healthcheck
AI-guided host security hardening and risk assessment for machines running OpenClaw — audits, firewall guidance, SSH hardening, and periodic checks.
npx clawhub@latest install healthcheck

The Healthcheck skill assesses and hardens the host machine running OpenClaw, aligning its security posture to a user-defined risk tolerance — without breaking access or making irreversible changes.

It walks you through a structured, approval-gated workflow: gathering system context, running openclaw security audit --deep, checking for available updates, diagnosing gaps against your chosen risk profile, and producing a step-by-step remediation plan with exact commands, rollback notes, and access-preservation strategies.

The skill also supports scheduling periodic audits and version checks via OpenClaw's built-in cron tooling, so your machine stays hardened over time — not just after the first pass.
How It Works
The skill follows a strict, ordered workflow designed to be safe and non-destructive:
1. Model self-check — Recommends a state-of-the-art model for best results; never blocks execution.
2. Context gathering (read-only) — Infers OS, privilege level, network exposure, disk encryption, backup status, and OpenClaw gateway configuration before asking any questions.
3. OpenClaw security audit — Runs openclaw security audit --deep and optionally applies safe defaults with --fix.
4. Version check — Runs openclaw update status and reports channel and update availability.
5. Risk profile selection — Offers preset profiles (Home/Workstation Balanced, VPS Hardened, Developer Convenience, Custom) or captures custom requirements.
6. Remediation plan — Produces a full plan with commands, rollback steps, lockout risks, and least-privilege notes before touching anything.
7. Guided execution — Every state-changing step requires explicit approval; unexpected output triggers a pause.
8. Verification & report — Re-checks firewall, listening ports, and remote access, then delivers a final posture report.
Key Features
- Approval-gated execution — Every state-changing action (firewall rules, SSH config, services, packages, cron jobs) requires explicit user confirmation before proceeding.
- OS-aware diagnostics — Runs the correct commands for Linux (ufw, nft, ss), macOS (pfctl, lsof, tmutil), and Windows environments automatically.
- OpenClaw-native audit integration — Uses openclaw security audit --deep and openclaw update status as first-class signals alongside OS-level checks.
- Risk profile alignment — Choose from Home/Workstation Balanced, VPS Hardened, Developer Convenience, or define a fully custom posture.
- Rollback-first remediation — Every plan includes access-preservation strategies and rollback steps to prevent lockout.
- Periodic cron scheduling — Offers to schedule recurring audits and version checks via openclaw cron add with deterministic, named jobs.
- Audit trail & memory — Optionally appends redacted, dated summaries to workspace memory files; never logs tokens or credentials.
- Non-destructive by design — Clearly distinguishes what OpenClaw can and cannot change; never implies the tool modifies host firewall, SSH, or OS update policies.
Requirements
- OpenClaw Installation — This skill is designed for hosts running an active OpenClaw deployment. The openclaw CLI must be available in the environment for audit and update commands to execute. (Required)
- Privilege Level — Root or administrator access is needed to apply hardening changes (firewall rules, SSH config, service management). Read-only audits and plan generation work without elevated privileges. (Required for changes; optional for audits)
- No External API Keys Required — This skill operates entirely through local system inspection and OpenClaw's built-in CLI. No third-party API keys are needed.
Use Cases
- First-time server hardening — Just spun up a VPS or Raspberry Pi running OpenClaw? Run this skill to lock down SSH, configure a deny-by-default firewall, enable automatic updates, and get a baseline posture report.
- Workstation security review — Running OpenClaw on a personal Mac or Linux workstation? Use the Home/Workstation Balanced profile to harden without sacrificing convenience or breaking local development tooling.
- Scheduled ongoing monitoring — Set up recurring openclaw security audit and openclaw update status cron jobs so drift is caught automatically and the skill is triggered to remediate when issues are found.
- Pre-deployment exposure review — Before exposing a machine to the public internet, use this skill to audit listening ports, review firewall rules, and confirm remote access is locked down to keys-only with no root login.
Installation
npx clawhub@latest install healthcheck