← Back to Skills Marketplace
marcusgraetsch

Vps Openclaw Security Hardening

by MarcusGraetsch · GitHub ↗ · v1.0.6
cross-platform ⚠ suspicious
618
Downloads
2
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install vps-openclaw-security-hardening
Description
Production-ready security hardening for VPS running OpenClaw AI agents. Includes SSH hardening (custom port), firewall, audit logging, credential management,...
Usage Guidance
Do not run this on machines that hold sensitive personal or production data — the package explicitly warns that too. Before installing: (1) Test in a throwaway VM with the same OS (Ubuntu/Debian). (2) Inspect/correct packaging gaps: the installer expects rules/audit.rules and a config/alerting.env template but those files are not present in the manifest — add or create those files before running. (3) Keep an administrative console (existing SSH session) open while you change SSH port and verify you can reconnect; understand rollback-ssh.sh behavior. (4) If you enable alerts, store alert tokens (Telegram/Discord/Slack/Webhook) securely and be aware that audit outputs (ausearch results) may be transmitted verbatim to external endpoints — avoid enabling remote delivery on systems containing sensitive data. (5) Review the install.sh changes to /etc/ssh/sshd_config (note some oddities in the script's file-write approach) and confirm the package list behavior (fail2ban installation despite 'optional' messaging). If you are unsure about any of these points, mark this skill for further review or run it only in a well-isolated test environment.
Capability Analysis
Type: OpenClaw Skill Name: vps-openclaw-security-hardening Version: 1.0.6 The skill bundle is designed for VPS security hardening, including SSH, firewall, audit logging, and alerting. All scripts and documentation align with this stated purpose, implementing standard security practices like disabling root login, using key-only SSH, configuring UFW, and monitoring with auditd. The use of `curl` for sending alerts and reports to user-configured endpoints (Telegram, Discord, etc.) is a legitimate function of a monitoring tool, not unauthorized data exfiltration. The `SKILL.md` and `README.md` files contain clear instructions and critical warnings for the user/agent, demonstrating responsible security disclosure rather than prompt injection attempts. No evidence of intentional malicious behavior such as backdoors, unauthorized data theft, or stealthy execution was found.
Capability Assessment
Purpose & Capability
Name/description align with what the included scripts perform (SSH hardening, UFW, auditd, cron jobs, alerting). Required binaries (ssh, ufw, auditd, systemctl, apt-get) are appropriate for the stated purpose. Minor mismatch: SKILL metadata marks fail2ban as optional but install.sh installs fail2ban unconditionally.
Instruction Scope
Installer and helper scripts run as root and modify systemwide configuration (sshd_config, /etc/cron.d, /etc/audit, UFW, systemctl). They read system logs (/var/log/auth.log, /var/log/audit) and audit output (ausearch) and may send snippets via external alert channels (Telegram/Discord/Slack/Webhook/Email). That alerting/reporting may expose audit/log contents to external endpoints if you enable them — the SKILL.md does warn not to run on machines with sensitive data, but the scripts do not sanitize content beyond simple grep/head. Also the SKILL.md and scripts reference config/alerting.env and rules/audit.rules, but those files are not present in the provided file manifest, which would cause the installer to fail or behave unexpectedly.
Install Mechanism
No external download/install spec in registry (the bundle contains scripts). This reduces supply-chain risk, but the installer will make destructive system changes when run as root. No remote archives/URLs are downloaded by the installer itself. Because it's an instruction-driven install, you must review and run the scripts locally in a controlled environment first.
Credentials
The skill declares no required environment variables; it expects you to set SSH_PORT and optionally populate config/alerting.env with alert-channel credentials. It does not request unrelated cloud/provider credentials. Scripts inspect credential files in /root/.openclaw/.env and /root/.env (for verification) — that is consistent with a hardening/monitoring tool, but you should confirm where you store any secrets and protect alert-channel tokens.
Persistence & Privilege
The installer enables system services (auditd, unattended-upgrades, fail2ban), installs cron jobs under /etc/cron.d/agent-security, and writes to /etc (ssh, audit rules). It does not set always:true or modify other skills' configs, but it does create long-lived system changes and scheduled tasks — appropriate for a hardening tool but high-privilege, so run only on a dedicated/test machine.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install vps-openclaw-security-hardening
  3. After installation, invoke the skill by name or use /vps-openclaw-security-hardening
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.6
- Added audit log monitoring and weekly report scripts for enhanced monitoring. - Updated dependency requirements: fail2ban now optional. - Improved warnings and install advice in documentation. - Minor script and documentation updates for consistency and usability.
v1.0.5
- Improved documentation outlining installation, verification, and rollback steps. - Critical warnings and requirements are clarified for safe deployment. - Lists all implemented security features in a clear protection matrix. - Emphasizes user-selected custom SSH port for enhanced SSH security. - Adds tables for resource usage and file descriptions. - Highlights adherence to BSI IT-Grundschutz and NIST guidelines.
Metadata
Slug vps-openclaw-security-hardening
Version 1.0.6
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Vps Openclaw Security Hardening?

Production-ready security hardening for VPS running OpenClaw AI agents. Includes SSH hardening (custom port), firewall, audit logging, credential management,... It is an AI Agent Skill for Claude Code / OpenClaw, with 618 downloads so far.

How do I install Vps Openclaw Security Hardening?

Run "/install vps-openclaw-security-hardening" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Vps Openclaw Security Hardening free?

Yes, Vps Openclaw Security Hardening is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Vps Openclaw Security Hardening support?

Vps Openclaw Security Hardening is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Vps Openclaw Security Hardening?

It is built and maintained by MarcusGraetsch (@marcusgraetsch); the current version is v1.0.6.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments