bagelhole/openclaw-deployment-hardening
security/hardening/openclaw-deployment-hardening/SKILL.md
Secure OpenClaw deployments with preflight hardening checks, CI/CD guardrails, container runtime restrictions, and post-deploy verification. Use when shipping OpenClaw with Docker, Kubernetes, or automated release pipelines.
$ install --global
skillsauthnpx skillsauth add bagelhole/devops-security-agent-skills openclaw-deployment-hardeningInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 5:06 PM5.2s1 file scanned
SKILL.md
- name:
- openclaw-deployment-hardening
- description:
- Secure OpenClaw deployments with preflight hardening checks, CI/CD guardrails, container runtime restrictions, and post-deploy verification. Use when shipping OpenClaw with Docker, Kubernetes, or automated release pipelines.
- license:
- MIT
- author:
- devops-skills
- version:
- 1.0
OpenClaw Deployment Hardening
Use this skill to add repeatable security gates around OpenClaw build and deployment workflows.
Enforce a Secure Build Pipeline
Add mandatory controls to CI before artifacts are promoted:
- Dependency and lockfile vulnerability scan (fail on critical CVEs).
- Image scan for OS/package vulnerabilities.
- Secret scanning across source and build context.
- SBOM generation and artifact signing.
- Policy check that blocks deploy when controls fail.
Example CI step order:
# Build
npm ci
npm run build
# Security gates
trivy fs .
trivy image my-registry/openclaw:${GIT_SHA}
syft my-registry/openclaw:${GIT_SHA} -o spdx-json > sbom.json
cosign sign --key cosign.key my-registry/openclaw:${GIT_SHA}
Lock Down Container Runtime
Run OpenClaw with restrictive defaults:
- Non-root user in container
- Read-only root filesystem where possible
- Drop all Linux capabilities, add back only required
no-new-privilegesenabled- Constrained CPU/memory limits to reduce abuse impact
- Seccomp/AppArmor (or equivalent) profile enforced
Kubernetes-oriented expectations:
runAsNonRoot: trueallowPrivilegeEscalation: falsereadOnlyRootFilesystem: true- network policy deny-all baseline with explicit allow rules
Gate Production Promotion
Require explicit promotion checks:
- Security sign-off on CVE exceptions.
- Signed artifact verification in deployment stage.
- Drift check between expected and live manifest values.
- Deployment only from immutable tags or digests.
Avoid mutable latest tags for production OpenClaw services.
Protect Data and Session Surfaces
- Minimize prompt/response retention by policy.
- Mask secrets and PII in logs before shipping to SIEM.
- Encrypt persistent volumes and backups.
- Isolate tenant/session data boundaries when serving multiple teams.
Post-Deploy Verification
Run a hardening smoke test immediately after rollout:
kubectl get pods -n openclaw
kubectl auth can-i --as=system:serviceaccount:openclaw:default list secrets -n openclaw
kubectl get networkpolicy -n openclaw
kubectl logs deploy/openclaw -n openclaw --tail=200
Verify:
- Pod security context matches policy.
- Service account permissions are least privilege.
- Ingress auth/rate limits are effective.
- No plaintext secrets appear in logs.
Incident-Ready Rollback Pattern
Maintain a hardened rollback workflow:
- Freeze further rollouts.
- Revoke suspect tokens and rotate secrets.
- Roll back to last signed known-good image digest.
- Re-run post-deploy hardening verification.
- Capture timeline and artifacts for forensics.
Related Skills
- container-hardening - Container security baseline controls
- kubernetes-hardening - Pod and cluster hardening patterns
- sbom-supply-chain - SBOM, signing, and provenance controls
Related Skills
bagelhole/sre-dashboards
development
VerifiedTrustedCommunity
Design and operationalize SRE dashboards that surface reliability, latency, error, saturation, and capacity signals across services. Use when building observability views for SLOs, incident response, and executive reliability reporting.
28SKILL.mdUpdated May 23, 2026
bagelhole/openclaw-security-hardening
testing
VerifiedTrustedCommunity
Harden OpenClaw self-hosted environments with baseline host controls, auth tightening, secret handling, network segmentation, and safe update/rollback workflows. Use when deploying OpenClaw in home labs, startups, or production-like local AI infrastructure.
28SKILL.mdUpdated Apr 3, 2026
bagelhole/vector-database-ops
devops
VerifiedTrustedCommunity
Deploy, manage, and optimize vector databases for AI applications. Covers Qdrant, Weaviate, pgvector, and Pinecone — collection management, indexing strategies, backup, and performance tuning for production RAG and semantic search workloads.
28SKILL.mdUpdated Apr 3, 2026
bagelhole/model-serving-kubernetes
testing
VerifiedTrustedCommunity
Deploy ML models on Kubernetes with KServe (formerly KFServing) and NVIDIA Triton Inference Server. Includes canary deployments, autoscaling, model versioning, A/B testing, and GPU resource management for production model serving.
28SKILL.mdUpdated Apr 3, 2026