New Research: Supply Chain Attack on Axios Pulls Malicious Dependency from npm.Details
Socket
Book a DemoSign in
Socket
Book a DemoSign in

@vercel/vclaw

Package Overview
Dependencies
Maintainers
385
Versions
1
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@vercel/vclaw

CLI to set up and deploy vercel-openclaw with one command

latest
Source
npmnpm
Version
0.1.0
Version published
Maintainers
385
Created
Source

OpenClaw logo

vclaw

Deploy vercel-openclaw from the command line.

vclaw is a workflow wrapper around the installed Vercel CLI. It automates the same high-level setup path as the OpenClaw deploy button:

  • clone vercel-labs/vercel-openclaw
  • link a Vercel project
  • provision Upstash Redis
  • configure managed environment variables
  • optionally enable deployment protection plus automation bypass
  • deploy
  • run launch verification

Install

Run without installing:

npx @vercel/vclaw init --scope my-team

Or install globally:

npm i -g @vercel/vclaw
vclaw init --scope my-team

Prerequisites

  • Node.js >=20
  • git
  • the Vercel CLI installed: npm i -g vercel
  • Vercel auth via vercel login or VERCEL_TOKEN

You can check your environment first:

vclaw doctor

Quick Start

Deploy OpenClaw into a Vercel team:

npx @vercel/vclaw init --scope my-team

This will:

  • check local prerequisites
  • clone vercel-labs/vercel-openclaw
  • link a Vercel project
  • provision Upstash via the Vercel Marketplace
  • generate an ADMIN_SECRET
  • push managed env vars
  • deploy to production
  • run launch verification

Common Flows

Basic deploy:

vclaw init --scope my-team

Choose a project name and target directory:

vclaw init --scope my-team --name my-openclaw --dir ~/dev/my-openclaw

Use your own admin secret:

vclaw init --scope my-team --admin-secret "$(openssl rand -hex 32)"

Set a dedicated cron secret:

vclaw init --scope my-team --cron-secret "$(openssl rand -hex 32)"

Enable deployment protection and configure webhook bypass automatically:

vclaw init --scope my-team --deployment-protection sso

Or password protection:

vclaw init --scope my-team --deployment-protection password

Prepare everything but stop before deploy:

vclaw init --scope my-team --skip-deploy

Commands

vclaw init

Full setup from zero to deployed.

--name <name>                      Vercel project name (default: openclaw)
--scope <scope>                    Vercel team scope
--team <slug>                      Deprecated alias for --scope
--dir <path>                       Clone destination (default: ./vercel-openclaw)
--admin-secret <hex>               Use a specific admin secret
--cron-secret <hex>                Optional dedicated cron secret
--deployment-protection <mode>     Optional protection mode: none | sso | password
--protection-bypass-secret <s>     Optional automation bypass secret
--skip-deploy                      Stop after provisioning
--yes                              Skip confirmation prompts where possible

Notes:

  • --yes does not bypass first-time marketplace terms acceptance if the integration requires a browser step.
  • --deployment-protection also injects VERCEL_AUTOMATION_BYPASS_SECRET so protected incoming webhooks can still reach OpenClaw.
  • if you do not pass --admin-secret, vclaw generates one for you.

vclaw verify

Run launch verification against an existing deployment.

--url <url>                        Deployment URL
--admin-secret <secret>            Admin secret for auth
--destructive                      Run destructive verification phases
--protection-bypass <secret>       Deployment protection bypass secret

Example:

vclaw verify \
  --url https://my-openclaw.vercel.app \
  --admin-secret "$ADMIN_SECRET"

Protected deployment:

vclaw verify \
  --url https://my-openclaw.vercel.app \
  --admin-secret "$ADMIN_SECRET" \
  --protection-bypass "$VERCEL_AUTOMATION_BYPASS_SECRET"

vclaw doctor

Check local prerequisites and current Vercel authentication status.

Managed Environment Variables

vclaw manages these variables directly:

  • ADMIN_SECRET
  • CRON_SECRET when you provide --cron-secret
  • VERCEL_AUTOMATION_BYPASS_SECRET when deployment protection or an explicit bypass secret is configured

It relies on the Vercel Marketplace integration to supply:

  • UPSTASH_REDIS_REST_URL
  • UPSTASH_REDIS_REST_TOKEN

Behavior Notes

  • vclaw assumes you already have the Vercel CLI installed.
  • vclaw does not replace vercel; it orchestrates it.
  • deploys are production deploys
  • verification calls OpenClaw’s admin preflight and launch-verify endpoints
  • if deployment protection is enabled, verify requests include the x-vercel-protection-bypass header when available

Development

Run tests:

npm test

Preview the npm payload:

npm pack --dry-run

Repository

  • GitHub: vercel-labs/vclaw
  • Source project deployed by this CLI: vercel-labs/vercel-openclaw

License

MIT

Keywords

vercel
openclaw
cli
sandbox

FAQs

Package last updated on 14 Apr 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code

Security News

Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code

Socket CEO Feross Aboukhadijeh joins 10 Minutes or Less, a podcast by Ali Rohde, to discuss the recent surge in open source supply chain attacks.

By Sarah Gooding  -  Apr 14, 2026