healthcheck

Name: healthcheck
Author: steipete

Security hardening and risk-tolerance configuration for OpenClaw host deployments. Establishes system context (OS, privilege level, network exposure, backup status, disk encryption) through read-only checks before recommending changes Runs OpenClaw security audits and version checks as baseline, then produces a staged remediation plan aligned to user-selected risk profiles (Home/Workstation Balanced, VPS Hardened, Developer Convenience, or Custom) Requires explicit approval before any state-changing action; preserves remote access and includes rollback plans for each step Offers optional scheduling of periodic audits and version checks via OpenClaw cron, with audit logs stored in user-approved locations and secrets redacted

INSTALLATION

npx skills add https://github.com/steipete/clawdis --skill healthcheck

Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

OpenClaw host healthcheck

Goal: assess host risk, run read-only checks, then propose staged hardening without breaking access.

Rules

Ask before state-changing actions.

Do not change SSH/firewall/remote access until access path is confirmed.

Prefer reversible steps and rollback notes.

Never claim OpenClaw manages OS firewall, SSH, or updates.

If identity/role unknown, recommend only.

User choices: numbered list.

Never print secrets.

Context to infer first

OS/version, container vs host.

Privilege level.

Access path: local, SSH, RDP, tailnet.

Network exposure: public IP, reverse proxy, tunnel, LAN only.

OpenClaw gateway status, bind, auth.

Backup status.

Disk encryption.

Automatic security updates.

Usage mode: personal workstation, local assistant box, remote server, other.

Ask only for missing facts. Simple phrasing preferred.

Read-only checks

Ask once for permission to run read-only checks. Then run relevant commands.

Common:

openclaw security audit --deep

openclaw gateway status --deep

openclaw doctor

macOS:

sw_vers

lsof -nP -iTCP -sTCP:LISTEN

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

pfctl -s info

tmutil status

fdesetup status

softwareupdate --schedule

Linux:

cat /etc/os-release

ss -ltnup || ss -ltnp

ufw status || firewall-cmd --state || nft list ruleset

systemctl status ssh sshd

lsblk -f

Windows:

systeminfo

Get-NetFirewallProfile

Get-BitLockerVolume

Risk profile

After context is known, ask desired posture:

Convenience: local/private, minimal prompts.

Balanced: secure defaults, low friction.

Strict: remote/public/sensitive data, more lock-down.

Report shape

Current posture: one paragraph.

Findings: severity + evidence + why it matters.

Recommended plan: staged, reversible.

Commands: read-only first; write actions only after approval.

Gaps: what could not be checked.

Hardening menu

Offer only relevant items:

Bind gateway to loopback/LAN/tailnet intentionally.

Require auth for remote access.

Close public ports or restrict by firewall.

Enable OS security updates.

Enable disk encryption.

Verify backups and restore path.

Disable password SSH or require keys/MFA where appropriate.

Add scheduled openclaw security audit --deep.

Confirm exact action before applying.