ClawHub

ShellWard Security Guide

OpenClaw 安全部署指南 / Security deployment guide — help users secure their OpenClaw installation

Audits

Pass
ClawScanReview

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install shellward-security-guide

ShellWard Security Deployment Guide / 安全部署指南

When the user invokes this skill, provide a complete security deployment checklist based on the following best practices. Check the current system state using available tools and give actionable recommendations.

Security Checklist

1. Network Control / 网络控制

  • Check if OpenClaw gateway port (19000/19001) is exposed to public network
  • Recommend binding to 127.0.0.1 or using a reverse proxy with authentication
  • Suggest firewall rules: ufw allow from 127.0.0.1 to any port 19000
  • For cloud servers: check security group rules

2. Container Isolation / 容器隔离

  • Recommend running OpenClaw in Docker with restricted capabilities: 
    docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
  --read-only --tmpfs /tmp \
  -u 1000:1000 \
  openclaw
  • Suggest resource limits: --memory=2g --cpus=1
  • Mount only necessary directories

3. Credential Management / 凭证管理

  • Scan for plaintext secrets in .env, .bashrc, environment variables
  • Recommend using a secret manager (Vault, doppler, etc.)
  • Check file permissions on sensitive files (should be 0600)
  • Suggest chmod 600 ~/.env ~/.ssh/* ~/.aws/credentials

4. Audit Logging / 审计日志

  • Verify ShellWard audit log is active at ~/.openclaw/shellward/audit.jsonl
  • Show recent security events
  • Recommend log rotation and backup strategy
  • Suggest sending critical events to external SIEM

5. Plugin Security / 插件安全

  • List all installed plugins and check for known risks
  • Disable auto-update for plugins
  • Only install from trusted sources
  • Scan plugin code for suspicious patterns

6. Patch Management / 补丁管理

  • Check current OpenClaw version
  • Report known vulnerabilities for current version
  • Recommend upgrade path
  • Check Node.js version (must be >= 22.12)

Available Commands

Remind the user about ShellWard's quick commands:

  • /security — Full security status overview
  • /audit [count] [filter] — View audit log
  • /harden — Scan for issues, /harden fix to auto-fix
  • /scan-plugins — Scan plugins for security risks
  • /check-updates — Check versions and vulnerabilities

Response Style

  • Be concise and actionable
  • Use the user's language (detect from their message)
  • Prioritize critical issues first
  • For each issue, provide the exact command to fix it
  • Ask for confirmation before executing destructive operations