openclaw-secure-linux-cloud
Summary
Secure self-hosted OpenClaw deployment on Linux cloud servers with conservative access controls.
- Guides fresh deployments, hardening reviews, and access-model decisions (SSH tunneling, Tailscale, reverse proxy) for remote OpenClaw instances
- Recommends a "deploy private, expose later" baseline: loopback-only gateway, SSH tunnel access, token auth, pairing, and minimal tool permissions by default
- Separates local machine actions (tunnel setup, browser access) from server actions (Linux hardening, Podman setup, config permissions) to avoid execution confusion
- Includes distro-specific hardening steps, rootless Podman setup, baseline config templates, pre-launch checklists, and access-escalation guidance with explicit red flags for unsafe patterns
SKILL.md
Overview
Use this skill for the conservative "deploy first, expose later" pattern for OpenClaw on a cloud server.
Default to a private control plane:
- Harden the Linux host before exposing anything.
- Keep the gateway bound to 127.0.0.1.
- Reach the Control UI through an SSH tunnel first.
- Keep token authentication, pairing, and sandboxing enabled.
- Start with a narrow tool profile and loosen only with an explicit need.
This skill is for secure Linux cloud hosting. If the user only wants the fastest generic OpenClaw install on a local machine, prefer the official OpenClaw onboarding docs instead of forcing this flow.
Open references/REFERENCE.md when you need the command matrix, baseline config shape, checklist, or access-path comparison.
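A pre-launch check for the loopback-only gateway baseline described above, as an added example that is not part of the skill or of OpenClaw: it reads `ss -Htln` output and fails if the given port listens on anything other than loopback. Port 3000, the function names and the sample lines are constructed placeholders, not OpenClaw defaults.

```shell
#!/bin/sh
# Added example: confirm a port is listening on loopback only.
# Feed it `ss -Htln` output (column 4 is local address:port), e.g.
#   ss -Htln | check_loopback_only "$GATEWAY_PORT"
# Status: 0 = loopback only, 1 = exposed listener, 2 = nothing listening.
check_loopback_only() {
    awk -v port="$1" '
        {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next        # other port: ignore
            found = 1
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)             # drop interface scope (%lo)
            gsub(/^\[|\]$/, "", host)         # unwrap IPv6 brackets
            # Anything outside 127.0.0.0/8 and ::1 counts as exposed,
            # including wildcards such as 0.0.0.0, [::] and *.
            if (host !~ /^127\./ && host != "::1") {
                print "EXPOSED: " addr
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample input (not captured from a real host).
# Port 3000 is a placeholder for the gateway port.
sample_private() {
    printf '%s\n' \
        'LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 128 [::1]:3000 [::]:*'
}
sample_exposed() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:3000 0.0.0.0:*' \
        'LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*'
}

sample_private | check_loopback_only 3000 && echo "port 3000: loopback only"
sample_exposed | check_loopback_only 3000 || echo "port 3000: exposed (status $?)"
```

Status 2 (nothing listening) is kept distinct from status 0 so that a gateway that failed to start is not reported as safely private.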