{
  "schemaVersion": "1.0",
  "item": {
    "slug": "openclaw-cloudflare-secure",
    "name": "OpenClaw Cloudflare Secure",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/jskoiz/openclaw-cloudflare-secure",
    "canonicalUrl": "https://clawhub.ai/jskoiz/openclaw-cloudflare-secure",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/openclaw-cloudflare-secure",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-cloudflare-secure",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "scripts/tunnel_service_install.sh",
      "scripts/dns_create_record.sh",
      "scripts/cf_dns.py",
      "scripts/dns_point_hostname_to_tunnel.sh",
      "scripts/install_cloudflared.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
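      "Extract the archive and review SKILL.md and the bundled scripts/ files first; the documented steps run one of them with sudo and the DNS helpers use your Cloudflare API token.",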
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
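          "body": "I downloaded a skill package from Yavira. Read SKILL.md and the bundled scripts from the extracted folder, summarize what each script does, and show me any command that needs sudo or a credential before you run it. Then install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."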
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it and the bundled scripts with my current installation, and show me any command that needs sudo or a credential before you run it. Then upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
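      "detail": "Yavira can redirect you to the upstream package for this source. The recorded probe (finalUrl and contentDisposition) names 4claw-imageboard-1.0.1.zip rather than openclaw-cloudflare-secure, so confirm the downloaded archive's filename and contents match this skill before extracting it.",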
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/openclaw-cloudflare-secure"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets (SKILL.md and the five scripts listed under includedAssets) and no unexpected executables."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/openclaw-cloudflare-secure",
    "agentPageUrl": "https://openagent3.xyz/skills/openclaw-cloudflare-secure/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-cloudflare-secure/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-cloudflare-secure/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
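        "body": "I downloaded a skill package from Yavira. Read SKILL.md and the bundled scripts from the extracted folder, summarize what each script does, and show me any command that needs sudo or a credential before you run it. Then install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."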
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it and the bundled scripts with my current installation, and show me any command that needs sudo or a credential before you run it. Then upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "OpenClaw WebUI: Cloudflare Access + Tunnel (VPS)",
        "body": "Use this when you want an easy public URL (e.g. openclaw.example.com) that is NOT directly exposed, is protected by a Cloudflare Access allowlist, and is delivered via Cloudflare Tunnel to a local service (commonly http://127.0.0.1:18789)."
      },
      {
        "title": "Assumptions",
        "body": "OpenClaw WebUI is reachable locally on the VPS at http://127.0.0.1:18789 (or your chosen local port).\nYou control DNS for the zone in Cloudflare (e.g. example.com).\nYou have a Cloudflare API token available to the agent/VPS as CLOUDFLARE_API_TOKEN.\n\nRecommended token perms (least privilege): Zone:DNS:Edit + Zone:Zone:Read for the target zone.\nThis is the key reason this setup is “agent-friendly”: the agent can securely create subdomains / manage DNS records without giving it full Cloudflare account access.\nNote that DNS:Edit still lets the token holder change or delete any record in that zone, so restrict the token to the one zone and revoke it if it is no longer needed.\n\n\nYou can access the Cloudflare Zero Trust UI to create:\n\nan Access Application for the hostname\nan Allow policy for specific emails\na Block policy for Everyone\na Tunnel and its token"
      },
      {
        "title": "0) Optional: disable Tailscale Serve",
        "body": "If you used Tailscale Serve earlier and want to remove it:\n\nsudo tailscale serve reset"
      },
      {
        "title": "1) Install and start cloudflared tunnel service (token-based)",
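        "body": "In Cloudflare Zero Trust:\n\nNetworks → Connectors → Tunnels → Create tunnel → Cloudflared\nCopy the token from the command cloudflared service install <TOKEN>\n\nOn the VPS:\n\n./scripts/install_cloudflared.sh\nsudo ./scripts/tunnel_service_install.sh '<TOKEN>'\n\nThe tunnel token is a credential: anyone holding it can run a connector for this tunnel. Passing it as an argument can leave it in shell history, so keep it out of shared logs and agent transcripts.\n\nVerify:\n\nsudo systemctl is-active cloudflared\nsudo systemctl status cloudflared --no-pager -l | sed -n '1,80p'"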
      },
      {
        "title": "2) DNS cutover: point hostname to the tunnel",
        "body": "This uses the bundled DNS helper (./scripts/cf_dns.py). It will:\n\nfind and delete any existing A/AAAA/CNAME for that hostname\ncreate a proxied CNAME to <TUNNEL_UUID>.cfargotunnel.com\n\nPrereq:\n\nexport CLOUDFLARE_API_TOKEN='...'"
      },
      {
        "title": "2b) (Optional) Create/update a subdomain / DNS record (agent-friendly)",
        "body": "Use this when you want the agent (with least-privilege DNS token) to create records programmatically:\n\n./scripts/dns_create_record.sh --zone example.com --type A --name openclaw --content 1.2.3.4 --proxied true\n./scripts/dns_create_record.sh --zone example.com --type CNAME --name openclaw --content target.example.net --proxied true\n\n./scripts/dns_point_hostname_to_tunnel.sh \\\n  --zone example.com \\\n  --hostname openclaw.example.com \\\n  --tunnel-uuid <TUNNEL_UUID>"
      },
      {
        "title": "3) In Cloudflare Zero Trust UI: bind hostname → service",
        "body": "In the tunnel:\n\nAdd Public Hostname:\n\nHostname: openclaw.example.com\nService: http://127.0.0.1:18789"
      },
      {
        "title": "4) Cloudflare Access policy",
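        "body": "In Zero Trust:\n\nAccess → Applications → Add → Self-hosted\n\nPublic hostname: openclaw.example.com\n\n\nPolicies:\n\nAllow: include specific emails (your allowlist)\nBlock: include Everyone\n\nList the Allow policy above the Block policy, since Allow and Block policies are evaluated in order. Afterwards, confirm from a browser session that is not on the allowlist that the hostname shows the Access login page rather than the WebUI."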
      },
      {
        "title": "Notes / gotchas",
        "body": "If the Tunnel “route traffic” wizard errors with “record already exists”, it’s just a DNS collision. Either:\n\ndelete the existing DNS record and let the wizard recreate it, OR\nkeep DNS as-is and set the Public Hostname mapping inside the Tunnel.\n\n\nKeep the hostname proxied (orange cloud). Access and Tunnel both require the record to be proxied."
      },
      {
        "title": "Rollback",
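        "body": "DNS: point the hostname back to an origin A record (or remove the record). With an A record, requests reach the VPS on its public interface instead of through the tunnel, so check what is listening there before switching.\nVPS: sudo systemctl disable --now cloudflared."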
      }
    ],
    "body": "OpenClaw WebUI: Cloudflare Access + Tunnel (VPS)\n\nUse this when you want an easy public URL (e.g. openclaw.example.com) that is NOT directly exposed, protected by Cloudflare Access allowlist, and delivered via Cloudflare Tunnel to a local service (commonly http://127.0.0.1:18789).\n\nAssumptions\nOpenClaw WebUI is reachable locally on the VPS at http://127.0.0.1:18789 (or your chosen local port).\nYou control DNS for the zone in Cloudflare (e.g. example.com).\nYou have a Cloudflare API token available to the agent/VPS as CLOUDFLARE_API_TOKEN.\nRecommended token perms (least privilege): Zone:DNS:Edit + Zone:Zone:Read for the target zone.\nThis is the key reason this setup is “agent-friendly”: the agent can securely create subdomains / manage DNS records without giving it full Cloudflare account access.\nYou can access Cloudflare Zero Trust UI to create:\nan Access Application for the hostname\nan Allow policy for specific emails\na Block policy for Everyone\na Tunnel and its token\nQuick start (copy/paste)\n0) Optional: disable Tailscale Serve\n\nIf you used Tailscale Serve earlier and want to remove it:\n\nsudo tailscale serve reset\n\n1) Install and start cloudflared tunnel service (token-based)\n\nIn Cloudflare Zero Trust:\n\nNetworks → Connectors → Tunnels → Create tunnel → Cloudflared\nCopy the token from the command cloudflared service install <TOKEN>\n\nOn the VPS:\n\n./scripts/install_cloudflared.sh\nsudo ./scripts/tunnel_service_install.sh '<TOKEN>'\n\n\nVerify:\n\nsudo systemctl is-active cloudflared\nsudo systemctl status cloudflared --no-pager -l | sed -n '1,80p'\n\n2) DNS cutover: point hostname to the tunnel\n\nThis uses the bundled DNS helper (./scripts/cf_dns.py). 
It will:\n\nfind and delete any existing A/AAAA/CNAME for that hostname\ncreate a proxied CNAME to <TUNNEL_UUID>.cfargotunnel.com\n\nPrereq:\n\nexport CLOUDFLARE_API_TOKEN='...'\n\n2b) (Optional) Create/update a subdomain / DNS record (agent-friendly)\n\nUse this when you want the agent (with least-privilege DNS token) to create records programmatically:\n\n./scripts/dns_create_record.sh --zone example.com --type A --name openclaw --content 1.2.3.4 --proxied true\n./scripts/dns_create_record.sh --zone example.com --type CNAME --name openclaw --content target.example.net --proxied true\n\n./scripts/dns_point_hostname_to_tunnel.sh \\\n  --zone example.com \\\n  --hostname openclaw.example.com \\\n  --tunnel-uuid <TUNNEL_UUID>\n\n3) In Cloudflare Zero Trust UI: bind hostname → service\n\nIn the tunnel:\n\nAdd Public Hostname:\nHostname: openclaw.example.com\nService: http://127.0.0.1:18789\n4) Cloudflare Access policy\n\nIn Zero Trust:\n\nAccess → Applications → Add → Self-hosted\nPublic hostname: openclaw.example.com\nPolicies:\nAllow: include specific emails (your allowlist)\nBlock: include Everyone\nNotes / gotchas\nIf the Tunnel “route traffic” wizard errors with “record already exists”, it’s just DNS collision. Either:\ndelete the existing DNS record and let the wizard recreate it, OR\nkeep DNS as-is and set the Public Hostname mapping inside the Tunnel.\nKeep the hostname proxied (orange cloud). Access/Tunnel require proxy.\nRollback\nDNS: point the hostname back to an origin A record (or remove the record).\nVPS: sudo systemctl disable --now cloudflared."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/jskoiz/openclaw-cloudflare-secure",
    "publisherUrl": "https://clawhub.ai/jskoiz/openclaw-cloudflare-secure",
    "owner": "jskoiz",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/openclaw-cloudflare-secure",
    "downloadUrl": "https://openagent3.xyz/downloads/openclaw-cloudflare-secure",
    "agentUrl": "https://openagent3.xyz/skills/openclaw-cloudflare-secure/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-cloudflare-secure/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-cloudflare-secure/agent.md"
  }
}