openclaw-server-secure-skill

by @kime541200 in AI & LLM

# Install this skill:

npx skills add kime541200/openclaw-server-secure-skill

Or install specific skill: npx add-skill https://github.com/kime541200/openclaw-server-secure-skill

# Description

Comprehensive security hardening and installation guide for OpenClaw (formerly Clawdbot/Moltbot). Use this skill when the user wants to secure a server, install the OpenClaw agent, or configure Tailscale/Firewall for the agent.

# SKILL.md

name: openclaw-server-secure-skill
description: Comprehensive security hardening and installation guide for OpenClaw (formerly Clawdbot/Moltbot). Use this skill when the user wants to secure a server, install the OpenClaw agent, or configure Tailscale/Firewall for the agent.

OpenClaw Server Security & Installation

Overview

This skill guides the setup of a secure, self-hosted OpenClaw instance. It covers SSH hardening, Firewall configuration, Tailscale VPN setup, and the OpenClaw installation itself.

Workflow

Phase 1: System Hardening

Lock down SSH
- Goal: Keys only, no passwords, no root login.
- Action: Modify /etc/ssh/sshd_config.
- Commands:
  bash # Backup config sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak # Disable Password Auth sudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config # Disable Root Login sudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config # Reload SSH sudo sshd -t && sudo systemctl reload ssh
Default-deny Firewall
- Goal: Block everything incoming by default.
- Action: Install and enable UFW.
- Commands:
  bash sudo apt update && sudo apt install ufw -y sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw enable
  Note: Ensure you have console access or a fallback before enabling if SSH is not yet allowed on another interface, though we configure Tailscale next.
Brute-force Protection
- Goal: Auto-ban IPs after failed login attempts.
- Action: Install Fail2ban.
- Commands:
  bash sudo apt install fail2ban -y sudo systemctl enable --now fail2ban

Phase 2: Network Privacy (Tailscale)

Install Tailscale
- Goal: Create a private VPN mesh network.
- Commands:
  bash curl -fsSL https://tailscale.com/install.sh | sh sudo tailscale up
- Wait for user to authenticate the Tailscale link.
Configure SSH & Web via Tailscale
- Goal: Allow traffic only from the Tailscale subnet (100.64.0.0/10) and remove public access.
- Commands:
  bash # Allow SSH over Tailscale sudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp # Remove public SSH access (Adjust rule name/number as needed) sudo ufw delete allow OpenSSH || sudo ufw delete allow 22/tcp # Allow Web ports over Tailscale sudo ufw allow from 100.64.0.0/10 to any port 443 proto tcp sudo ufw allow from 100.64.0.0/10 to any port 80 proto tcp
Disable IPv6 (Optional)
- Goal: Reduce attack surface.
- Commands:
  bash sudo sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw if ! grep -q "net.ipv6.conf.all.disable_ipv6 = 1" /etc/sysctl.conf; then echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf fi sudo sysctl -p && sudo ufw reload

Phase 3: OpenClaw Installation

Install OpenClaw
- Commands:
  bash npm install -g openclaw && openclaw doctor
Configure Owner Access
- Required Input: Ask the user for their Telegram ID.
- Action: Update the config to allowlist only that ID.
- JSON Config Target (verify location via openclaw doctor):
  json { "dmPolicy": "allowlist", "allowFrom": ["YOUR_TELEGRAM_ID"], "groupPolicy": "allowlist" }
Secure Credentials
- Goal: Restrict file permissions.
- Commands:
  bash chmod 700 ~/.openclaw/credentials 2>/dev/null || true chmod 600 .env 2>/dev/null || true
Final Audit
- Action: Run the built-in security audit.
- Command:
  bash openclaw security audit --deep

Verification Status

Run to confirm:

sudo ufw status verbose
ss -tulnp
tailscale status
openclaw doctor

# README.md

OpenClaw Server Secure Skill

Language: English | 繁體中文

Acknowledgments

This Skill's security workflow and configuration patterns are explicitly based on the guide provided by @BitsagaRob on X (formerly Twitter).
- Source: https://x.com/BitsagaRob/status/2015757134760202469?s=20

This is an Agent-dedicated Skill designed to provide a comprehensive security hardening and installation guide for OpenClaw (formerly Clawdbot/Moltbot).

Features

System Hardening: Automates SSH lockdown (keys only, no root), UFW firewall setup (default deny), and Fail2ban installation.
Network Privacy: Guides the installation and configuration of Tailscale to ensure the server is only accessible via a private VPN mesh network.
Secure Installation: Automates the OpenClaw agent installation and configures ownership policies.
Security Audit: Includes steps to run OpenClaw's built-in security audit tool.

Installation

You can install this Skill in the following ways:

Using npx

npx skill add kime541200/openclaw-server-secure-skill

Manual Installation

Clone this repository to your Skill directory:

cd ~/.gemini/skills  # or your skill storage path
git clone https://github.com/kime541200/openclaw-server-secure-skill.git

Usage

In Agent conversations, you can trigger this skill with requests such as:

"Help me set up a secure OpenClaw server"
"Harden my server security for the OpenClaw agent"
"Install OpenClaw and configure Tailscale"

System Requirements

Linux (Ubuntu/Debian recommended)
Requires sudo privileges for system configuration

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents:

⚡ Amp 🚀 Antigravity 🤖 Claude Code 🦀 Clawdbot 📝 Codex ▶️ Cursor 🤖 Droid 💎 Gemini CLI 🐙 GitHub Copilot 🪿 Goose 📊 Kilo Code 🔧 Kiro CLI 💻 OpenCode 🦘 Roo Code 🌲 Trae 🏄 Windsurf

Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.