healthcheck

OpenClaw Host Hardening

Overview

Assess and harden the host running OpenClaw, then align it to a user-defined risk tolerance without breaking access. Use OpenClaw security tooling as a first-class signal, but treat OS hardening as a separate, explicit set of steps.

Core rules

  • Recommend running this skill with a state-of-the-art model (e.g., Opus 4.5, GPT 5.2+). The agent should self-check the current model and suggest switching if below that level; do not block execution.
  • Require explicit approval before any state-changing action.
  • Do not modify remote access settings without confirming how the user connects.
  • Prefer reversible, staged changes with a rollback plan.
  • Never claim OpenClaw changes the host firewall, SSH, or OS updates; it does not.
  • If role/identity is unknown, provide recommendations only.
  • Formatting: every set of user choices must be numbered so the user can reply with a single digit.
  • System-level backups are recommended; try to verify status.

Workflow (follow in order)

0) Model self-check (non-blocking)

Before starting, check the current model. If it is below state-of-the-art (e.g., Opus 4.5, GPT 5.2+), recommend switching. Do not block execution.

1) Establish context (read-only)

Try to infer 1–5 from the environment before asking. Prefer simple, non-technical questions if you need confirmation.
Determine (in order):
  1. OS and version (Linux/macOS/Windows), container vs host.
  2. Privilege level (root/admin vs user).
  3. Access path (local console, SSH, RDP, tailnet).
  4. Network exposure (public IP, reverse proxy, tunnel).
  5. OpenClaw gateway status and bind address.
  6. Backup system and status (e.g., Time Machine, system images, snapshots).
  7. Deployment context (local mac app, headless gateway host, remote gateway, container/CI).
  8. Disk encryption status (FileVault/LUKS/BitLocker).
  9. OS automatic security updates status. Note: these are not blocking items, but are highly recommended, especially if OpenClaw can access sensitive data.
  10. Usage mode for a personal assistant with full access (local workstation vs headless/remote vs other).
First ask once for permission to run read-only checks. If granted, run them by default and only ask questions for items you cannot infer or verify. Do not ask for information already visible in runtime or command output. Keep the permission ask as a single sentence, and list follow-up info needed as an unordered list (not numbered) unless you are presenting selectable choices.
If you must ask, use non-technical prompts:
  • “Are you using a Mac, Windows PC, or Linux?”
  • “Are you logged in directly on the machine, or connecting from another computer?”
  • “Is this machine reachable from the public internet, or only on your home/network?”
  • “Do you have backups enabled (e.g., Time Machine), and are they current?”
  • “Is disk encryption turned on (FileVault/BitLocker/LUKS)?”
  • “Are automatic security updates enabled?”
  • “How do you use this machine?” Examples:
    • Personal machine shared with the assistant
    • Dedicated local machine for the assistant
    • Dedicated remote machine/server accessed remotely (always on)
    • Something else?
Only ask for the risk profile after system context is known.
If the user grants read-only permission, run the OS-appropriate checks by default. If not, offer them (numbered). Examples:
  1. OS: `uname -a`, `sw_vers`, `cat /etc/os-release`.
  2. Listening ports:
    • Linux: `ss -ltnup` (or `ss -ltnp` if `-u` is unsupported). Without root, `-p` only names processes owned by the current user.
    • macOS: `lsof -nP -iTCP -sTCP:LISTEN`.
  3. Firewall status:
    • Linux: `ufw status`, `firewall-cmd --state`, `nft list ruleset` (pick what is installed).
    • macOS: `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` and `pfctl -s info`.
    Most firewall queries need root; `sudo` on these is still read-only, but say so before escalating.
  4. Backups (macOS): `tmutil status` (if Time Machine is used).
When reading the listener output, treat anything bound to 0.0.0.0, [::] or * as reachable from whatever network the host sits on; only loopback binds (127.0.0.1, ::1) are local-only.
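The step-1 checks above as one read-only script, added here as an example and not taken from the healthcheck skill or from OpenClaw itself. It picks whichever firewall front end is installed, gathers OS and privilege information, and labels every TCP listener as loopback-only or exposed, which is what items 4 and 5 of the context list turn on. Function names, the `EXPOSED`/`LOCAL` labels and the `--report`/`--demo` switches are this example's own choices; the sample listener lines in `demo_listeners` are constructed, not real host output.

```shell
#!/bin/sh
# Added example, not part of the healthcheck skill: the step-1 read-only
# checks as a script. Nothing here changes state. Function names and the
# EXPOSED/LOCAL labels are this example's own choices.

# Print the first command from the arguments that is installed, so the
# firewall query can use whichever front end the host actually has.
first_available() {
  for cmd in "$@"; do
    if command -v "$cmd" >/dev/null 2>&1; then
      printf '%s\n' "$cmd"
      return 0
    fi
  done
  return 1
}

# Read lines of "<proto> <addr>:<port>" (the shape of column 4 of
# "ss -ltnH" and column 9 of "lsof -iTCP -sTCP:LISTEN") and label each
# listener LOCAL if it is bound to a loopback address, else EXPOSED.
# "0.0.0.0", "[::]" and "*" all mean every interface, which is the
# exposure question behind items 4 and 5 of the context list.
classify_listeners() {
  while read -r proto local_addr _; do
    [ -n "$local_addr" ] || continue
    port=${local_addr##*:}
    host=${local_addr%:*}
    case "$host" in
      127.*|'[::1]'|localhost) kind=LOCAL ;;
      *) kind=EXPOSED ;;
    esac
    printf '%s %s %s %s\n' "$kind" "$proto" "$host" "$port"
  done
}

# Gather the OS-appropriate context. Firewall state commands are named
# rather than run because most of them need root; the agent should ask
# before escalating.
context_report() {
  printf 'OS: %s\n' "$(uname -srm)"
  if [ "$(id -u)" -eq 0 ]; then echo 'Privilege: root'; else echo 'Privilege: user'; fi
  case "$(uname -s)" in
    Linux)
      [ -r /etc/os-release ] && sed -n 's/^PRETTY_NAME=//p' /etc/os-release
      echo 'Listeners (tcp):'
      # -H drops the header line; column 4 is Local Address:Port
      ss -ltnH 2>/dev/null | awk '{print "tcp", $4}' | classify_listeners
      fw=$(first_available ufw firewall-cmd nft) || fw=none
      echo "Firewall front end: $fw (query with sudo: ufw status / firewall-cmd --state / nft list ruleset)"
      ;;
    Darwin)
      sw_vers
      echo 'Listeners (tcp):'
      # column 9 of lsof is NAME, e.g. "*:8080" or "127.0.0.1:5432"
      lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | awk 'NR > 1 {print "tcp", $9}' | classify_listeners
      /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
      tmutil status 2>/dev/null | sed -n '1,6p'
      ;;
  esac
}

# Constructed sample lines (not real host output) so classify_listeners
# can be tried offline: two loopback binds, two all-interface binds.
demo_listeners() {
  printf '%s\n' 'tcp 127.0.0.1:5432' 'tcp 0.0.0.0:22' 'tcp [::1]:631' 'tcp *:8080' \
    | classify_listeners
}

case "${1:-}" in
  --report) context_report ;;
  --demo) demo_listeners ;;
esac
```

Run it with `--report` on the host for the real picture, or `--demo` to see the classification on the constructed sample; an `EXPOSED` line for the OpenClaw gateway bind address is the finding that decides whether the firewall and access-path questions in step 4 need the stricter profile.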

2) Run OpenClaw security audits (read-only)

As part of the default read-only checks, run `openclaw security audit --deep`. Only offer alternatives if the user requests them:
  1. `openclaw security audit` (faster, non-probing)
  2. `openclaw security audit --json` (structured output)
Offer to apply OpenClaw safe defaults (numbered):
  1. `openclaw security audit --fix`
Be explicit that `--fix` only tightens OpenClaw defaults and file permissions. It does not change host firewall, SSH, or OS update policies. Because it changes state, it falls under the required-approval rule: get explicit approval before running it.
If browser control is enabled, recommend that 2FA be enabled on all important accounts, with hardware keys preferred and SMS not sufficient.

3) Check OpenClaw version/update status (read-only)

As part of the default read-only checks, run `openclaw update status`.
Report the current channel and whether an update is available.

4) Determine risk tolerance (after system context)

Ask the user to pick or confirm a risk posture and any required open services/ports (numbered choices below). Do not pigeonhole into fixed profiles; if the user prefers, capture requirements instead of choosing a profile. Offer suggested profiles as optional defaults (numbered). Note that most users pick Home/Workstation Balanced:
  1. Home/Workstation Balanced (most common): firewall on with reasonable defaults, remote access restricted to LAN or tailnet.
  2. VPS Hardened: deny-by-default inbound firewall, minimal open ports, key-only SSH, no root login, automatic security updates.
  3. Developer Convenience: more local services allowed, explicit exposure warnings, still audited.
  4. Custom: user-defined constraints (services, exposure, update cadence, access methods).

5) Produce a remediation plan

Provide a plan that includes:
  • Target profile
  • Current posture summary
  • Gaps vs target
  • Step-by-step remediation with exact commands
  • Access-preservation strategy and rollback
  • Risks and potential lockout scenarios
  • Least-privilege notes (e.g., avoid admin usage, tighten ownership/permissions where safe)
  • Credential hygiene notes (location of OpenClaw creds, prefer disk encryption)
Always show the plan before any changes.
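The SSH and firewall steps of the "VPS Hardened" profile from step 4, written as the kind of reversible, access-preserving remediation step 5 asks for. This is an added example and not the skill's or OpenClaw's own code: it edits an `sshd_config` through a timestamped backup, refuses to turn off password login unless an `authorized_keys` file with content exists (the lockout scenario), and emits the rollout and firewall commands in the order that keeps the current session alive. Function names, the backup suffix, the Debian/Ubuntu `ssh` unit name and `ufw` as the firewall front end are this example's assumptions; the sshd_config and key in `demo` are constructed. Try it on a copy before pointing it at `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example, not part of the healthcheck skill: the SSH and firewall
# steps of the "VPS Hardened" profile as reversible changes with a
# lockout guard. Function names, the backup suffix and the Debian/Ubuntu
# "ssh" unit name in the rollout plan are this example's assumptions.

# Set "Key Value" at global scope in an sshd_config: the first existing
# line for the directive (active or commented out) is replaced, later
# duplicates are dropped, and a missing directive is inserted before the
# first "Match" block so it does not land inside that block's scope.
# Lines inside Match blocks are left untouched. The result is written
# through "cat >" so the file keeps its owner and mode.
set_sshd_directive() {
  cfg=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    /^[[:space:]]*Match[[:space:]]/ { if (!done) { print k, v; done = 1 }; inmatch = 1 }
    !inmatch && ($1 == k || $1 == ("#" k)) { if (!done) { print k, v; done = 1 }; next }
    { print }
    END { if (!done) print k, v }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# Effective global value of a directive (sshd uses the first occurrence),
# or empty if it is unset.
sshd_directive() {
  awk -v k="$1" '/^[[:space:]]*Match[[:space:]]/ { exit } $1 == k { print $2; exit }' "$2"
}

# Key-only, no-root SSH. Refuses unless an authorized_keys file with
# content exists: turning off password login with no key in place is
# the lockout scenario for this step. Saves a timestamped backup first.
harden_sshd() {
  cfg=$1 keys=$2
  if [ ! -s "$keys" ]; then
    echo "refusing: $keys is empty or missing; password login would be the only way in" >&2
    return 1
  fi
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  set_sshd_directive "$cfg" PermitRootLogin no
  set_sshd_directive "$cfg" PasswordAuthentication no
  set_sshd_directive "$cfg" KbdInteractiveAuthentication no
  set_sshd_directive "$cfg" PubkeyAuthentication yes
}

# Ordered commands for the SSH rollout: syntax-check before reload, keep
# the current session open until a second login succeeds, and the last
# line is the rollback.
sshd_rollout_plan() {
  backup=$1
  printf '%s\n' \
    'sudo sshd -t -f /etc/ssh/sshd_config' \
    'sudo systemctl reload ssh' \
    '# open a NEW terminal and confirm "ssh user@host" works before closing this one' \
    "# rollback: sudo cp $backup /etc/ssh/sshd_config && sudo systemctl reload ssh"
}

# Ordered commands for a deny-by-default inbound firewall. The allow rule
# for the SSH port comes first so enabling the firewall over SSH cannot
# drop the session doing it.
firewall_plan() {
  port=${1:-22}
  printf '%s\n' \
    "sudo ufw allow $port/tcp" \
    'sudo ufw default deny incoming' \
    'sudo ufw default allow outgoing' \
    'sudo ufw --force enable' \
    'sudo ufw status verbose'
}

# Offline demonstration on a constructed sshd_config and key (neither is
# a real host file): run with --demo.
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
    'Match User deploy' '    PasswordAuthentication yes' > "$d/sshd_config"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA example@host\n' > "$d/authorized_keys"
  harden_sshd "$d/sshd_config" "$d/authorized_keys"
  cat "$d/sshd_config"
  sshd_rollout_plan "$(ls "$d"/sshd_config.bak.*)"
  firewall_plan 22
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The two plan functions are the "Export commands for later" output of step 6: each line is a command the user can run or decline one at a time, and the ordering (allow SSH before deny-by-default, test before reload, second login before closing the first) is the access-preservation strategy itself, not decoration.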

6) Offer execution options

Offer one of these choices (numbered so users can reply with a single digit):
  1. Do it for me (guided, step-by-step approvals)
  2. Show plan only
  3. Fix only critical issues
  4. Export commands for later

7) Execute with confirmations

For each step:
  • Show the exact command
  • Explain impact and rollback
  • Confirm access will remain available
  • Stop on unexpected output and ask for guidance

8) Verify and report

Re-check:
  • Firewall status
  • Listening ports
  • Remote access still works
  • OpenClaw security audit (re-run)
Deliver a final posture report and note any deferred items.

Required confirmations (always)

Require explicit approval for:
  • Firewall rule changes
  • Opening/closing ports
  • SSH/RDP configuration changes
  • Installing/removing packages
  • Enabling/disabling services
  • User/group modifications
  • Scheduling tasks or startup persistence
  • Update policy changes
  • Access to sensitive files or credentials
If unsure, ask.

Periodic checks

After OpenClaw install or first hardening pass, run at least one baseline audit and version check:
  • openclaw security audit
  • openclaw security audit --deep
  • openclaw update status
Ongoing monitoring is recommended. Use the OpenClaw cron tool/CLI to schedule periodic audits (Gateway scheduler). Do not create scheduled tasks without explicit approval. Store outputs in a user-approved location and avoid secrets in logs. When scheduling headless cron runs, include a note in the output that instructs the user to call `healthcheck` so issues can be fixed.

Required prompt to schedule (always)

After any audit or hardening pass, explicitly offer scheduling and require a direct response. Use a short prompt like (numbered):
  1. “Do you want me to schedule periodic audits (e.g., daily/weekly) via `openclaw cron add`?”
If the user says yes, ask for:
  • cadence (daily/weekly), preferred time window, and output location
  • whether to also schedule `openclaw update status`
Use a stable cron job name so updates are deterministic. Prefer exact names:
  • healthcheck:security-audit
  • healthcheck:update-status
Before creating, run `openclaw cron list` and match on the exact `name` (not a substring, so `healthcheck:security-audit` never matches a user's own `security-audit` job). If found, `openclaw cron edit <id> ...`. If not found, `openclaw cron add --name <name> ...`. This lookup-then-edit-or-add sequence is what keeps repeated runs from piling up duplicate jobs.
Also offer a periodic version check so the user can decide when to update (numbered):
  1. `openclaw update status` (preferred for source checkouts and channels)
  2. `npm view openclaw version` (published npm version)

OpenClaw command accuracy

Use only supported commands and flags:
  • openclaw security audit [--deep] [--fix] [--json]
  • openclaw status / openclaw status --deep
  • openclaw health --json
  • openclaw update status
  • openclaw cron add|list|runs|run
Do not invent CLI flags or imply OpenClaw enforces host firewall/SSH policies.

Logging and audit trail

Record:
  • Gateway identity and role
  • Plan ID and timestamp
  • Approved steps and exact commands
  • Exit codes and files modified (best effort)
Redact secrets. Never log tokens or full credential contents.
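An audit-trail helper for step 7 that records what the list above asks for (timestamp, exact command, exit code, files touched as far as the output shows) while masking secrets before anything reaches disk. This is an added example, not code from the healthcheck skill or from OpenClaw: the `redact` patterns, the `[REDACTED]`/`[IP]` markers and the log format are this example's choices, and they deliberately over-match (a `keyboard=` setting gets masked too), because an over-redacted log is the cheaper mistake. The command in `--demo` is constructed and the token and address in it are fake. Assumes a `sed` that accepts `-E` (GNU and BSD both do).

```shell
#!/bin/sh
# Added example, not part of the healthcheck skill: an append-only audit
# trail for step 7 that records each approved command, its exit code and
# its output with secrets masked before anything touches disk.

# Mask bearer/basic/token headers, KEY=VALUE style secrets, IPv4
# addresses and any long opaque string (likely a token or key). Uses "#"
# as the sed delimiter so "/" in patterns needs no escaping.
redact() {
  sed -E \
    -e 's#(Bearer|Basic|Token)[[:space:]]+[A-Za-z0-9._~+/=-]+#\1 [REDACTED]#g' \
    -e 's#([A-Za-z_]*(token|TOKEN|secret|SECRET|password|PASSWORD|key|KEY)[A-Za-z_]*)[=:][[:space:]]*[^[:space:]]+#\1=[REDACTED]#g' \
    -e 's#([0-9]{1,3}\.){3}[0-9]{1,3}#[IP]#g' \
    -e 's#[A-Za-z0-9+/=_-]{40,}#[REDACTED]#g'
}

# Run one approved step, append a redacted record to the log and return
# the step's exit code unchanged so the caller can stop on failure
# ("stop on unexpected output and ask for guidance"). The raw output is
# held only in memory and never written anywhere.
log_step() {
  log=$1; shift
  rc=0
  out=$(sh -c "$*" 2>&1) || rc=$?
  {
    printf '[%s] cmd=%s rc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(printf '%s' "$*" | redact)" "$rc"
    printf '%s\n' "$out" | redact | sed 's/^/  /'
  } >> "$log"
  return "$rc"
}

# Constructed demonstration (fake token and address): run with --demo.
if [ "${1:-}" = "--demo" ]; then
  demo_log=$(mktemp)
  log_step "$demo_log" 'echo "Authorization: Bearer abc.DEF-123 from 10.0.0.7 api_key=sk_live_XYZ"' || true
  cat "$demo_log"
fi
```

Before delivering the step-8 report, run the finished log through `grep -E 'Bearer|token|secret|password'` one more time; anything left unmasked is a pattern `redact` needs, not something to hand over.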

Memory writes (conditional)

Only write to memory files when the user explicitly opts in and the session is a private/local workspace (per `docs/reference/templates/AGENTS.md`). Otherwise provide a redacted, paste-ready summary the user can decide to save elsewhere.
Follow the durable-memory prompt format used by OpenClaw compaction:
  • Write lasting notes to `memory/YYYY-MM-DD.md`.
After each audit/hardening run, if opted-in, append a short, dated summary to `memory/YYYY-MM-DD.md` (what was checked, key findings, actions taken, any scheduled cron jobs, key decisions, and all commands executed). Append-only: never overwrite existing entries. Redact sensitive host details (usernames, hostnames, IPs, serials, service names, tokens). If there are durable preferences or decisions (risk posture, allowed ports, update policy), also update `MEMORY.md` (long-term memory is optional and only used in private sessions).
If the session cannot write to the workspace, ask for permission or provide exact entries the user can paste into the memory files.