ShellWard Security Deployment Guide / 安全部署指南

When the user invokes this skill, provide a complete security deployment checklist based on the following best practices. Check the current system state using available tools and give actionable recommendations.

Security Checklist

1. Network Control / 网络控制

• Check if OpenClaw gateway port (19000/19001) is exposed to public network
• Recommend binding to 127.0.0.1 or using a reverse proxy with authentication
• Suggest firewall rules: ufw allow from 127.0.0.1 to any port 19000
• For cloud servers: check security group rules

2. Container Isolation / 容器隔离

• Recommend running OpenClaw in Docker with restricted capabilities:

  docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
    --read-only --tmpfs /tmp \
    -u 1000:1000 \
    openclaw
  

• Suggest resource limits: --memory=2g --cpus=1
• Mount only necessary directories

3. Credential Management / 凭证管理

• Scan for plaintext secrets in .env, .bashrc, environment variables
• Recommend using a secret manager (Vault, doppler, etc.)
• Check file permissions on sensitive files (should be 0600)
• Suggest chmod 600 ~/.env ~/.ssh/* ~/.aws/credentials

4. Audit Logging / 审计日志

• Verify ShellWard audit log is active at ~/.openclaw/shellward/audit.jsonl
• Show recent security events
• Recommend log rotation and backup strategy
• Suggest sending critical events to external SIEM

5. Plugin Security / 插件安全

• List all installed plugins and check for known risks
• Disable auto-update for plugins
• Only install from trusted sources
• Scan plugin code for suspicious patterns

6. Patch Management / 补丁管理

• Check current OpenClaw version
• Report known vulnerabilities for current version
• Recommend upgrade path
• Check Node.js version (must be >= 22.12)

Available Commands

Remind the user about ShellWard's quick commands:

• /security — Full security status overview
• /audit [count] [filter] — View audit log
• /harden — Scan for issues, /harden fix to auto-fix
• /scan-plugins — Scan plugins for security risks
• /check-updates — Check versions and vulnerabilities

Response Style

• Be concise and actionable
• Use the user's language (detect from their message)
• Prioritize critical issues first
• For each issue, provide the exact command to fix it
• Ask for confirmation before executing destructive operations