openclaw-secure-linux-cloudlisted

# OpenClaw Secure Linux Cloud ## Overview Use this skill for the conservative "deploy first, expose later" pattern for OpenClaw on a cloud server. Default to a private control plane: - Harden the Linux host before exposing anything. - Keep the gateway bound to `127.0.0.1`. - Reach the Control UI through an SSH tunnel first. - Keep token authentication, pairing, and sandboxing enabled. - Start with a narrow tool profile and loosen only with an explicit need. This skill is for secure Linux cloud hosting. If the user only wants the fastest generic OpenClaw install on a local machine, prefer the official OpenClaw onboarding docs instead of forcing this flow. Open [`references/REFERENCE.md`](./references/REFERENCE.md) when you need the command matrix, baseline config shape, checklist, or access-path comparison. ## When To Use Use this skill when the user mentions any of the following: - OpenClaw on a cloud server, VM, or other Linux host - Secure self-hosting, hardening, or "run it privately" - Podman, loopback binding, SSH tunneling, or remote Control UI access - Tailscale vs reverse proxy for OpenClaw - Pairing, sandboxing, token auth, or locked-down tool permissions - Reviewing whether an existing OpenClaw host is too exposed Do not use this skill for: - General Linux hardening with no OpenClaw component - Local single-machine onboarding where remote access is irrelevant - Pure local onboarding with no remote-host hardening questions - Non-Linux hosting unless the us