Host Hardening
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly clear host-hardening guidance, but it includes high-impact root system changes and an optional root auto-starting OpenClaw gateway service that should be reviewed carefully before use.
Install or use this only if you are deliberately hardening a Linux server and can recover console access if SSH or firewall settings go wrong. Treat the gateway service section separately: review it carefully, avoid running it as root if possible, and make sure you know how to disable it before enabling persistence.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these commands are run on the wrong host or before SSH keys are verified, the user could lose remote access to the server.
These are root-level commands that modify SSH and firewall behavior. They are purpose-aligned and the skill warns to confirm before running them, but mistakes can lock the user out or disrupt access.
    sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
    systemctl restart ssh
    ...
    ufw default deny incoming
    ufw allow ssh
    yes | ufw enable
Run these sections only with explicit approval, verify SSH key access first, keep an emergency console/session open, and apply firewall rules incrementally.
A persistent gateway running as root increases the impact of any gateway bug, misconfiguration, or credential exposure because it can affect the whole server.
The optional gateway service is configured to run with full root privileges and root-owned OpenClaw state. The artifact does not justify why the gateway itself needs root or provide least-privilege alternatives.
Creates a systemd service for auto-restart on reboot. **Runs as root** — review the service file before enabling.
    ...
    User=root
    WorkingDirectory=/root/.openclaw
    Environment=HOME=/root
Only enable the gateway if necessary, prefer a dedicated unprivileged service account, restrict file permissions, and review the exact service file before enabling it.
The OpenClaw gateway may keep running with high privilege after the original setup task is complete, which can expand the server's long-term attack surface.
The skill documents a persistent auto-restarting service that continues after the hardening task and starts on reboot. It is disclosed as optional, but it is outside the core hardening controls and lacks disable or rollback instructions.
    Restart=always
    RestartSec=5
    ...
    systemctl daemon-reload && systemctl enable openclaw-gateway
Require explicit user approval for this optional section, document how to disable and remove the service, and avoid enabling it by default.
