steipete/node-connect
skills/node-connect/SKILL.md
Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps. Use when QR/setup code/manual connect fails, local Wi-Fi works but VPS/tailnet does not, or errors mention pairing required, unauthorized, bootstrap token invalid or expired, gateway.bind, gateway.remote.url, Tailscale, or plugins.entries.device-pair.config.publicUrl.
$ install --global
skillsauthnpx skillsauth add steipete/clawdis node-connectInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 1:54 PM22.5s1 file scanned
SKILL.md
- name:
- node-connect
- description:
- Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps. Use when QR/setup code/manual connect fails, local Wi-Fi works but VPS/tailnet does not, or errors mention pairing required, unauthorized, bootstrap token invalid or expired, gateway.bind, gateway.remote.url, Tailscale, or plugins.entries.device-pair.config.publicUrl.
Node Connect
Goal: find the one real route from node -> gateway, verify OpenClaw is advertising that route, then fix pairing/auth.
Topology first
Decide which case you are in before proposing fixes:
- same machine / emulator / USB tunnel
- same LAN / local Wi-Fi
- same Tailscale tailnet
- public URL / reverse proxy
Do not mix them.
- Local Wi-Fi problem: do not switch to Tailscale unless remote access is actually needed.
- VPS / remote gateway problem: do not keep debugging
localhostor LAN IPs.
If ambiguous, ask first
If the setup is unclear or the failure report is vague, ask short clarifying questions before diagnosing.
Ask for:
- which route they intend: same machine, same LAN, Tailscale tailnet, or public URL
- whether they used QR/setup code or manual host/port
- the exact app text/status/error, quoted exactly if possible
- whether
openclaw devices listshows a pending pairing request
Do not guess from can't connect.
Canonical checks
Prefer openclaw qr --json. It uses the same setup-code payload Android scans.
openclaw config get gateway.mode
openclaw config get gateway.bind
openclaw config get gateway.tailscale.mode
openclaw config get gateway.remote.url
openclaw config get gateway.auth.mode
openclaw config get gateway.auth.allowTailscale
openclaw config get plugins.entries.device-pair.config.publicUrl
openclaw qr --json
openclaw devices list
openclaw nodes status
If this OpenClaw instance is pointed at a remote gateway, also run:
openclaw qr --remote --json
If Tailscale is part of the story:
tailscale status --json
Read the result, not guesses
openclaw qr --json success means:
gatewayUrl: this is the actual endpoint the app should use.urlSource: this tells you which config path won.
Common good sources:
gateway.bind=lan: same Wi-Fi / LAN onlygateway.bind=tailnet: direct tailnet accessgateway.tailscale.mode=serveorgateway.tailscale.mode=funnel: Tailscale routeplugins.entries.device-pair.config.publicUrl: explicit public/reverse-proxy routegateway.remote.url: remote gateway route
Root-cause map
If openclaw qr --json says Gateway is only bound to loopback:
- remote node cannot connect yet
- fix the route, then generate a fresh setup code
gateway.bind=autois not enough if the effective QR route is still loopback- same LAN: use
gateway.bind=lan - same tailnet: prefer
gateway.tailscale.mode=serveor usegateway.bind=tailnet - public internet: set a real
plugins.entries.device-pair.config.publicUrlorgateway.remote.url
If gateway.bind=tailnet set, but no tailnet IP was found:
- gateway host is not actually on Tailscale
If qr --remote requires gateway.remote.url:
- remote-mode config is incomplete
If the app says pairing required:
- network route and auth worked
- approve the pending device
openclaw devices list
openclaw devices approve --latest
If the app says bootstrap token invalid or expired:
- old setup code
- generate a fresh one and rescan
- do this after any URL/auth fix too
If the app says unauthorized:
- wrong token/password, or wrong Tailscale expectation
- for Tailscale Serve,
gateway.auth.allowTailscalemust match the intended flow - otherwise use explicit token/password
Fast heuristics
- Same Wi-Fi setup + gateway advertises
127.0.0.1,localhost, or loopback-only config: wrong. - Remote setup + setup/manual uses private LAN IP: wrong.
- Tailnet setup + gateway advertises LAN IP instead of MagicDNS / tailnet route: wrong.
- Public URL set but QR still advertises something else: inspect
urlSource; config is not what you think. openclaw devices listshows pending requests: stop changing network config and approve first.
Fix style
Reply with one concrete diagnosis and one route.
If there is not enough signal yet, ask for setup + exact app text instead of guessing.
Good:
The gateway is still loopback-only, so a node on another network can never reach it. Enable Tailscale Serve, restart the gateway, run openclaw qr again, rescan, then approve the pending device pairing.
Bad:
Maybe LAN, maybe Tailscale, maybe port forwarding, maybe public URL.
Related Skills
steipete/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,588SKILL.mdUpdated Apr 13, 2026
steipete/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,588SKILL.mdUpdated Apr 13, 2026
steipete/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,588SKILL.mdUpdated Apr 13, 2026
steipete/openclaw-qa-testing
development
VerifiedTrustedCommunity
Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
357,588SKILL.mdUpdated Apr 13, 2026