How to install healthcheck
npx skills add https://github.com/steipete/clawdis --skill healthcheckFull instructions (SKILL.md)
Source of truth, from steipete/clawdis.
name: healthcheck description: "Audit/harden OpenClaw hosts: SSH, firewall, updates, exposure, backups, disk encryption, gateway security."
OpenClaw host healthcheck
Goal: assess host risk, run read-only checks, then propose staged hardening without breaking access.
Rules
- Ask before state-changing actions.
- Do not change SSH/firewall/remote access until access path is confirmed.
- Prefer reversible steps and rollback notes.
- Never claim OpenClaw manages OS firewall, SSH, or updates.
- If identity/role unknown, recommend only.
- User choices: numbered list.
- Never print secrets.
Context to infer first
- OS/version, container vs host.
- Privilege level.
- Access path: local, SSH, RDP, tailnet.
- Network exposure: public IP, reverse proxy, tunnel, LAN only.
- OpenClaw gateway status, bind, auth.
- Backup status.
- Disk encryption.
- Automatic security updates.
- Usage mode: personal workstation, local assistant box, remote server, other.
Ask only for missing facts. Simple phrasing preferred.
Read-only checks
Ask once for permission to run read-only checks. Then run relevant commands.
Common:
openclaw security audit --deep
openclaw gateway status --deep
openclaw doctor
macOS:
sw_vers
lsof -nP -iTCP -sTCP:LISTEN
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
pfctl -s info
tmutil status
fdesetup status
softwareupdate --schedule
Linux:
cat /etc/os-release
ss -ltnup || ss -ltnp
ufw status || firewall-cmd --state || nft list ruleset
systemctl status ssh sshd
lsblk -f
Windows:
systeminfo
Get-NetFirewallProfile
Get-BitLockerVolume
Risk profile
After context is known, ask desired posture:
- Convenience: local/private, minimal prompts.
- Balanced: secure defaults, low friction.
- Strict: remote/public/sensitive data, more lock-down.
Report shape
- Current posture: one paragraph.
- Findings: severity + evidence + why it matters.
- Recommended plan: staged, reversible.
- Commands: read-only first; write actions only after approval.
- Gaps: what could not be checked.
Hardening menu
Offer only relevant items:
- Bind gateway to loopback/LAN/tailnet intentionally.
- Require auth for remote access.
- Close public ports or restrict by firewall.
- Enable OS security updates.
- Enable disk encryption.
- Verify backups and restore path.
- Disable password SSH or require keys/MFA where appropriate.
- Add scheduled
openclaw security audit --deep.
Confirm exact action before applying.
Related skills
More from steipete/clawdis and the wider catalog.
summarize
Fast CLI to summarize or transcribe URLs, videos, podcasts, articles, PDFs, and local files.
weather
Current weather and forecasts with web_fetch, falling back to wttr.in curl for locations, rain, temperature, travel planning.
tmux
Control tmux sessions/panes for interactive CLIs: list, capture output, send keys, paste text, monitor prompts.
gog
Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs.
nano-pdf
Edit PDFs with natural-language instructions using the nano-pdf CLI.
openai-whisper
Local speech-to-text with the Whisper CLI (no API key).