Backend 25,731 installs

openclaw-secure-linux-cloud

by xixu-me/skills

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

Skill content

Secure self-hosted OpenClaw deployment on Linux cloud servers with conservative access controls.

- Guides fresh deployments, hardening reviews, and access-model decisions (SSH tunneling, Tailscale, reverse proxy) for remote OpenClaw instances

- Recommends a "deploy private, expose later" baseline: loopback-only gateway, SSH tunnel access, token auth, pairing, and minimal tool permissions by default

- Separates local machine actions (tunnel setup, browser access) from server actions (Linux hardening, Podman setup, config permissions) to avoid execution confusion

- Includes distro-specific hardening steps, rootless Podman setup, baseline config templates, pre-launch checklists, and access-escalation guidance with explicit red flags for unsafe patterns

Overview

Use this skill for the conservative "deploy first, expose later" pattern for
OpenClaw on a cloud server.

Default to a private control plane:

- Harden the Linux host before exposing anything.

- Keep the gateway bound to 127.0.0.1.

- Reach the Control UI through an SSH tunnel first.

- Keep token authentication, pairing, and sandboxing enabled.

- Start with a narrow tool profile and loosen only with an explicit need.

This skill is for secure Linux cloud hosting. If the user only wants the
fastest generic OpenClaw install on a local machine, prefer the official
OpenClaw onboarding docs instead of forcing this flow.

Open references/REFERENCE.md when you need the
command matrix, baseline config shape, checklist, or access-path comparison.