{
  "schemaVersion": "1.0",
  "item": {
    "slug": "openclaw-server-secure-skill",
    "name": "openclaw-server-secure-skill",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/kime541200/openclaw-server-secure-skill",
    "canonicalUrl": "https://clawhub.ai/kime541200/openclaw-server-secure-skill",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/openclaw-server-secure-skill",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-server-secure-skill",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
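      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of working out the install by hand. Review SKILL.md yourself first: its commands run with sudo and change SSH and firewall settings.",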
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
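      "detail": "Yavira can redirect you to the upstream package for this source. The recorded probe URL and filename refer to 4claw-imageboard rather than openclaw-server-secure-skill, so confirm the downloaded archive is the expected package before extracting it.",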
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/openclaw-server-secure-skill"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/openclaw-server-secure-skill",
    "agentPageUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent.md"
  },
  "agentAssist": {
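    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of working out the install by hand. Review SKILL.md yourself first: its commands run with sudo and change SSH and firewall settings.",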
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Overview",
        "body": "This skill guides the setup of a secure, self-hosted OpenClaw instance. It covers SSH hardening, Firewall configuration, Tailscale VPN setup, and the OpenClaw installation itself."
      },
      {
        "title": "Phase 1: System Hardening",
        "body": "Lock down SSH\n\nGoal: Keys only, no passwords, no root login.\nAction: Modify /etc/ssh/sshd_config.\nCommands:\n# Backup config\nsudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak\n# Disable Password Auth\nsudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config\n# Disable Root Login\nsudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config\n# Reload SSH\nsudo sshd -t && sudo systemctl reload ssh\n\nNote: Confirm that key-based login works for a non-root user with sudo before reloading SSH, because these edits turn off password and root logins. The sed commands change only lines already present in /etc/ssh/sshd_config; check the effective values with sudo sshd -T, since a file included from /etc/ssh/sshd_config.d/ can set them as well.\n\n\n\nDefault-deny Firewall\n\nGoal: Block everything incoming by default.\nAction: Install and enable UFW.\nCommands:\nsudo apt update && sudo apt install ufw -y\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw enable\n\nNote: Enabling UFW with default-deny incoming before an SSH allow rule exists blocks new SSH connections. Make sure you have console access or another fallback before running ufw enable; the SSH rule for Tailscale is added in Phase 2.\n\n\n\nBrute-force Protection\n\nGoal: Auto-ban IPs after failed login attempts.\nAction: Install Fail2ban.\nCommands:\nsudo apt install fail2ban -y\nsudo systemctl enable --now fail2ban"
      },
      {
        "title": "Phase 2: Network Privacy (Tailscale)",
        "body": "Install Tailscale\n\nGoal: Create a private VPN mesh network.\nCommands:\ncurl -fsSL https://tailscale.com/install.sh | sh\nsudo tailscale up\n\n\nWait for the user to authenticate through the Tailscale login link. The install command pipes a remote script straight into a shell; download and read install.sh first if it has to be reviewed before it runs.\n\n\n\nConfigure SSH & Web via Tailscale\n\nGoal: Allow traffic only from the Tailscale subnet (100.64.0.0/10) and remove public access.\nCommands:\n# Allow SSH over Tailscale\nsudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp\n# Remove public SSH access (Adjust rule name/number as needed)\nsudo ufw delete allow OpenSSH || sudo ufw delete allow 22/tcp\n# Allow Web ports over Tailscale\nsudo ufw allow from 100.64.0.0/10 to any port 443 proto tcp\nsudo ufw allow from 100.64.0.0/10 to any port 80 proto tcp\n\nNote: Before removing public SSH access, open a new SSH session over the Tailscale address to confirm it works, and check the resulting rules with sudo ufw status verbose. 100.64.0.0/10 is the shared carrier-grade NAT range that Tailscale assigns addresses from, so these rules also match non-Tailscale peers in that range if the host's provider uses it.\n\n\n\nDisable IPv6 (Optional)\n\nGoal: Reduce attack surface.\nCommands:\nsudo sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw\nif ! grep -q \"net.ipv6.conf.all.disable_ipv6 = 1\" /etc/sysctl.conf; then\n  echo \"net.ipv6.conf.all.disable_ipv6 = 1\" | sudo tee -a /etc/sysctl.conf\nfi\nsudo sysctl -p && sudo ufw reload"
      },
      {
        "title": "Phase 3: OpenClaw Installation",
        "body": "Install OpenClaw\n\nCommands:\nnpm install -g openclaw && openclaw doctor\n\n\n\n\n\nConfigure Owner Access\n\nRequired Input: Ask the user for their Telegram ID.\nAction: Update the config to allowlist only that ID, replacing YOUR_TELEGRAM_ID with the value the user gave.\nJSON Config Target (verify location via openclaw doctor):\n{ \n  \"dmPolicy\": \"allowlist\", \n  \"allowFrom\": [\"YOUR_TELEGRAM_ID\"], \n  \"groupPolicy\": \"allowlist\" \n}\n\n\n\n\n\nSecure Credentials\n\nGoal: Restrict file permissions on the credentials directory and the .env file to the owning user.\nCommands:\nchmod 700 ~/.openclaw/credentials 2>/dev/null || true\nchmod 600 .env 2>/dev/null || true\n\nNote: Both commands discard errors and always succeed, and .env is resolved relative to the current directory, so confirm the resulting modes with ls -ld ~/.openclaw/credentials .env.\n\n\n\nFinal Audit\n\nAction: Run the built-in security audit.\nCommand:\nopenclaw security audit --deep"
      },
      {
        "title": "Verification Status",
        "body": "Run to confirm:\n\nsudo ufw status verbose\nss -tulnp\ntailscale status\nopenclaw doctor"
      }
    ],
    "body": "OpenClaw Server Security & Installation\nOverview\n\nThis skill guides the setup of a secure, self-hosted OpenClaw instance. It covers SSH hardening, Firewall configuration, Tailscale VPN setup, and the OpenClaw installation itself.\n\nWorkflow\nPhase 1: System Hardening\n\nLock down SSH\n\nGoal: Keys only, no passwords, no root login.\nAction: Modify /etc/ssh/sshd_config.\nCommands:\n# Backup config\nsudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak\n# Disable Password Auth\nsudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config\n# Disable Root Login\nsudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config\n# Reload SSH\nsudo sshd -t && sudo systemctl reload ssh\n\n\nDefault-deny Firewall\n\nGoal: Block everything incoming by default.\nAction: Install and enable UFW.\nCommands:\nsudo apt update && sudo apt install ufw -y\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw enable\n\nNote: Ensure you have console access or a fallback before enabling if SSH is not yet allowed on another interface, though we configure Tailscale next.\n\nBrute-force Protection\n\nGoal: Auto-ban IPs after failed login attempts.\nAction: Install Fail2ban.\nCommands:\nsudo apt install fail2ban -y\nsudo systemctl enable --now fail2ban\n\nPhase 2: Network Privacy (Tailscale)\n\nInstall Tailscale\n\nGoal: Create a private VPN mesh network.\nCommands:\ncurl -fsSL https://tailscale.com/install.sh | sh\nsudo tailscale up\n\nWait for user to authenticate the Tailscale link.\n\nConfigure SSH & Web via Tailscale\n\nGoal: Allow traffic only from the Tailscale subnet (100.64.0.0/10) and remove public access.\nCommands:\n# Allow SSH over Tailscale\nsudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp\n# Remove public SSH access (Adjust rule name/number as needed)\nsudo ufw delete allow OpenSSH || sudo ufw delete allow 22/tcp\n# Allow Web ports over Tailscale\nsudo ufw allow from 100.64.0.0/10 to 
any port 443 proto tcp\nsudo ufw allow from 100.64.0.0/10 to any port 80 proto tcp\n\n\nDisable IPv6 (Optional)\n\nGoal: Reduce attack surface.\nCommands:\nsudo sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw\nif ! grep -q \"net.ipv6.conf.all.disable_ipv6 = 1\" /etc/sysctl.conf; then\n  echo \"net.ipv6.conf.all.disable_ipv6 = 1\" | sudo tee -a /etc/sysctl.conf\nfi\nsudo sysctl -p && sudo ufw reload\n\nPhase 3: OpenClaw Installation\n\nInstall OpenClaw\n\nCommands:\nnpm install -g openclaw && openclaw doctor\n\n\nConfigure Owner Access\n\nRequired Input: Ask the user for their Telegram ID.\nAction: Update the config to allowlist only that ID.\nJSON Config Target (verify location via openclaw doctor):\n{ \n  \"dmPolicy\": \"allowlist\", \n  \"allowFrom\": [\"YOUR_TELEGRAM_ID\"], \n  \"groupPolicy\": \"allowlist\" \n}\n\n\nSecure Credentials\n\nGoal: Restrict file permissions.\nCommands:\nchmod 700 ~/.openclaw/credentials 2>/dev/null || true\nchmod 600 .env 2>/dev/null || true\n\n\nFinal Audit\n\nAction: Run the built-in security audit.\nCommand:\nopenclaw security audit --deep\n\nVerification Status\n\nRun to confirm:\n\nsudo ufw status verbose\nss -tulnp\ntailscale status\nopenclaw doctor"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/kime541200/openclaw-server-secure-skill",
    "publisherUrl": "https://clawhub.ai/kime541200/openclaw-server-secure-skill",
    "owner": "kime541200",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill",
    "downloadUrl": "https://openagent3.xyz/downloads/openclaw-server-secure-skill",
    "agentUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent.md"
  }
}