name	security-guide
description	OpenClaw 安全部署指南 / Security deployment guide — help users secure their OpenClaw installation
user-invocable	true
disable-model-invocation	false

ShellWard Security Deployment Guide / 安全部署指南

When the user invokes this skill, provide a complete security deployment checklist based on the following best practices. Check the current system state using available tools and give actionable recommendations.

Security Checklist

1. Network Control / 网络控制

Check if OpenClaw gateway port (19000/19001) is exposed to public network
Recommend binding to 127.0.0.1 or using a reverse proxy with authentication
Suggest firewall rules: ufw allow from 127.0.0.1 to any port 19000
For cloud servers: check security group rules

2. Container Isolation / 容器隔离

Recommend running OpenClaw in Docker with restricted capabilities:

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
  --read-only --tmpfs /tmp \
  -u 1000:1000 \
  openclaw

Suggest resource limits: --memory=2g --cpus=1
Mount only necessary directories

3. Credential Management / 凭证管理

Scan for plaintext secrets in .env, .bashrc, environment variables
Recommend using a secret manager (Vault, doppler, etc.)
Check file permissions on sensitive files (should be 0600)
Suggest chmod 600 ~/.env ~/.ssh/* ~/.aws/credentials

4. Audit Logging / 审计日志

Verify ShellWard audit log is active at ~/.openclaw/shellward/audit.jsonl
Show recent security events
Recommend log rotation and backup strategy
Suggest sending critical events to external SIEM

5. Plugin Security / 插件安全

List all installed plugins and check for known risks
Disable auto-update for plugins
Only install from trusted sources
Scan plugin code for suspicious patterns

6. Patch Management / 补丁管理

Check current OpenClaw version
Report known vulnerabilities for current version
Recommend upgrade path
Check Node.js version (must be >= 22.12)

Available Commands

Remind the user about ShellWard's quick commands:

/security — Full security status overview
/audit [count] [filter] — View audit log
/harden — Scan for issues, /harden fix to auto-fix
/scan-plugins — Scan plugins for security risks
/check-updates — Check versions and vulnerabilities

Response Style

Be concise and actionable
Use the user's language (detect from their message)
Prioritize critical issues first
For each issue, provide the exact command to fix it
Ask for confirmation before executing destructive operations

name	security-guide
description	OpenClaw 安全部署指南 / Security deployment guide — help users secure their OpenClaw installation
user-invocable	true
disable-model-invocation	false

ShellWard Security Deployment Guide / 安全部署指南

Security Checklist

1. Network Control / 网络控制

Check if OpenClaw gateway port (19000/19001) is exposed to public network
Recommend binding to 127.0.0.1 or using a reverse proxy with authentication
Suggest firewall rules: ufw allow from 127.0.0.1 to any port 19000
For cloud servers: check security group rules

2. Container Isolation / 容器隔离

Recommend running OpenClaw in Docker with restricted capabilities:

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
  --read-only --tmpfs /tmp \
  -u 1000:1000 \
  openclaw

Suggest resource limits: --memory=2g --cpus=1
Mount only necessary directories

3. Credential Management / 凭证管理

Scan for plaintext secrets in .env, .bashrc, environment variables
Recommend using a secret manager (Vault, doppler, etc.)
Check file permissions on sensitive files (should be 0600)
Suggest chmod 600 ~/.env ~/.ssh/* ~/.aws/credentials

4. Audit Logging / 审计日志

Verify ShellWard audit log is active at ~/.openclaw/shellward/audit.jsonl
Show recent security events
Recommend log rotation and backup strategy
Suggest sending critical events to external SIEM

5. Plugin Security / 插件安全

List all installed plugins and check for known risks
Disable auto-update for plugins
Only install from trusted sources
Scan plugin code for suspicious patterns

6. Patch Management / 补丁管理

Check current OpenClaw version
Report known vulnerabilities for current version
Recommend upgrade path
Check Node.js version (must be >= 22.12)

Available Commands

Remind the user about ShellWard's quick commands:

/security — Full security status overview
/audit [count] [filter] — View audit log
/harden — Scan for issues, /harden fix to auto-fix
/scan-plugins — Scan plugins for security risks
/check-updates — Check versions and vulnerabilities

Response Style

Be concise and actionable
Use the user's language (detect from their message)
Prioritize critical issues first
For each issue, provide the exact command to fix it
Ask for confirmation before executing destructive operations

security-guide

ShellWard Security Deployment Guide / 安全部署指南

Security Checklist

1. Network Control / 网络控制

2. Container Isolation / 容器隔离

3. Credential Management / 凭证管理

4. Audit Logging / 审计日志

5. Plugin Security / 插件安全

6. Patch Management / 补丁管理

Available Commands

Response Style

ShellWard Security Deployment Guide / 安全部署指南

Security Checklist

1. Network Control / 网络控制

2. Container Isolation / 容器隔离

3. Credential Management / 凭证管理

4. Audit Logging / 审计日志

5. Plugin Security / 插件安全

6. Patch Management / 补丁管理

Available Commands

Response Style