ClawHub

Remote Desktop Support

Other

Create short-lived browser-based remote desktop support links with local-only VNC/Guacamole/noVNC and outbound tunnels.

Install

openclaw skills install remote-desktop-support

Remote Desktop Support

Use when Ric asks for temporary browser-based access to this machine's desktop for troubleshooting.

Safety Contract

  • Default to preflight/status unless Ric explicitly asks to open access.
  • Never create permanent inbound firewall/router exposure.
  • Bind Guacamole to 127.0.0.1; public access must be via a short-lived outbound tunnel. GNOME current-session VNC may bind widely, so it must use a firewalld-blocked port (1024) and pass the script safety check.
  • Hard requirement: access must show the current live desktop session. Do not use headless/fresh desktop sessions as a substitute.
  • Default mode is view-only; keyboard/mouse control requires explicit wording like "control".
  • Every open session must have a TTL and cleanup path.
  • Do not leave credentials, tunnels, current-session GNOME VNC backend, or containers running after close.
  • Do not run install, open, or uninstall --purge from ambiguous/unauthorized group chatter.

Commands

Run scripts from this skill directory:

python3 {baseDir}/scripts/remote_support.py preflight
python3 {baseDir}/scripts/remote_support.py status
python3 {baseDir}/scripts/remote_support.py install --dry-run
python3 {baseDir}/scripts/remote_support.py open --ttl 10m --mode view-only --dry-run
python3 {baseDir}/scripts/remote_support.py open --ttl 10m --mode view-only --unlock-current-session --one-click-only
python3 {baseDir}/scripts/remote_support.py link
python3 {baseDir}/scripts/remote_support.py close
python3 {baseDir}/scripts/remote_support.py uninstall --dry-run

open must prove the backend is the current live desktop before exposing a public tunnel. Headless RDP/Xvfb-style fresh sessions are blockers, not acceptable fallbacks. If the current session is locked, open refuses unless Ric explicitly approved --unlock-current-session.

Workflow

  1. Run preflight and inspect missing dependencies / risks.
  2. If Ric approves setup, run install --dry-run, then install only missing local assets.
  3. Run status before any open attempt.
  4. Open with a short TTL, view-only unless Ric asked for control.
  5. In Discord, use --one-click-only and send only the one_click_url; it embeds a short-lived Guacamole token, so treat it like a password.
  6. On completion or expiry, run close and verify status reports closed.

See references/security-model.md for the threat model and rollback rules.