ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openclaw-server-secure-skill

v1.0.0

Comprehensive security hardening and installation guide for OpenClaw (formerly Clawdbot/Moltbot). Use this skill when the user wants to secure a server, install the OpenClaw agent, or configure Tailscale/Firewall for the agent.

1· 3.1k·18 current·21 all-time
by@kime541200
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (server hardening, Tailscale, OpenClaw install) match the actions in SKILL.md: editing sshd_config, enabling UFW/Fail2ban, installing Tailscale and OpenClaw, and locking down credentials. No unrelated credentials or unexplained capabilities are requested.
!
Instruction Scope
The instructions perform system-wide, high-privilege changes (modify /etc/ssh/sshd_config, enable UFW, install packages, change sysctl). They acknowledge risks (note about console access) but do not require or describe safe verification steps (e.g., test changes before enabling UFW, dry-run, or backup verification beyond a single sshd_config copy). They also instruct to run a remote installer script and global npm install which are out-of-band network actions that may introduce unverified code.
!
Install Mechanism
There is no formal install spec (skill is instruction-only). The Tailscale install is suggested via curl -fsSL https://tailscale.com/install.sh | sh (piping remote shell script) and OpenClaw via npm install -g openclaw. Piping a remote script to sh and performing global npm installs are common but elevate supply-chain risk; the SKILL.md does not advise verifying checksums, signatures, or package provenance.
Credentials
The skill requests no environment variables or external credentials. It asks interactively for a Telegram ID to configure allowlist, which is proportionate to the claimed goal. There are no unexplained credential or config path accesses declared.
Persistence & Privilege
The skill is instruction-only, always:false, user-invocable, and does not request persistent elevated platform privileges or modify other skills. Autonomous invocation remains allowed by platform default but the skill itself does not declare forced persistence.
What to consider before installing
This guide appears to do what it says, but it instructs you to run high‑privilege commands and to pipe a remote install script into sh and to run a global npm install. Before following it: (1) ensure you have console or out-of-band access so you cannot be locked out; (2) fetch and inspect any remote installer (do not blindly run curl | sh); prefer distro packages or verify checksums/signatures; (3) verify the npm package name and source (openclaw) and consider installing into a controlled environment first; (4) backup configuration and test firewall/SSH rules incrementally (add SSH allow rule before enabling default-deny); (5) run these steps on a non-production instance first or follow an established change-control process. If you want, I can rewrite the instructions to include verification steps, safe rollback commands, and least-risk installation alternatives (e.g., installing Tailscale from your distro repo or downloading and verifying release artifacts).

Like a lobster shell, security has layers — review code before you run it.

latestvk976hgm4xdry34xtqzrtk06ecn80d0jr
3.1kdownloads
1stars
1versions
Updated 16h ago
v1.0.0
MIT-0
@kime541200
latest
Download

OpenClaw Server Security & Installation

Overview

This skill guides the setup of a secure, self-hosted OpenClaw instance. It covers SSH hardening, Firewall configuration, Tailscale VPN setup, and the OpenClaw installation itself.

Workflow

Phase 1: System Hardening

  1. Lock down SSH

    • Goal: Keys only, no passwords, no root login.
    • Action: Modify /etc/ssh/sshd_config.
    • Commands: 
      # Backup config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Disable Password Auth
sudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Disable Root Login
sudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Reload SSH
sudo sshd -t && sudo systemctl reload ssh

  2. Default-deny Firewall

    • Goal: Block everything incoming by default.
    • Action: Install and enable UFW.
    • Commands: 
      sudo apt update && sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
      Note: Ensure you have console access or a fallback before enabling if SSH is not yet allowed on another interface, though we configure Tailscale next.

  3. Brute-force Protection

    • Goal: Auto-ban IPs after failed login attempts.
    • Action: Install Fail2ban.
    • Commands: 
      sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

Phase 2: Network Privacy (Tailscale)

  1. Install Tailscale

    • Goal: Create a private VPN mesh network.
    • Commands: 
      curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
    • Wait for user to authenticate the Tailscale link.

  2. Configure SSH & Web via Tailscale

    • Goal: Allow traffic only from the Tailscale subnet (100.64.0.0/10) and remove public access.
    • Commands: 
      # Allow SSH over Tailscale
sudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp
# Remove public SSH access (Adjust rule name/number as needed)
sudo ufw delete allow OpenSSH || sudo ufw delete allow 22/tcp
# Allow Web ports over Tailscale
sudo ufw allow from 100.64.0.0/10 to any port 443 proto tcp
sudo ufw allow from 100.64.0.0/10 to any port 80 proto tcp

  3. Disable IPv6 (Optional)

    • Goal: Reduce attack surface.
    • Commands: 
      sudo sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw
if ! grep -q "net.ipv6.conf.all.disable_ipv6 = 1" /etc/sysctl.conf; then
  echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
fi
sudo sysctl -p && sudo ufw reload

Phase 3: OpenClaw Installation

  1. Install OpenClaw

    • Commands: 
      npm install -g openclaw && openclaw doctor

  2. Configure Owner Access

    • Required Input: Ask the user for their Telegram ID.
    • Action: Update the config to allowlist only that ID.
    • JSON Config Target (verify location via openclaw doctor): 
      { 
  "dmPolicy": "allowlist", 
  "allowFrom": ["YOUR_TELEGRAM_ID"], 
  "groupPolicy": "allowlist" 
}

  3. Secure Credentials

    • Goal: Restrict file permissions.
    • Commands: 
      chmod 700 ~/.openclaw/credentials 2>/dev/null || true
chmod 600 .env 2>/dev/null || true

  4. Final Audit

    • Action: Run the built-in security audit.
    • Command: 
      openclaw security audit --deep

Verification Status

Run to confirm:

sudo ufw status verbose
ss -tulnp
tailscale status
openclaw doctor

Comments

Loading comments...