OpenClaw主机安全加固指南：评估风险、制定计划、分步执行

healthcheck by steipete/clawdis

526 周安装量

334,400 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/steipete/clawdis --skill healthcheck

自动化开发运维安全

🇨🇳中文介绍

OpenClaw 主机加固

概述

评估并加固运行 OpenClaw 的主机，然后将其调整至用户定义的风险承受度，同时不中断访问。将 OpenClaw 安全工具作为首要信号，但将操作系统加固视为一套独立、明确的步骤。

核心规则

建议使用最先进的模型（例如，Opus 4.5、GPT 5.2+）运行此技能。代理应自检当前模型，若低于该级别则建议切换；不要阻止执行。
任何会改变状态的操作都需要明确的批准。
在未确认用户连接方式的情况下，不得修改远程访问设置。
优先采用可逆、分阶段的更改，并制定回滚计划。
切勿声称 OpenClaw 会更改主机防火墙、SSH 或操作系统更新；它不会。
如果角色/身份未知，仅提供建议。
格式要求：每组用户选项必须编号，以便用户可以用单个数字回复。
建议进行系统级备份；尝试验证备份状态。

工作流程（按顺序执行）

0) 模型自检（非阻塞性）

开始前，检查当前模型。如果低于最先进水平（例如，Opus 4.5、GPT 5.2+），建议切换。不要阻止执行。

1) 建立上下文（只读）

在询问之前，尝试从环境中推断 1-5 项。如果需要确认，优先使用简单、非技术性的问题。

确定（按顺序）：

操作系统和版本（Linux/macOS/Windows），容器与主机。
权限级别（root/admin 与 user）。
访问路径（本地控制台、SSH、RDP、tailnet）。
网络暴露情况（公网 IP、反向代理、隧道）。
OpenClaw 网关状态和绑定地址。
备份系统及状态（例如，Time Machine、系统映像、快照）。
部署上下文（本地 Mac 应用、无头网关主机、远程网关、容器/CI）。
磁盘加密状态（FileVault/LUKS/BitLocker）。
操作系统自动安全更新状态。注意：这些不是阻塞项，但强烈建议启用，特别是当 OpenClaw 可以访问敏感数据时。
具有完全访问权限的个人助理的使用模式（本地工作站 vs 无头/远程 vs 其他）。

首先询问一次是否允许运行只读检查。如果获得许可，默认运行它们，并且只针对无法推断或验证的项目提问。不要询问运行时或命令输出中已可见的信息。将权限询问保持为单个句子，并将后续所需信息列为无序列表（非编号），除非您正在呈现可选择的选项。

如果必须提问，请使用非技术性提示：

“您使用的是 Mac、Windows PC 还是 Linux？”
“您是直接登录到这台机器，还是从另一台计算机连接？”
“这台机器可以从公共互联网访问，还是只能在您的家庭/内部网络访问？”
“您是否启用了备份（例如 Time Machine），并且它们是最新的吗？”

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

2) 运行 OpenClaw 安全审计（只读）

作为默认只读检查的一部分，运行 openclaw security audit --deep。仅在用户要求时提供替代方案：

openclaw security audit（更快，非探测性）
openclaw security audit --json（结构化输出）

提供应用 OpenClaw 安全默认设置的选项（编号）：

openclaw security audit --fix

明确说明 --fix 仅收紧 OpenClaw 默认设置和文件权限。它不会更改主机防火墙、SSH 或操作系统更新策略。

如果启用了浏览器控制，建议在所有重要账户上启用双因素认证，优先使用硬件密钥，短信认证不足够。

3) 检查 OpenClaw 版本/更新状态（只读）

作为默认只读检查的一部分，运行 openclaw update status。

报告当前渠道以及是否有可用更新。

4) 确定风险承受度（在了解系统上下文后）

请用户选择或确认风险承受度以及任何必需开放的服务/端口（以下编号选项）。不要将其硬塞入固定配置文件；如果用户愿意，捕获需求而非选择配置文件。提供建议的配置文件作为可选默认值（编号）。请注意，大多数用户选择家庭/工作站平衡型：

家庭/工作站平衡型（最常见）：防火墙开启并采用合理的默认设置，远程访问限制在局域网或 tailnet。
VPS 加固型：默认拒绝入站防火墙，开放端口最少，仅密钥 SSH，禁止 root 登录，自动安全更新。
开发者便利型：允许更多本地服务，有明确的暴露警告，但仍经过审计。
自定义型：用户定义的约束（服务、暴露程度、更新频率、访问方法）。

5) 制定修复计划

提供一个包含以下内容的计划：

目标配置文件
当前状态摘要
与目标的差距
包含确切命令的分步修复步骤
访问保持策略和回滚方案
风险和潜在锁定场景
最小权限说明（例如，避免使用管理员权限，在安全的情况下收紧所有权/权限）
凭据卫生说明（OpenClaw 凭据的位置，优先使用磁盘加密）

在进行任何更改之前始终展示计划。

6) 提供执行选项

提供以下选项之一（编号以便用户可以用单个数字回复）：

为我执行（引导式，逐步批准）
仅显示计划
仅修复关键问题
导出命令供以后使用

对于每个步骤：

显示确切的命令
解释影响和回滚方法
确认访问将保持可用
在出现意外输出时停止并请求指导

防火墙状态
监听端口
远程访问是否仍然有效
OpenClaw 安全审计（重新运行）

交付最终状态报告并注明任何延期项目。

必需确认项（始终）

以下操作需要明确批准：

防火墙规则更改
打开/关闭端口
SSH/RDP 配置更改
安装/移除软件包
启用/禁用服务
用户/组修改
计划任务或启动持久化
更新策略更改
访问敏感文件或凭据

如果不确定，请询问。

在 OpenClaw 安装或首次加固完成后，至少运行一次基线审计和版本检查：

openclaw security audit
openclaw security audit --deep
openclaw update status

建议进行持续监控。使用 OpenClaw cron 工具/CLI 来安排定期审计（网关调度器）。未经明确批准，不要创建计划任务。将输出存储在用户批准的位置，避免在日志中包含秘密信息。在安排无头 cron 运行时，输出中应包含一条说明，指示用户调用 healthcheck 以便修复问题。

安排计划时的必需提示（始终）

在任何审计或加固运行后，明确提供安排计划的选项并要求直接回应。使用简短的提示，例如（编号）：

“您是否希望我通过 openclaw cron add 安排定期审计（例如，每日/每周）？”

如果用户同意，询问：

频率（每日/每周）、首选时间窗口和输出位置
是否同时安排 openclaw update status

使用稳定的 cron 作业名称，以便更新是确定性的。优先使用确切的名称：

healthcheck:security-audit
healthcheck:update-status

创建之前，运行 openclaw cron list 并精确匹配 name。如果找到，则 openclaw cron edit <id> ...。如果未找到，则 openclaw cron add --name <name> ...。

同时提供定期版本检查选项，以便用户决定何时更新（编号）：

openclaw update status（适用于源码检出和渠道检查）
npm view openclaw version（发布的 npm 版本）

OpenClaw 命令准确性

仅使用受支持的命令和标志：

openclaw security audit [--deep] [--fix] [--json]
openclaw status / openclaw status --deep
openclaw health --json
openclaw update status
openclaw cron add|list|runs|run

不要发明 CLI 标志或暗示 OpenClaw 强制执行主机防火墙/SSH 策略。

日志记录和审计跟踪

网关身份和角色
计划 ID 和时间戳
批准的步骤和确切命令
退出代码和修改的文件（尽力而为）

对秘密信息进行编辑。切勿记录令牌或完整的凭据内容。

内存写入（有条件）

仅当用户明确选择加入且会话是私有/本地工作空间（根据 docs/reference/templates/AGENTS.md）时，才写入内存文件。否则，提供一个经过编辑、可供粘贴的摘要，供用户决定保存到其他地方。

遵循 OpenClaw 压缩使用的持久内存提示格式：

将持久性笔记写入 memory/YYYY-MM-DD.md。

每次审计/加固运行后，如果用户选择加入，将一个简短的、带日期的摘要追加到 memory/YYYY-MM-DD.md（检查了什么、关键发现、采取的措施、任何计划的 cron 作业、关键决策以及所有执行的命令）。仅追加：切勿覆盖现有条目。编辑敏感主机详细信息（用户名、主机名、IP、序列号、服务名称、令牌）。如果有持久的偏好或决策（风险承受度、允许的端口、更新策略），也更新 MEMORY.md（长期内存是可选的，仅在私有会话中使用）。

如果会话无法写入工作空间，请求权限或提供确切的条目供用户粘贴到内存文件中。

🇺🇸English

OpenClaw Host Hardening

Overview

Assess and harden the host running OpenClaw, then align it to a user-defined risk tolerance without breaking access. Use OpenClaw security tooling as a first-class signal, but treat OS hardening as a separate, explicit set of steps.

Core rules

Recommend running this skill with a state-of-the-art model (e.g., Opus 4.5, GPT 5.2+). The agent should self-check the current model and suggest switching if below that level; do not block execution.
Require explicit approval before any state-changing action.
Do not modify remote access settings without confirming how the user connects.
Prefer reversible, staged changes with a rollback plan.
Never claim OpenClaw changes the host firewall, SSH, or OS updates; it does not.
If role/identity is unknown, provide recommendations only.
Formatting: every set of user choices must be numbered so the user can reply with a single digit.
System-level backups are recommended; try to verify status.

Workflow (follow in order)

0) Model self-check (non-blocking)

Before starting, check the current model. If it is below state-of-the-art (e.g., Opus 4.5, GPT 5.2+), recommend switching. Do not block execution.

1) Establish context (read-only)

Try to infer 1–5 from the environment before asking. Prefer simple, non-technical questions if you need confirmation.

Determine (in order):

OS and version (Linux/macOS/Windows), container vs host.
Privilege level (root/admin vs user).
Access path (local console, SSH, RDP, tailnet).
Network exposure (public IP, reverse proxy, tunnel).
OpenClaw gateway status and bind address.
Backup system and status (e.g., Time Machine, system images, snapshots).
Deployment context (local mac app, headless gateway host, remote gateway, container/CI).
Disk encryption status (FileVault/LUKS/BitLocker).
OS automatic security updates status. Note: these are not blocking items, but are highly recommended, especially if OpenClaw can access sensitive data.
Usage mode for a personal assistant with full access (local workstation vs headless/remote vs other).

First ask once for permission to run read-only checks. If granted, run them by default and only ask questions for items you cannot infer or verify. Do not ask for information already visible in runtime or command output. Keep the permission ask as a single sentence, and list follow-up info needed as an unordered list (not numbered) unless you are presenting selectable choices.

If you must ask, use non-technical prompts:

“Are you using a Mac, Windows PC, or Linux?”
“Are you logged in directly on the machine, or connecting from another computer?”
“Is this machine reachable from the public internet, or only on your home/network?”
“Do you have backups enabled (e.g., Time Machine), and are they current?”
“Is disk encryption turned on (FileVault/BitLocker/LUKS)?”
“Are automatic security updates enabled?”
“How do you use this machine?” Examples:
- Personal machine shared with the assistant
- Dedicated local machine for the assistant
- Dedicated remote machine/server accessed remotely (always on)
- Something else?

Only ask for the risk profile after system context is known.

If the user grants read-only permission, run the OS-appropriate checks by default. If not, offer them (numbered). Examples:

OS: uname -a, sw_vers, cat /etc/os-release.
Listening ports:
- Linux: ss -ltnup (or ss -ltnp if -u unsupported).
- macOS: lsof -nP -iTCP -sTCP:LISTEN.
Firewall status:
- Linux: ufw status, firewall-cmd --state, nft list ruleset (pick what is installed).

2) Run OpenClaw security audits (read-only)

As part of the default read-only checks, run openclaw security audit --deep. Only offer alternatives if the user requests them:

openclaw security audit (faster, non-probing)
openclaw security audit --json (structured output)

Offer to apply OpenClaw safe defaults (numbered):

openclaw security audit --fix

Be explicit that --fix only tightens OpenClaw defaults and file permissions. It does not change host firewall, SSH, or OS update policies.

If browser control is enabled, recommend that 2FA be enabled on all important accounts, with hardware keys preferred and SMS not sufficient.

3) Check OpenClaw version/update status (read-only)

As part of the default read-only checks, run openclaw update status.

Report the current channel and whether an update is available.

4) Determine risk tolerance (after system context)

Ask the user to pick or confirm a risk posture and any required open services/ports (numbered choices below). Do not pigeonhole into fixed profiles; if the user prefers, capture requirements instead of choosing a profile. Offer suggested profiles as optional defaults (numbered). Note that most users pick Home/Workstation Balanced:

Home/Workstation Balanced (most common): firewall on with reasonable defaults, remote access restricted to LAN or tailnet.
VPS Hardened: deny-by-default inbound firewall, minimal open ports, key-only SSH, no root login, automatic security updates.
Developer Convenience: more local services allowed, explicit exposure warnings, still audited.
Custom: user-defined constraints (services, exposure, update cadence, access methods).

5) Produce a remediation plan

Provide a plan that includes:

Target profile
Current posture summary
Gaps vs target
Step-by-step remediation with exact commands
Access-preservation strategy and rollback
Risks and potential lockout scenarios
Least-privilege notes (e.g., avoid admin usage, tighten ownership/permissions where safe)
Credential hygiene notes (location of OpenClaw creds, prefer disk encryption)

Always show the plan before any changes.

6) Offer execution options

Offer one of these choices (numbered so users can reply with a single digit):

Do it for me (guided, step-by-step approvals)
Show plan only
Fix only critical issues
Export commands for later

7) Execute with confirmations

For each step:

Show the exact command
Explain impact and rollback
Confirm access will remain available
Stop on unexpected output and ask for guidance

8) Verify and report

Re-check:

Firewall status
Listening ports
Remote access still works
OpenClaw security audit (re-run)

Deliver a final posture report and note any deferred items.

Required confirmations (always)

Require explicit approval for:

Firewall rule changes
Opening/closing ports
SSH/RDP configuration changes
Installing/removing packages
Enabling/disabling services
User/group modifications
Scheduling tasks or startup persistence
Update policy changes
Access to sensitive files or credentials

If unsure, ask.

Periodic checks

After OpenClaw install or first hardening pass, run at least one baseline audit and version check:

openclaw security audit
openclaw security audit --deep
openclaw update status

Ongoing monitoring is recommended. Use the OpenClaw cron tool/CLI to schedule periodic audits (Gateway scheduler). Do not create scheduled tasks without explicit approval. Store outputs in a user-approved location and avoid secrets in logs. When scheduling headless cron runs, include a note in the output that instructs the user to call healthcheck so issues can be fixed.

Required prompt to schedule (always)

After any audit or hardening pass, explicitly offer scheduling and require a direct response. Use a short prompt like (numbered):

“Do you want me to schedule periodic audits (e.g., daily/weekly) via openclaw cron add?”

If the user says yes, ask for:

cadence (daily/weekly), preferred time window, and output location
whether to also schedule openclaw update status

Use a stable cron job name so updates are deterministic. Prefer exact names:

healthcheck:security-audit
healthcheck:update-status

Before creating, openclaw cron list and match on exact name. If found, openclaw cron edit <id> .... If not found, openclaw cron add --name <name> ....

Also offer a periodic version check so the user can decide when to update (numbered):

openclaw update status (preferred for source checkouts and channels)
npm view openclaw version (published npm version)

OpenClaw command accuracy

Use only supported commands and flags:

openclaw security audit [--deep] [--fix] [--json]
openclaw status / openclaw status --deep
openclaw health --json
openclaw update status
openclaw cron add|list|runs|run

Do not invent CLI flags or imply OpenClaw enforces host firewall/SSH policies.

Logging and audit trail

Record:

Gateway identity and role
Plan ID and timestamp
Approved steps and exact commands
Exit codes and files modified (best effort)

Redact secrets. Never log tokens or full credential contents.

Memory writes (conditional)

Only write to memory files when the user explicitly opts in and the session is a private/local workspace (per docs/reference/templates/AGENTS.md). Otherwise provide a redacted, paste-ready summary the user can decide to save elsewhere.

Follow the durable-memory prompt format used by OpenClaw compaction:

Write lasting notes to memory/YYYY-MM-DD.md.

After each audit/hardening run, if opted-in, append a short, dated summary to memory/YYYY-MM-DD.md (what was checked, key findings, actions taken, any scheduled cron jobs, key decisions, and all commands executed). Append-only: never overwrite existing entries. Redact sensitive host details (usernames, hostnames, IPs, serials, service names, tokens). If there are durable preferences or decisions (risk posture, allowed ports, update policy), also update MEMORY.md (long-term memory is optional and only used in private sessions).

If the session cannot write to the workspace, ask for permission or provide exact entries the user can paste into the memory files.

Weekly Installs

526

Repository

steipete/clawdis

GitHub Stars

334.4K

First Seen

Feb 3, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

opencode494

codex491

gemini-cli491

openclaw487

github-copilot486

cursor486

macOS: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate and pfctl -s info.

Backups (macOS): tmutil status (if Time Machine is used).