting environment variables, AWS SSO session, or IAM role\n\n\n.env.starfish in workspace root (recommended) or skill directory:\nTELEGRAM_BOT_TOKEN=...     # from @BotFather (required)\nTELEGRAM_USER_ID=...       # your Telegram user ID (optional, enables auto-approve pairing)\nGEMINI_API_KEY=...         # from aistudio.google.com (optional, for Gemini models)\n\n\naws CLI installed OR Docker for sandboxed access\njq, openssl available"
      },
      {
        "title": "One-Shot Deploy",
        "body": "# From the skill directory:\n./scripts/deploy_minimal.sh --name starfish --region us-east-1 \\\n  --env-dir /path/to/workspace\n\n# Or with cleanup of previous deployment first:\n./scripts/deploy_minimal.sh --name starfish --region us-east-1 \\\n  --env-dir /path/to/workspace --cleanup-first\n\nThis single command:\n\nCreates VPC + subnet + IGW + route table\nCreates security group (NO inbound ports — SSM only)\nCreates IAM role with minimal permissions (SSM + Parameter Store + Bedrock)\nStores secrets in SSM Parameter Store (fetched at each service start — rewritten on each start, never stored in repo or static images)\nLaunches t4g.medium ARM64 instance with user-data bootstrap\nUser-data installs Node.js 22 + OpenClaw + configures everything\nRuns smoke test via SSM\nSaves all resource IDs to deploy-output.json"
      },
      {
        "title": "After Deploy",
        "body": "Message the Telegram bot — you'll get a pairing code\nApprove pairing via SSM:\naws ssm start-session --target <INSTANCE_ID> --region us-east-1\nsudo -u openclaw bash\nexport HOME=/home/openclaw\nopenclaw pairing approve telegram <CODE>\n\n\nBot is live! ✅"
      },
      {
        "title": "Teardown",
        "body": "# Using saved output:\n./scripts/teardown.sh --from-output ./deploy-output.json --env-dir /path/to/workspace --yes\n\n# Or by name (discovers via tags):\n./scripts/teardown.sh --name starfish --region us-east-1 --env-dir /path/to/workspace --yes"
      },
      {
        "title": "--model flag",
        "body": "Pass any model string — it goes directly into openclaw.json as model.primary:\n\n# Default (MiniMax M2.1 on Bedrock — no API key needed, uses IAM role)\n./scripts/deploy_minimal.sh --name starfish --region us-east-1\n\n# Gemini Flash (needs GEMINI_API_KEY in .env.starfish)\n./scripts/deploy_minimal.sh --name starfish --region us-east-1 \\\n  --model google/gemini-2.0-flash"
      },
      {
        "title": "AWS Bedrock",
        "body": "Bedrock IAM permissions (bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream) are always added to the instance role — regardless of which model you choose. This means any deployed instance can use Bedrock models out of the box via IAM role credentials (no API key needed).\n\nKnown Bedrock model IDs:\n\nModel flag\tDescription\namazon-bedrock/minimax.minimax-m2.1\tMiniMax M2.1\namazon-bedrock/minimax.minimax-m2\tMiniMax M2\namazon-bedrock/deepseek.deepseek-r1\tDeepSeek R1\namazon-bedrock/moonshotai.kimi-k2.5\tKimi K2.5\n\nNote: Bedrock models must be enabled in your AWS account via the Bedrock console before use."
      },
      {
        "title": "Gemini",
        "body": "If GEMINI_API_KEY is present in .env.starfish, it's stored in SSM and written to auth-profiles.json. If absent, it's simply skipped — no error."
      },
      {
        "title": ".env.starfish",
        "body": "TELEGRAM_BOT_TOKEN=...     # Required — from @BotFather\nGEMINI_API_KEY=...         # Optional — from aistudio.google.com (needed for Gemini models)"
      },
      {
        "title": "Architecture (Minimal)",
        "body": "┌─────────────────────────────────────────────────────┐\n│                      VPC (10.50.0.0/16)             │\n│  ┌───────────────────────────────────────────────┐  │\n│  │           Public Subnet (10.50.0.0/24)        │  │\n│  │  ┌─────────────────────────────────────────┐  │  │\n│  │  │      EC2 t4g.medium (ARM64, 4GB)        │  │  │\n│  │  │  ┌───────────────────────────────────┐  │  │  │\n│  │  │  │       OpenClaw Gateway             │  │  │  │\n│  │  │  │  • Node.js 22.14.0                 │  │  │  │\n│  │  │  │  • Any model (Bedrock/Gemini/etc)   │  │  │  │\n│  │  │  │  • Telegram channel                │  │  │  │\n│  │  │  │  • Encrypted EBS (gp3, 20GB)       │  │  │  │\n│  │  │  └───────────────────────────────────┘  │  │  │\n│  │  └─────────────────────────────────────────┘  │  │\n│  └───────────────────────────────────────────────┘  │\n└─────────────────────────────────────────────────────┘\n         ↑                              ↓\n    SSM (no SSH/inbound)      Outbound HTTPS only"
      },
      {
        "title": "Critical Lessons Learned (22 Issues)",
        "body": "These are baked into the deploy script. See references/TROUBLESHOOTING.md for full details."
      },
      {
        "title": "Instance Sizing",
        "body": "t4g.medium (4GB) required — t4g.small (2GB) OOMs during npm install + gateway startup\nARM64 — better price/performance than x86"
      },
      {
        "title": "Node.js",
        "body": "Node 22+ required — OpenClaw 2026.x requires Node ≥22.12.0\nOfficial tarball install — NodeSource setup_22.x unreliable on AL2023 ARM64\ngit required — OpenClaw npm install has git-based dependencies"
      },
      {
        "title": "npm",
        "body": "Use openclaw@latest — bare openclaw may resolve to placeholder package (0.0.1)"
      },
      {
        "title": "Gateway Startup",
        "body": "Use openclaw gateway run --allow-unconfigured — NOT gateway start (which tries systemctl --user and fails)\nConfig file must be openclaw.json — not config.yaml\ngateway.mode: \"local\" — required or you get \"Missing config\" error\ngateway.auth.mode: \"token\" — \"none\" is invalid"
      },
      {
        "title": "Telegram",
        "body": "plugins.entries.telegram.enabled: true — must be explicit\ndmPolicy: \"pairing\" — not \"allowlist\" (blocks everyone without user list)\nstreamMode: \"partial\" — some models don't support streaming tools, use \"off\" as fallback"
      },
      {
        "title": "Model",
        "body": "Gemini 2.0 Flash — recommended (free tier: 15 RPM, 1M tokens/day, supports tools)\nAuth profiles required — create auth-profiles.json in agent dir\nBedrock format — amazon-bedrock/MODEL_ID (not bedrock/)\nBedrock models need console enablement — Anthropic requires use case form"
      },
      {
        "title": "Systemd Service",
        "body": "Simplified service file — removed ProtectHome, ReadWritePaths=/tmp/openclaw, PrivateTmp due to namespace issues\nUse NODE_OPTIONS=\"--max-old-space-size=1024\" — helps prevent OOM"
      },
      {
        "title": "Security",
        "body": "No inbound ports — SSM Session Manager only\nSecrets fetched from SSM at runtime — startup script fetches secrets each time the service starts; config files are ephemeral (rewritten on each start, never stored in repo or static images)\nEncrypted EBS — enabled by default in deploy script\nIMDSv2 required — HttpTokens=required"
      },
      {
        "title": "File Layout",
        "body": "scripts/\n  deploy_minimal.sh        # One-shot deploy (VPC + EC2 + OpenClaw)\n  teardown.sh              # Clean teardown of all resources\n  setup_deployer_role.sh   # Create IAM role/user with minimum permissions\n  preflight.sh             # Pre-deploy validation checks\n  smoke_test.sh            # Post-deploy health verification\n\nreferences/\n  TROUBLESHOOTING.md   # All 22 issues + solutions\n  config-templates/    # Ready-to-use config files\n    gemini-flash.json  # OpenClaw config for Gemini Flash\n    auth-profiles-gemini.json  # Auth profile template\n    openclaw.service.txt  # Systemd unit file template\n    startup.sh         # Startup script template"
      },
      {
        "title": "OpenClaw Config (gemini-flash.json)",
        "body": "See references/config-templates/gemini-flash.json — includes all required fields."
      },
      {
        "title": "Auth Profiles (auth-profiles-gemini.json)",
        "body": "Create at ~/.openclaw/agents/main/agent/auth-profiles.json"
      },
      {
        "title": "Systemd Service (openclaw.service)",
        "body": "Simplified for reliability — security hardening removed due to namespace issues."
      },
      {
        "title": "Cost Breakdown (~$30/mo)",
        "body": "Resource\tCost\nt4g.medium (4GB ARM64)\t~$24.53/mo\nEBS gp3 20GB\t~$1.60/mo\nPublic IP\t~$3.65/mo\nGemini Flash\tFree tier / ~$0.30/1M tokens\nTotal\t~$29.78/mo"
      },
      {
        "title": "\"No API key found for amazon-bedrock\"",
        "body": "Cause: OpenClaw needs models.providers config in openclaw.json with \"auth\": \"aws-sdk\". An auth-profiles.json entry alone is NOT sufficient.\n\nFix: Add to openclaw.json on the instance:\n\nsudo -u openclaw bash\ncd /home/openclaw/.openclaw\njq '.models = {\n  \"providers\": {\"amazon-bedrock\": {\"baseUrl\": \"https://bedrock-runtime.us-east-1.amazonaws.com\", \"api\": \"bedrock-converse-stream\", \"auth\": \"aws-sdk\", \"models\": [{\"id\": \"minimax.minimax-m2.1\", \"name\": \"MiniMax M2.1\", \"input\": [\"text\"], \"contextWindow\": 128000, \"maxTokens\": 4096}]}},\n  \"bedrockDiscovery\": {\"enabled\": true, \"region\": \"us-east-1\"}\n}' openclaw.json > /tmp/oc.json && mv /tmp/oc.json openclaw.json\nchown openclaw:openclaw openclaw.json\nsystemctl restart openclaw"
      },
      {
        "title": "\"API rate limit reached\" (Gemini)",
        "body": "Fix: Switch to Bedrock (default in current version) or redeploy with --model amazon-bedrock/minimax.minimax-m2.1."
      },
      {
        "title": "Bedrock model returns errors",
        "body": "Cause: Model must be enabled in AWS Console → Bedrock → Model access. MiniMax models are auto-authorized; Anthropic/Meta models require use-case approval."
      },
      {
        "title": "Bot doesn't respond after deploy",
        "body": "Fix: Add TELEGRAM_USER_ID to .env.starfish for auto-pairing, or use --pair-user <id>. Manual: openclaw pairing approve telegram <CODE> via SSM."
      },
      {
        "title": "Safety Rules",
        "body": "Never print secrets in logs\nNever open SSH/inbound ports; use SSM Session Manager only\nUse least-privilege IAM policies\nAll resources tagged with Project=<name> and DeployId=<unique-id> for deterministic cleanup\nEncrypted EBS volumes always"
      }
    ]
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/godwinbabu/openclaw-aws-deploy",
    "publisherUrl": "https://clawhub.ai/godwinbabu/openclaw-aws-deploy",
    "owner": "godwinbabu",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/openclaw-aws-deploy",
    "downloadUrl": "https://openagent3.xyz/downloads/openclaw-aws-deploy",
    "agentUrl": "https://openagent3.xyz/skills/openclaw-aws-deploy/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-aws-deploy/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-aws-deploy/agent.md"
  }
}