Security Network Hardening

Audit and harden an OpenClaw host and its network exposure. Use for security checks, hardening, firewall setup, network exposure review, metrics endpoint res...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (OpenClaw host/network hardening) align with the included SKILL.md, references, and scripts. The only mismatch is that the manifest lists no required binaries, yet the instructions and scripts expect commands like openclaw, ufw, ss, sudo, python3, and possibly firewall-cmd/nft; this is a declaration omission but not evidence of malicious intent.
Instruction Scope
SKILL.md stays on-topic: it instructs read-only audits first, explicit confirmation before changes, firewall playbooks, and verification steps. It references and reads OpenClaw config (~/.openclaw/openclaw.json) which is appropriate for this purpose. It does not instruct phone-home, exfiltration, or scanning unrelated user data.
Install Mechanism
No install spec (instruction-only) and included scripts are small and straightforward. No downloads or archive extraction are present.
Credentials
The skill requests no environment variables or external credentials. It does operate on local config (OpenClaw JSON) and requires root privileges to apply firewall changes; that is proportional to a firewall-hardening task.
Persistence & Privilege
always is false, the skill does not request persistent or privileged platform-level presence, and it does not modify other skills' configs. Scripts modify system firewall files only when the user runs them with sudo.
Assessment
This skill appears coherent and focused on hardening OpenClaw hosts. Before using it:

  1. Run the suggested read-only audit commands first and review results.
  2. Ensure the host has the tools the skill assumes (openclaw, ufw or nftables, ss, python3, sudo) since the manifest doesn't declare them.
  3. Back up current firewall rules and configs (the provided rollback script expects backups in /etc/ufw/*.TIMESTAMP).
  4. When applying changes, confirm the exact SSH/RDP management path to avoid locking yourself out.
  5. Inspect the small scripts yourself (they are included) and test verification/rollback on a safe host or snapshot before applying to production.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

Security + Network Hardening

Audit first, then harden with explicit approval. Keep this file short; read the references when needed.

Core rules

  • Start read-only unless the user explicitly asks for fixes.
  • Require confirmation before any state-changing action.
  • Preserve current management access; do not break SSH/RDP/VNC.
  • Prefer exact findings over generic advice.
  • After workspace edits, commit them.

Read-only baseline

Run:

uname -a
cat /etc/os-release
id
ss -ltnup 2>/dev/null || ss -ltnp 2>/dev/null
openclaw security audit --deep
openclaw update status
openclaw status --deep

If firewall state matters, also run:

ufw status verbose || true
firewall-cmd --state 2>/dev/null || true
nft list ruleset 2>/dev/null || true

Priorities

Check for these first:

  1. elevated wildcard access in tools.elevated.allowFrom.*
  2. writable credentials directories
  3. missing gateway auth rate limiting
  4. broad or unclear listening ports
  5. metrics endpoints exposed too widely
  6. ineffective custom gateway.nodes.denyCommands
  7. workspace skill symlink escapes
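
One way to triage item 4 from the `ss` output collected in the read-only baseline. This is an added example, not one of the skill's own scripts; the function names are hypothetical and the sample listener table is constructed.

```shell
#!/bin/sh
# Added example (not from the skill): classify `ss -ltn` / `ss -ltnup` listeners
# by bind scope. Function names are hypothetical; the sample table is constructed.

# Reads ss output on stdin, prints "SCOPE PORT ADDRESS" for each listener.
classify_listeners() {
    awk '{
        # ss -ltnup prepends a Netid column, ss -ltn does not: find the state field.
        s = 0
        for (i = 1; i <= NF; i++)
            if ($i == "LISTEN" || $i == "UNCONN") { s = i; break }
        if (s == 0 || s + 3 > NF) next        # header or unrelated line
        laddr = $(s + 3)
        # The port follows the last colon; IPv6 addresses contain colons themselves.
        n = match(laddr, /:[0-9]+$/)
        if (n == 0) next
        addr = substr(laddr, 1, n - 1)
        port = substr(laddr, n + 1)
        host = addr
        sub(/%.*$/, "", host)                 # interface scope, e.g. 127.0.0.53%lo
        gsub(/\[/, "", host); gsub(/\]/, "", host)   # IPv6 brackets
        if (host == "*" || host == "0.0.0.0" || host == "::") scope = "ALL"
        else if (host ~ /^127\./ || host == "::1") scope = "LOOPBACK"
        else scope = "SPECIFIC"
        print scope, port, addr
    }'
}

# Ports bound on every interface; only the firewall limits who can reach these.
wildcard_ports() {
    classify_listeners | awk '$1 == "ALL" { print $2 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:53    0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     127.0.0.1:8080      0.0.0.0:*
LISTEN  0       4096    *:9090              *:*
LISTEN  0       128     192.168.1.10:3000   0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       128     [::1]:631           [::]:*
EOF
}

sample_ss_output | classify_listeners
echo "wildcard ports: $(sample_ss_output | wildcard_ports)"
```

On a real host, pipe the baseline command into it, for example `ss -ltnup 2>/dev/null | wildcard_ports`, and compare the result with the ports the firewall rules are meant to restrict.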

Fix patterns

Read these only when relevant:

  • UFW/firewall workflow: references/ufw-playbook.md
  • OpenClaw config fixes: references/openclaw-fix-patterns.md

Artifact generation

When the user wants generated files, create:

  • firewall-rules.md
  • apply-firewall.sh
  • scripts/rollback-firewall.sh
  • scripts/verify-firewall.sh

Safe firewall order

  1. Confirm allowed source subnet/IPs.
  2. Add SSH rule first if SSH is in use.
  3. Apply LAN-only and single-host rules.
  4. Verify from expected clients.
  5. Re-check ufw status verbose and ss -ltnp.

Verification

After fixes, verify with:

openclaw security audit --deep
openclaw gateway status
python3 -m json.tool ~/.openclaw/openclaw.json >/dev/null
sudo ufw status verbose
ss -ltnp

Success means:

  • no critical audit findings
  • no warning audit findings when practical
  • gateway reachable
  • required ports reachable only from approved sources

Files: 5 total