
Healthcheck
Run read-only OpenClaw host risk checks, then choose staged hardening for SSH, firewall, gateway auth, backups, and disk encryption without locking yourself out.
Overview
Healthcheck is an agent skill for the Operate phase that audits and hardens OpenClaw hosts with read-only checks first, then staged SSH, firewall, gateway, backup, and encryption recommendations.
Install
npx skills add https://github.com/steipete/clawdis --skill healthcheck
What is this skill?
- Infers OS, privilege, access path, exposure, gateway bind/auth, backups, and encryption before recommending changes
- Runs read-only probes including openclaw security audit --deep, gateway status --deep, and doctor
- macOS and Linux command recipes for listeners, firewall state, Time Machine/FileVault, and update schedules
- Staged hardening with ask-first rules, numbered user choices, rollback notes, and never printing secrets
- Explicit that OpenClaw does not manage OS firewall, SSH, or system updates
- Three core read-only OpenClaw commands: security audit --deep, gateway status --deep, and doctor
Adoption & trust: 2.1k installs on skills.sh; 378k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You run OpenClaw on a real machine but do not know whether SSH, open ports, missing backups, or weak gateway auth quietly expose your assistant stack.
Who is it for?
Solo builders self-hosting OpenClaw on macOS or Linux who want audit-then-harden workflows before exposing a gateway on the public internet or a tailnet.
Skip if: Teams that only need application-level test coverage or who want fully automated OS patching without human approval on every state change.
When should I use this skill?
Assessing OpenClaw host risk, running read-only checks, or planning staged hardening without breaking SSH or remote access.
What do I get? / Deliverables
You get a risk-informed, consent-driven hardening plan with reversible steps and explicit rollback notes instead of blind firewall or SSH changes.
- Risk summary from read-only host and gateway checks
- Numbered hardening options with rollback notes
- Staged change plan that preserves confirmed access paths
Journey fit
Host exposure, gateway binding, and backup posture are production-operation concerns after you ship an assistant or gateway stack. Infra is the canonical shelf for machine-level hardening, network exposure review, and reversible security changes on the box running OpenClaw.
How it compares
Use for host and OpenClaw gateway posture reviews instead of generic linter or dependency-only security scans.
Common Questions / FAQ
Who is healthcheck for?
It is for indie builders and small-team operators who administer the machine running OpenClaw—workstation, homelab, or VPS—and need structured host security checks tied to the gateway.
When should I use healthcheck?
Use it in Operate when you first deploy a gateway, after opening new ports or reverse proxies, when backups or encryption status is unknown, or before enabling stricter SSH or firewall rules.
Is healthcheck safe to install?
The skill is designed to ask before destructive changes and to avoid printing secrets, but you should still review the Security Audits panel on this Prism page and treat proposed shell commands as privileged operations you approve explicitly.
SKILL.md - Healthcheck
# OpenClaw host healthcheck

Goal: assess host risk, run read-only checks, then propose staged hardening without breaking access.

## Rules

- Ask before state-changing actions.
- Do not change SSH/firewall/remote access until the access path is confirmed.
- Prefer reversible steps and rollback notes.
- Never claim OpenClaw manages OS firewall, SSH, or updates.
- If identity/role is unknown, recommend only.
- User choices: numbered list.
- Never print secrets.

## Context to infer first

- OS/version, container vs host.
- Privilege level.
- Access path: local, SSH, RDP, tailnet.
- Network exposure: public IP, reverse proxy, tunnel, LAN only.
- OpenClaw gateway status, bind, auth.
- Backup status.
- Disk encryption.
- Automatic security updates.
- Usage mode: personal workstation, local assistant box, remote server, other.

Ask only for missing facts. Simple phrasing preferred.

## Read-only checks

Ask once for permission to run read-only checks. Then run the relevant commands.

Common:

```bash
openclaw security audit --deep
openclaw gateway status --deep
openclaw doctor
```

macOS:

```bash
sw_vers
lsof -nP -iTCP -sTCP:LISTEN
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
pfctl -s info
tmutil status
fdesetup status
softwareupdate --schedule
```

Linux:

```bash
cat /etc/os-release
ss -ltnup || ss -ltnp
ufw status || firewall-cmd --state || nft list ruleset
systemctl status ssh sshd
lsblk -f
```

Windows:

```powershell
systeminfo
Get-NetFirewallProfile
Get-BitLockerVolume
```

## Risk profile

After context is known, ask for the desired posture:

1. Convenience: local/private, minimal prompts.
2. Balanced: secure defaults, low friction.
3. Strict: remote/public/sensitive data, more lock-down.

## Report shape

- Current posture: one paragraph.
- Findings: severity + evidence + why it matters.
- Recommended plan: staged, reversible.
- Commands: read-only first; write actions only after approval.
- Gaps: what could not be checked.

## Hardening menu

Offer only relevant items:

- Bind gateway to loopback/LAN/tailnet intentionally.
- Require auth for remote access.
- Close public ports or restrict by firewall.
- Enable OS security updates.
- Enable disk encryption.
- Verify backups and restore path.
- Disable password SSH or require keys/MFA where appropriate.
- Add scheduled `openclaw security audit --deep`.

Confirm the exact action before applying.
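As an added example (not part of the skill or the OpenClaw project), the POSIX shell below turns the Linux `ss -ltnp` listener check into the "severity + evidence" findings the report shape asks for, so the gateway bind item in the hardening menu is offered only when a wildcard or non-loopback bind is actually present. The sample output, the port 18789 and the process names are constructed assumptions, not captured from a real host.

```sh
# Constructed sample of `ss -ltnp` output; not captured from a real host.
# Port 18789 and the process names are assumptions for illustration.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*         users:(("openclaw",pid=4242,fd=7))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      4096   *:18789             *:*               users:(("openclaw",pid=4243,fd=8))
LISTEN 0      128    192.168.1.10:8080   0.0.0.0:*         users:(("node",pid=1200,fd=9))
LISTEN 0      128    [::1]:5432          [::]:*            users:(("postgres",pid=900,fd=5))'

# classify_listeners: reads ss output on stdin and prints one finding per
# listener as "SEVERITY local-address process reason". Loopback binds are
# INFO, wildcard binds (0.0.0.0, *, [::]) are HIGH because they are reachable
# on every interface the firewall allows, and specific-interface binds are
# MEDIUM until the operator confirms the LAN/tailnet intent.
classify_listeners() {
    awk 'NR == 1 { next }            # skip the header row
    {
        la = $4
        n = match(la, /:[0-9]+$/)    # split address and port on the last colon
        addr = substr(la, 1, n - 1)
        proc = "unknown"
        if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
        if (addr == "127.0.0.1" || addr == "[::1]")
            print "INFO " la " " proc " loopback-only"
        else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            print "HIGH " la " " proc " bound-to-all-interfaces"
        else
            print "MEDIUM " la " " proc " bound-to-specific-interface-confirm-intent"
    }'
}

# worst_severity: reads findings on stdin and prints the highest severity,
# which decides whether the report leads with the hardening menu or not.
worst_severity() {
    awk '$1 == "HIGH" { h = 1 } $1 == "MEDIUM" { m = 1 }
         END { print (h ? "HIGH" : (m ? "MEDIUM" : "INFO")) }'
}

# Stand-alone usage: print the findings, then the overall severity.
printf '%s\n' "$SAMPLE_SS" | classify_listeners
printf '%s\n' "$SAMPLE_SS" | classify_listeners | worst_severity
```

On a real host, pipe `ss -ltnp` straight into `classify_listeners`; on macOS the `lsof -nP -iTCP -sTCP:LISTEN` output has a different column layout and would need its own parser.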