ClawHub

ShellWard Security Guide

OpenClaw 安全部署指南 / Security deployment guide — help users secure their OpenClaw installation

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 32 · 0 current installs · 0 all-time installs
by@jnMetaCode
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (OpenClaw security deployment guide) align with the SKILL.md: it instructs checks for network exposure, container hardening, credential management, audit logs, plugins, and patching — all appropriate for a security guide.
Instruction Scope
The runtime instructions explicitly ask the agent to inspect local state (ports, firewall, ~/.env, ~/.bashrc, ~/.ssh, ~/.aws/credentials, ~/.openclaw/shellward/audit.jsonl), list and scan plugin code, and check Node/OpenClaw versions. Those actions are coherent for a security scanner but involve reading sensitive files and potentially sending findings externally; the SKILL.md is somewhat broad ('Check the current system state using available tools') which grants the agent discretionary scope.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest disk/write risk. Nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no required env vars or credentials, yet instructs scanning environment variables and credential files (including AWS creds). Reading those items is reasonable for a security guide, but the skill does not request or document how cloud credentials would be accessed — users should not provide cloud/provider credentials unless explicitly needed and verified.
Persistence & Privilege
Flags show always:false and user-invocable:true; disable-model-invocation:false (normal). The skill does not request persistent presence or modify other skills or global agent config.
Assessment
This skill looks coherent for its stated purpose but it will ask the agent to read sensitive local files (env, SSH keys, AWS creds), audit logs, and plugin code. Before using it: (1) prefer running it on a test or staging host or with read-only access; (2) do not paste cloud/provider credentials unless you trust the source (the package has no homepage/source repo listed); (3) review any 'auto-fix' actions and require manual confirmation before destructive fixes; and (4) if the skill asks to send data to external services (SIEM or other endpoints), validate where data will go and redact secrets if necessary.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk970e9ewmhzk9kecxzbbxzdqnh830gxy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

ShellWard Security Deployment Guide / 安全部署指南

When the user invokes this skill, provide a complete security deployment checklist based on the following best practices. Check the current system state using available tools and give actionable recommendations.

Security Checklist

1. Network Control / 网络控制

  • Check if OpenClaw gateway port (19000/19001) is exposed to public network
  • Recommend binding to 127.0.0.1 or using a reverse proxy with authentication
  • Suggest firewall rules: ufw allow from 127.0.0.1 to any port 19000
  • For cloud servers: check security group rules

2. Container Isolation / 容器隔离

  • Recommend running OpenClaw in Docker with restricted capabilities: 
    docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
  --read-only --tmpfs /tmp \
  -u 1000:1000 \
  openclaw
  • Suggest resource limits: --memory=2g --cpus=1
  • Mount only necessary directories

3. Credential Management / 凭证管理

  • Scan for plaintext secrets in .env, .bashrc, environment variables
  • Recommend using a secret manager (Vault, doppler, etc.)
  • Check file permissions on sensitive files (should be 0600)
  • Suggest chmod 600 ~/.env ~/.ssh/* ~/.aws/credentials

4. Audit Logging / 审计日志

  • Verify ShellWard audit log is active at ~/.openclaw/shellward/audit.jsonl
  • Show recent security events
  • Recommend log rotation and backup strategy
  • Suggest sending critical events to external SIEM

5. Plugin Security / 插件安全

  • List all installed plugins and check for known risks
  • Disable auto-update for plugins
  • Only install from trusted sources
  • Scan plugin code for suspicious patterns

6. Patch Management / 补丁管理

  • Check current OpenClaw version
  • Report known vulnerabilities for current version
  • Recommend upgrade path
  • Check Node.js version (must be >= 22.12)

Available Commands

Remind the user about ShellWard's quick commands:

  • /security — Full security status overview
  • /audit [count] [filter] — View audit log
  • /harden — Scan for issues, /harden fix to auto-fix
  • /scan-plugins — Scan plugins for security risks
  • /check-updates — Check versions and vulnerabilities

Response Style

  • Be concise and actionable
  • Use the user's language (detect from their message)
  • Prioritize critical issues first
  • For each issue, provide the exact command to fix it
  • Ask for confirmation before executing destructive operations

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…