openclaw-deployment-hardening

OpenClaw Deployment Hardening

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "openclaw-deployment-hardening" with this command: npx skills add bagelhole/devops-security-agent-skills/bagelhole-devops-security-agent-skills-openclaw-deployment-hardening

OpenClaw Deployment Hardening

Use this skill to add repeatable security gates around OpenClaw build and deployment workflows.

Enforce a Secure Build Pipeline

Add mandatory controls to CI before artifacts are promoted:

  • Dependency and lockfile vulnerability scan (fail on critical CVEs).

  • Image scan for OS/package vulnerabilities.

  • Secret scanning across source and build context.

  • SBOM generation and artifact signing.

  • Policy check that blocks deploy when controls fail.

Example CI step order:

Build

npm ci npm run build

Security gates

trivy fs . trivy image my-registry/openclaw:${GIT_SHA} syft my-registry/openclaw:${GIT_SHA} -o spdx-json > sbom.json cosign sign --key cosign.key my-registry/openclaw:${GIT_SHA}

Lock Down Container Runtime

Run OpenClaw with restrictive defaults:

  • Non-root user in container

  • Read-only root filesystem where possible

  • Drop all Linux capabilities, add back only required

  • no-new-privileges enabled

  • Constrained CPU/memory limits to reduce abuse impact

  • Seccomp/AppArmor (or equivalent) profile enforced

Kubernetes-oriented expectations:

  • runAsNonRoot: true

  • allowPrivilegeEscalation: false

  • readOnlyRootFilesystem: true

  • network policy deny-all baseline with explicit allow rules

Gate Production Promotion

Require explicit promotion checks:

  • Security sign-off on CVE exceptions.

  • Signed artifact verification in deployment stage.

  • Drift check between expected and live manifest values.

  • Deployment only from immutable tags or digests.

Avoid mutable latest tags for production OpenClaw services.

Protect Data and Session Surfaces

  • Minimize prompt/response retention by policy.

  • Mask secrets and PII in logs before shipping to SIEM.

  • Encrypt persistent volumes and backups.

  • Isolate tenant/session data boundaries when serving multiple teams.

Post-Deploy Verification

Run a hardening smoke test immediately after rollout:

kubectl get pods -n openclaw kubectl auth can-i --as=system:serviceaccount:openclaw:default list secrets -n openclaw kubectl get networkpolicy -n openclaw kubectl logs deploy/openclaw -n openclaw --tail=200

Verify:

  • Pod security context matches policy.

  • Service account permissions are least privilege.

  • Ingress auth/rate limits are effective.

  • No plaintext secrets appear in logs.

Incident-Ready Rollback Pattern

Maintain a hardened rollback workflow:

  • Freeze further rollouts.

  • Revoke suspect tokens and rotate secrets.

  • Roll back to last signed known-good image digest.

  • Re-run post-deploy hardening verification.

  • Capture timeline and artifacts for forensics.

Related Skills

  • container-hardening - Container security baseline controls

  • kubernetes-hardening - Pod and cluster hardening patterns

  • sbom-supply-chain - SBOM, signing, and provenance controls

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

sops-encryption

No summary provided by upstream source.

Repository SourceNeeds Review
-31
bagelhole
Security

linux-administration

No summary provided by upstream source.

Repository SourceNeeds Review
-29
bagelhole
Security

linux-hardening

No summary provided by upstream source.

Repository SourceNeeds Review
-26
bagelhole