security-guidelisted

# ShellWard Security Deployment Guide / 安全部署指南 When the user invokes this skill, provide a complete security deployment checklist based on the following best practices. Check the current system state using available tools and give actionable recommendations. ## Security Checklist ### 1. Network Control / 网络控制 - Check if OpenClaw gateway port (19000/19001) is exposed to public network - Recommend binding to 127.0.0.1 or using a reverse proxy with authentication - Suggest firewall rules: `ufw allow from 127.0.0.1 to any port 19000` - For cloud servers: check security group rules ### 2. Container Isolation / 容器隔离 - Recommend running OpenClaw in Docker with restricted capabilities: ``` docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE \ --read-only --tmpfs /tmp \ -u 1000:1000 \ openclaw ``` - Suggest resource limits: `--memory=2g --cpus=1` - Mount only necessary directories ### 3. Credential Management / 凭证管理 - Scan for plaintext secrets in .env, .bashrc, environment variables - Recommend using a secret manager (Vault, doppler, etc.) - Check file permissions on sensitive files (should be 0600) - Suggest `chmod 600 ~/.env ~/.ssh/* ~/.aws/credentials` ### 4. Audit Logging / 审计日志 - Verify ShellWard audit log is active at ~/.openclaw/shellward/audit.jsonl - Show recent security events - Recommend log rotation and backup strategy - Suggest sending critical events to external SIEM ### 5. Plugin Security / 插件安全 - List all installed plugins and check for known