security-network-hardening

Audit and harden an OpenClaw host and its network exposure. Use for security checks, hardening, firewall setup, network exposure review, metrics endpoint restriction, OpenClaw gateway security fixes, or step-by-step remediation on a Linux host running OpenClaw.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "security-network-hardening" with this command: npx skills add jimpang8/security-network-hardening

Security + Network Hardening

Audit first, then harden with explicit approval. Keep this file short; read the references when needed.

Core rules

  • Start read-only unless the user explicitly asks for fixes.
  • Require confirmation before any state-changing action.
  • Preserve current management access; do not break SSH/RDP/VNC.
  • Prefer exact findings over generic advice.
  • After workspace edits, commit them.

Read-only baseline

Run:

uname -a
cat /etc/os-release
id
ss -ltnup 2>/dev/null || ss -ltnp 2>/dev/null
openclaw security audit --deep
openclaw update status
openclaw status --deep

If firewall state matters, also run:

ufw status verbose || true
firewall-cmd --state 2>/dev/null || true
nft list ruleset 2>/dev/null || true

Priorities

Check for these first:

  1. elevated wildcard access in tools.elevated.allowFrom.*
  2. writable credentials directories
  3. missing gateway auth rate limiting
  4. broad or unclear listening ports
  5. metrics endpoints exposed too widely
  6. ineffective custom gateway.nodes.denyCommands
  7. workspace skill symlink escapes

Fix patterns

Read these only when relevant:

  • UFW/firewall workflow: references/ufw-playbook.md
  • OpenClaw config fixes: references/openclaw-fix-patterns.md

Artifact generation

When the user wants generated files, create:

  • firewall-rules.md
  • apply-firewall.sh
  • scripts/rollback-firewall.sh
  • scripts/verify-firewall.sh

Safe firewall order

  1. Confirm allowed source subnet/IPs.
  2. Add SSH rule first if SSH is in use.
  3. Apply LAN-only and single-host rules.
  4. Verify from expected clients.
  5. Re-check ufw status verbose and ss -ltnp.

Verification

After fixes, verify with:

openclaw security audit --deep
openclaw gateway status
python3 -m json.tool ~/.openclaw/openclaw.json >/dev/null
sudo ufw status verbose
ss -ltnp

Success means:

  • no critical audit findings
  • no warning audit findings when practical
  • gateway reachable
  • required ports reachable only from approved sources

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Production Code Audit

Deep-scan a codebase, understand its architecture and patterns, then produce a comprehensive audit report with prioritized fixes. Optionally apply changes on...

Registry SourceRecently Updated
1520Profile unavailable
Security

Soc Deploy Misp

Deploy MISP threat intelligence platform on any Docker-ready Linux host. Official misp-docker project with automatic MariaDB memory tuning (prevents OOM on s...

Registry SourceRecently Updated
1760Profile unavailable
Security

SEO Intel

Local SEO competitive intelligence tool. Use when the user asks about SEO analysis, competitor research, keyword gaps, content strategy, site audits, AI cita...

Registry SourceRecently Updated
2230Profile unavailable
Security

MAL-Updater

Multi-provider anime → MyAnimeList sync and recommendations skill with guarded auth, review-queue triage, health checks, bootstrap auditing, and user-systemd...

Registry SourceRecently Updated
2190Profile unavailable