OpenClaw VPS Server Hardening

by maverick-software · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 383 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install openclaw-vps-hardening
Description
Harden a Hostinger VPS running OpenClaw agents against unauthorized access, brute force, and exposure. Use when securing a publicly-deployed OpenClaw instanc...
Usage Guidance
This skill appears to be what it says: a system hardening workflow plus a script that should be run as root on the target VPS. Before installing/running:
  1. Test in a snapshot or staging VM first (hardening changes, especially SSH port and firewall rules, can lock you out).
  2. Always run the script with --dry-run first and verify Cloudflare Tunnel is active; the script itself warns and asks for confirmation if cloudflared is not running.
  3. Manually verify SSH key presence and test SSH on the new port from a new terminal before closing the old session.
  4. Review the script for small implementation issues (Fail2Ban config uses a literal ${SSH_PORT} which may not expand; backup/revert of sshd_config depends on date-based file names and can be brittle) and adjust if necessary.
  5. Confirm OpenClaw's actual config directory and service name on your system (defaults point to /root/.openclaw and systemd unit openclaw) and pass --openclaw-dir / --openclaw-user if different.
  6. Review Cloudflare Access/service-token guidance and ensure you rotate/revoke any service tokens and secure the Cloudflare account with MFA.
If you are not comfortable with root-level changes, have an experienced sysadmin review and run these steps.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-vps-hardening
Version: 1.0.0
The skill bundle's stated purpose is benign, focusing on VPS security hardening. However, the `scripts/harden.sh` file contains a critical shell injection vulnerability. The `run()` helper function uses `eval "$@"`, which allows arbitrary command execution if an attacker can control the script's arguments (e.g., `--ssh-port` or `--openclaw-dir`). While there is no evidence of intentional malicious behavior, this vulnerability poses a significant remote code execution risk.
Capability Assessment
Purpose & Capability
Name/description match the included artifacts: the SKILL.md documents a Cloudflare-based hardening workflow and the repository contains a harden.sh script that implements UFW, SSH, Fail2Ban, OpenClaw binding, unattended upgrades, and file-permission changes. All requested actions are consistent with server hardening.
Instruction Scope
Instructions are focused on hardening and explicitly warn about lockout risk and the need to verify Cloudflare Tunnel before closing ports. The script runs as root and modifies system services and config files (expected). Minor issues: some configuration templates (Fail2Ban heredoc) include an unexpanded ${SSH_PORT} token (so the generated jail file may not contain the numeric port), and the sshd_config backup/revert logic uses the same date expression which can make automated revert brittle. These are operational bugs rather than evidence of malicious behavior, but they increase lockout risk if not tested.
Install Mechanism
No install spec; this is instruction-only with an included script. The script uses apt-get to install packages (ufw, fail2ban, unattended-upgrades) which is appropriate for the stated task. There are no downloads from untrusted URLs or archive extraction steps.
Credentials
The skill declares no environment variables or credentials. The SKILL.md and script do reference local files (OpenClaw config, cloudflared credentials) which is appropriate for a hardening tool. No external secrets or unrelated service credentials are requested.
Persistence & Privilege
`always` is false and the skill does not request persistent platform-level privileges or modify other skills' configurations. It makes system-level changes on the host when run as root (normal for a hardening script).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-vps-hardening
  3. After installation, invoke the skill by name or use /openclaw-vps-hardening
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — 7-layer Cloudflare-based hardening strategy for OpenClaw VPS deployments. Includes automated harden.sh script, Cloudflare Access setup guide with phone app service tokens, and full threat model.
Metadata
Slug openclaw-vps-hardening
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is OpenClaw VPS Server Hardening?

Harden a Hostinger VPS running OpenClaw agents against unauthorized access, brute force, and exposure. Use when securing a publicly-deployed OpenClaw instanc... It is an AI Agent Skill for Claude Code / OpenClaw, with 383 downloads so far.

How do I install OpenClaw VPS Server Hardening?

Run "/install openclaw-vps-hardening" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw VPS Server Hardening free?

Yes, OpenClaw VPS Server Hardening is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenClaw VPS Server Hardening support?

OpenClaw VPS Server Hardening is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created OpenClaw VPS Server Hardening?

It is built and maintained by maverick-software (@maverick-software); the current version is v1.0.0.
