healthcheck
Host security hardening and risk-tolerance configuration for OpenClaw deployments. Use when a user asks for security audits, firewall/SSH/update hardening, risk posture, exposure review, OpenClaw cron scheduling for periodic checks, or version status checks on a machine running OpenClaw (laptop, workstation, Pi, VPS).
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/mohdalhashemi98-hue/mh-healthcheckOpenClaw Host Hardening
Overview
Assess and harden the host running OpenClaw, then align it to a user-defined risk tolerance without breaking access. Use OpenClaw security tooling as a first-class signal, but treat OS hardening as a separate, explicit set of steps.
Core rules
- Recommend running this skill with a state-of-the-art model (e.g., Opus 4.5, GPT 5.2+). The agent should self-check the current model and suggest switching if below that level; do not block execution.
- Require explicit approval before any state-changing action.
- Do not modify remote access settings without confirming how the user connects.
- Prefer reversible, staged changes with a rollback plan.
- Never claim OpenClaw changes the host firewall, SSH, or OS updates; it does not.
- If role/identity is unknown, provide recommendations only.
- Formatting: every set of user choices must be numbered so the user can reply with a single digit.
- System-level backups are recommended; try to verify status.
Workflow (follow in order)
0) Model self-check (non-blocking)
Before starting, check the current model. If it is below state-of-the-art (e.g., Opus 4.5, GPT 5.2+), recommend switching. Do not block execution.
1) Establish context (read-only)
Try to infer 1–5 from the environment before asking. Prefer simple, non-technical questions if you need confirmation.
Determine (in order):
- OS and version (Linux/macOS/Windows), container vs host.
- Privilege level (root/admin vs user).
- Access path (local console, SSH, RDP, tailnet).
- Network exposure (public IP, reverse proxy, tunnel).
- OpenClaw gateway status and bind address.
- Backup system and status (e.g., Time Machine, system images, snapshots).
- Deployment context (local mac app, headless gateway host, remote gateway, container/CI).
- Disk encryption status (FileVault/LUKS/BitLocker).
- OS automatic security updates status. Note: these are not blocking items, but are highly recommended, especially if OpenClaw can access sensitive data.
- Usage mode for a personal assistant with full access (local workstation vs headless/remote vs other).
First ask once for permission to run read-only checks. If granted, run them by default and only ask questions for items you cannot infer or verify. Do not ask for information already visible in runtime or command output. Keep the permission ask as a single sentence, and list follow-up info needed as an unordered list (not numbered) unless you are presenting selectable choices.
If you must ask, use non-technical prompts:
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-mohdalhashemi98-hue-mh-healthcheck": {
"enabled": true,
"auto_update": true
}
}
}Related Skills
blogwatcher
Monitor blogs and RSS/Atom feeds for updates using the blogwatcher CLI.
1password
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.