# Send openclaw-server-secure-skill to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "openclaw-server-secure-skill",
    "name": "openclaw-server-secure-skill",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/kime541200/openclaw-server-secure-skill",
    "canonicalUrl": "https://clawhub.ai/kime541200/openclaw-server-secure-skill",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/openclaw-server-secure-skill",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-server-secure-skill",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "openclaw-server-secure-skill",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-29T20:05:48.131Z",
      "expiresAt": "2026-05-06T20:05:48.131Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-server-secure-skill",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-server-secure-skill",
        "contentDisposition": "attachment; filename=\"openclaw-server-secure-skill-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "openclaw-server-secure-skill"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/openclaw-server-secure-skill"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill",
    "downloadUrl": "https://openagent3.xyz/downloads/openclaw-server-secure-skill",
    "agentUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-server-secure-skill/agent.md"
  }
}
```
## Documentation

### Overview

This skill guides the setup of a secure, self-hosted OpenClaw instance. It covers SSH hardening, firewall configuration, Tailscale VPN setup, and the OpenClaw installation itself.

### Phase 1: System Hardening

#### Lock down SSH

- Goal: Keys only, no passwords, no root login.
- Action: Modify `/etc/ssh/sshd_config`.
- Commands:

```bash
# Back up config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Disable password auth
sudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Disable root login
sudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Validate the config, then reload SSH
sudo sshd -t && sudo systemctl reload ssh
```

#### Default-deny Firewall

- Goal: Block everything incoming by default.
- Action: Install and enable UFW.
- Commands:

```bash
sudo apt update && sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
```

Note: If SSH is not yet allowed on another interface, make sure you have console access or another fallback before enabling UFW. Tailscale access is configured next.

#### Brute-force Protection

- Goal: Auto-ban IPs after failed login attempts.
- Action: Install Fail2ban.
- Commands:

```bash
sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban
```

### Phase 2: Network Privacy (Tailscale)

#### Install Tailscale

- Goal: Create a private VPN mesh network.
- Commands:

```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```

Wait for the user to authenticate the Tailscale link.

#### Configure SSH & Web via Tailscale

- Goal: Allow traffic only from the Tailscale subnet (100.64.0.0/10) and remove public access.
- Commands:

```bash
# Allow SSH over Tailscale
sudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp
# Remove public SSH access (adjust rule name/number as needed)
sudo ufw delete allow OpenSSH || sudo ufw delete allow 22/tcp
# Allow web ports over Tailscale
sudo ufw allow from 100.64.0.0/10 to any port 443 proto tcp
sudo ufw allow from 100.64.0.0/10 to any port 80 proto tcp
```

#### Disable IPv6 (Optional)

- Goal: Reduce attack surface.
- Commands:

```bash
sudo sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw
if ! grep -q "net.ipv6.conf.all.disable_ipv6 = 1" /etc/sysctl.conf; then
  echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
fi
sudo sysctl -p && sudo ufw reload
```

### Phase 3: OpenClaw Installation

#### Install OpenClaw

- Commands:

```bash
npm install -g openclaw && openclaw doctor
```

#### Configure Owner Access

- Required Input: Ask the user for their Telegram ID.
- Action: Update the config to allowlist only that ID.
- JSON Config Target (verify location via `openclaw doctor`):

```json
{
  "dmPolicy": "allowlist",
  "allowFrom": ["YOUR_TELEGRAM_ID"],
  "groupPolicy": "allowlist"
}
```

#### Secure Credentials

- Goal: Restrict file permissions.
- Commands:

```bash
chmod 700 ~/.openclaw/credentials 2>/dev/null || true
chmod 600 .env 2>/dev/null || true
```

#### Final Audit

- Action: Run the built-in security audit.
- Command:

```bash
openclaw security audit --deep
```

### Verification Status

Run to confirm:

```bash
sudo ufw status verbose
ss -tulnp
tailscale status
openclaw doctor
```
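An added example (not part of the skill package or of OpenClaw): two shell helpers that turn the SSH and UFW verification output into pass/fail checks. They catch two ways the procedure can silently fall short: a drop-in under `/etc/ssh/sshd_config.d/` overriding the `sed` edits, and a public SSH rule surviving the `ufw delete` step. The function names and sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill package. Each helper reads command
# output on stdin, so the logic can be exercised without touching a server.

# Input: `sshd -T` output (effective config, drop-in files included).
# Succeeds only when both Phase 1 settings are actually in effect.
sshd_hardened() {
  awk 'tolower($1) == "passwordauthentication" { pw = tolower($2) }
       tolower($1) == "permitrootlogin"        { root = tolower($2) }
       END { exit !(pw == "no" && root == "no") }'
}

# Input: `ufw status` or `ufw status verbose` output.
# Prints each incoming ALLOW rule whose source is outside 100.64.0.0/10.
ufw_public_allows() {
  awk 'function in_tailnet(src,   p, o, mask) {
         split(src, p, "/"); split(p[1], o, ".")
         mask = (p[2] == "") ? 32 : p[2] + 0
         return o[1] == 100 && o[2] >= 64 && o[2] <= 127 && mask >= 10
       }
       { for (i = 1; i < NF; i++) if ($i == "ALLOW" && $(i + 1) != "OUT") {
           src = ($(i + 1) == "IN") ? $(i + 2) : $(i + 1)
           if (!in_tailnet(src)) print
         } }'
}

# Constructed sample: sshd_config was edited, but a drop-in re-enabled passwords.
SSHD_OVERRIDDEN='passwordauthentication yes
permitrootlogin no'
SSHD_OK='passwordauthentication no
permitrootlogin no'

# Constructed sample: the public OpenSSH rule was never deleted.
UFW_LEFTOVER='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       100.64.0.0/10
443/tcp                    ALLOW       100.64.0.0/10
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)'

# On a live host: sudo sshd -T | sshd_hardened && echo "ssh: hardened"
#                 sudo ufw status | ufw_public_allows
printf '%s\n' "$SSHD_OVERRIDDEN" | sshd_hardened || echo "ssh: NOT hardened"
printf '%s\n' "$UFW_LEFTOVER" | ufw_public_allows
```

Any line printed by `ufw_public_allows` is a rule still reachable from outside the tailnet; an empty result is the expected state after Phase 2.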
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: kime541200
- Version: 1.0.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-04-29T20:05:48.131Z
- Expires at: 2026-05-06T20:05:48.131Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/openclaw-server-secure-skill)
- [Send to Agent page](https://openagent3.xyz/skills/openclaw-server-secure-skill/agent)
- [JSON manifest](https://openagent3.xyz/skills/openclaw-server-secure-skill/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/openclaw-server-secure-skill/agent.md)
- [Download page](https://openagent3.xyz/downloads/openclaw-server-secure-skill)