Host Healthcheck

Host security hardening and risk-tolerance configuration for OpenClaw deployments. Security audits, firewall/SSH/update hardening, and risk posture review.

The Healthcheck skill is OpenClaw's built-in security hardening and risk assessment tool. It audits your host system (whether it's a laptop, workstation, Raspberry Pi, or VPS) for common security misconfigurations and provides actionable fixes. Think of it as a security-conscious sysadmin that runs on demand or via cron.

The skill covers the key hardening areas: firewall configuration (is it enabled? are ports properly restricted?), SSH hardening (password auth disabled? root login blocked? key-based auth?), system updates (are packages current? are automatic updates configured?), and general exposure review (open ports, running services, unnecessary daemons).

What makes the healthcheck skill practical is its risk-tolerance model. Not every environment needs the same level of hardening: a home lab has different requirements than a production VPS. The skill adapts its recommendations based on the deployment context, flagging critical issues while noting acceptable tradeoffs.

For OpenClaw users, this is peace of mind. Schedule a weekly cron job that runs the healthcheck and reports findings to your Telegram. It's especially important since OpenClaw runs as a persistent service with access to your system, so keeping the host hardened reduces the attack surface.

The skill works on macOS and Linux, covering platform-specific tools: macOS Firewall, pfctl, ufw, iptables, nftables, and cloud-provider security groups. It checks for OpenClaw-specific concerns too, like whether the gateway is bound to localhost vs. a public interface.

Best suited for: anyone self-hosting OpenClaw (especially on a VPS), security-conscious users wanting regular audits, MSPs managing multiple OpenClaw deployments, developers who want automated security checks without becoming security experts.

Tags: security, hardening, audit, firewall, devops

Category: Security

Use Cases

  • Post-install security audit on a new OpenClaw host
  • Weekly automated security scan via cron with Telegram reports
  • Pre-deployment checklist for VPS or cloud instances
  • SSH hardening verification after configuration changes
  • Firewall audit to ensure no unnecessary ports are exposed
  • Version status checks for OpenClaw and system packages

Tips

  • Run a healthcheck immediately after first OpenClaw install on a new machine
  • Schedule weekly healthchecks via OpenClaw cron for continuous monitoring
  • Use `--fix` flag cautiously — review findings first without auto-fix
  • On VPS deployments, always check that SSH key auth works before disabling password auth
  • Combine with the gateway bind mode check — ensure it's not exposed on a public interface unnecessarily
  • Keep a backup SSH key or console access before applying firewall changes
  • For MSP deployments, centralize healthcheck reports to a shared channel
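
The SSH and gateway-bind tips above can be verified by hand with read-only checks before any fix is applied. The script below is an added example, not code from OpenClaw or the healthcheck skill; the function names, finding labels and port 8080 are assumptions, and all sample input is constructed.

```shell
#!/usr/bin/env bash
# Added example: read-only checks. All sample input below is constructed.

# Read sshd_config text (or `sshd -T` output) on stdin, print one finding per line.
# sshd keeps the first value it sees for a keyword; keywords are case-insensitive.
# Simplification: parsing stops at the first Match block; Include is not followed.
sshd_findings() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }
    END {
      pw = ("passwordauthentication" in v) ? v["passwordauthentication"] : "yes"
      rl = ("permitrootlogin" in v) ? v["permitrootlogin"] : "prohibit-password"
      pk = ("pubkeyauthentication" in v) ? v["pubkeyauthentication"] : "yes"
      if (pw != "no") print "WARN password-auth-enabled"
      if (rl != "no") print "WARN root-login-permitted=" rl
      if (pw == "no" && pk == "no") print "CRIT lockout-risk-no-pubkey-no-password"
    }'
}

# Read `ss -Hltn` output on stdin; print listeners on port $1 not bound to loopback.
exposed_listeners() {
  awk -v port="$1" '
    { addr = $4; n = split(addr, p, ":"); if (p[n] != port) next
      host = substr(addr, 1, length(addr) - length(p[n]) - 1)
      if (host !~ /^127\./ && host != "[::1]") print addr }'
}

# Constructed sample: the later "PasswordAuthentication no" is ignored by sshd.
SAMPLE_SSHD='# constructed sample
PermitRootLogin yes
passwordauthentication yes
PasswordAuthentication no
Match User backup
  PasswordAuthentication no'

# Constructed sample; 8080 is a placeholder, not OpenClaw's documented port.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SSHD" | sshd_findings
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 8080
```

On a real host, pipe `sshd -T` (run as root) and `ss -Hltn` into the two functions instead of the samples, and substitute the port your gateway actually listens on.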

Known Issues & Gotchas

  • Some fixes require elevated (sudo) permissions — the skill will ask before making changes
  • Firewall changes can lock you out of SSH if misconfigured — always keep a backup access method
  • macOS and Linux have different firewall tools — recommendations are platform-specific
  • The skill checks host security, not OpenClaw application security (auth, API keys, etc.)
  • Auto-fix mode should be used carefully on production servers — review changes first with dry-run
  • Cloud-hosted instances may have security groups that override local firewall rules

Alternatives

  • Lynis
  • CIS Benchmarks (manual)
  • OpenSCAP
  • fail2ban

Community Feedback

Run a Security Audit with Auto Fix. The first step toward security is visibility. For an MSP, this functions as a critical health check.

— Guardz Blog

If you just ran the install command, hardened everything with openclaw security audit --fix, and are now staring at a working setup — here's what to do next.

— Reddit r/OpenClawCentral

This is a comprehensive, deep-dive technical guide designed for security engineers, DevSecOps professionals, and AI researchers. The healthcheck skill focuses on host security hardening.

— Penligent AI

The existing healthcheck skill focuses on host security hardening, not gateway self-healing. A separate openclaw-doctor skill was proposed for runtime diagnostics.

— GitHub Issues

Configuration Examples

Run a security audit

# Interactive audit (review findings)
openclaw security audit

# Auto-fix common issues
openclaw security audit --fix

# Check specific areas
openclaw security audit --check firewall,ssh,updates

Scheduled healthcheck via cron

# OpenClaw cron job: weekly security audit
{
  "schedule": { "kind": "cron", "expr": "0 9 * * 1", "tz": "Asia/Calcutta" },
  "payload": { "kind": "agentTurn", "message": "Run a full healthcheck security audit on this host. Report findings." },
  "sessionTarget": "isolated",
  "delivery": { "mode": "announce" }
}

Installation

# Built-in (bundled with OpenClaw)

Source: bundled