OpenClaw VPS Server Hardening

Harden a Hostinger VPS running OpenClaw agents against unauthorized access, brute force, and exposure. Use when securing a publicly-deployed OpenClaw instanc...

This skill appears to be what it says: a system hardening workflow plus a script that should be run as root on the target VPS. Before installing/running: 1) Test in a snapshot or staging VM first (hardening changes, especially SSH port and firewall rules, can lock you out). 2) Always run the script with --dry-run first and verify Cloudflare Tunnel is active; the script itself warns and asks for confirmation if cloudflared is not running. 3) Manually verify SSH key presence and test SSH on the new port from a new terminal before closing the old session. 4) Review the script for small implementation issues (Fail2Ban config uses a literal ${SSH_PORT} which may not expand; backup/revert of sshd_config depends on date-based file names and can be brittle) and adjust if necessary. 5) Confirm OpenClaw's actual config directory and service name on your system (defaults point to /root/.openclaw and systemd unit openclaw) and pass --openclaw-dir / --openclaw-user if different. 6) Review Cloudflare Access/service-token guidance and ensure you rotate/revoke any service tokens and secure the Cloudflare account with MFA. If you are not comfortable with root-level changes, have an experienced sysadmin review and run these steps.

Type: OpenClaw Skill Name: openclaw-vps-hardening Version: 1.0.0 The skill bundle's stated purpose is benign, focusing on VPS security hardening. However, the `scripts/harden.sh` file contains a critical shell injection vulnerability. The `run()` helper function uses `eval "$@"`, which allows arbitrary command execution if an attacker can control the script's arguments (e.g., `--ssh-port` or `--openclaw-dir`). While there is no evidence of intentional malicious behavior, this vulnerability poses a significant remote code execution risk.