skill-claw
- Repo stars 3,406
- Author updated Live
- Author repo claude-octopus
- Domain
- DevOps
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 83 / 100 · community maintained
- Author / version / license
- @nyldn · no license declared
- Token usage
- Lean
- Setup complexity
- Manual integration
- External API key
- Not required
- Operating systems
- macOS · Linux · Docker
- Runtime requirements
- Node.js · Docker
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Network behavior
- External requests
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。; 检出高风险片段:pipe_curl_to_shell
---
name: skill-claw
description: OpenClaw instance administration — manage hosts across macOS, Ubuntu/Debian, Docker, OCI, and Pr…
category: devops
runtime: Node.js / Docker
---
# skill-claw output preview
## PART A: Task fit
- Use case: OpenClaw instance administration — manage hosts across macOS, Ubuntu/Debian, Docker, OCI, and Proxmox DETECT PLATFORM FIRST. DIAGNOSE BEFORE CHANGING. VERIFY AFTER EVERY ACTION. makes outbound network calls; runs on Node.js. Works with Claude Code, Cursor, Cline and 23 more..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “The Iron Law / When to Use / The Process” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “OpenClaw instance administration — manage hosts across macOS, Ubuntu/Debian, Docker, OCI, and Proxmox DETECT PLATFORM FIRST. DIAGNOSE BEFORE CHANGING. VERIFY AFTER EVERY ACTION. makes outbound network calls; runs on Node.js. Works with Claude Code, Cursor, Cline and 23 more.”.
- **02** When the source has headings, the agent prioritizes “The Iron Law / When to Use / The Process” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
## Running Rules
- read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source mentions slash commands such as `/octo`, `/etc`, `/proc`, `/usr`; use them first when your agent supports command triggers.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands.
Start with a small task and check whether the result follows “The Iron Law / When to Use / The Process”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: skill-claw
description: OpenClaw instance administration — manage hosts across macOS, Ubuntu/Debian, Docker, OCI, and Pr…
category: devops
source: nyldn/claude-octopus
---
# skill-claw
## When to use
- OpenClaw instance administration — manage hosts across macOS, Ubuntu/Debian, Docker, OCI, and Proxmox DETECT PLATFORM…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “The Iron Law / When to Use / The Process” and keep inference separate from source facts.
- read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "skill-claw" {
input -> user goal + target files + boundaries + acceptance criteria
context -> The Iron Law / When to Use / The Process
rules -> SKILL.md triggers / order / output contract
runtime -> Node.js / Docker | read files, write/modify files, run shell commands | may access external network resources
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} OpenClaw Instance Administration
Your first output line MUST be: 🐙 **CLAUDE OCTOPUS ACTIVATED** - OpenClaw Administration
The Iron Law
DETECT PLATFORM FIRST. DIAGNOSE BEFORE CHANGING. VERIFY AFTER EVERY ACTION.
Never assume the OS or hosting environment. Never make changes without checking current state. Never claim success without verification.
When to Use
Use this skill for:
- Installing, updating, or migrating OpenClaw instances
- Gateway lifecycle management (start, stop, restart, health checks)
- Host-level administration (packages, services, firewall, users, disks)
- Security hardening and audits
- Monitoring setup and troubleshooting
- Backup and disaster recovery
- Platform-specific configuration (macOS, Ubuntu/Debian, Docker, OCI, Proxmox)
- Channel configuration (WhatsApp, Telegram, Discord, Slack, Signal)
- Tailscale setup and management (Serve, Funnel, SSH, ACLs)
- gogcli (Google Workspace CLI) setup and troubleshooting
- OpenClaw scheduler, memory, plugins, and MCP server management
Do NOT use for:
- Writing OpenClaw extensions or plugins (use plugin-dev skills)
- Designing cloud architecture from scratch (use cloud-architect persona)
- Application-level code debugging (use
/octo:debug)
The Process
Phase 1: Detect Platform
You MUST detect the platform before running any administrative commands.
# Detect OS
uname -s # Darwin = macOS, Linux = Ubuntu/Debian/Proxmox host
# If Linux, detect distro
cat /etc/os-release 2>/dev/null | head -5
# Check if inside Docker
[ -f /.dockerenv ] && echo "Docker container" || echo "Not Docker"
# Check if on Proxmox host
command -v pveversion &>/dev/null && pveversion 2>/dev/null
# Check if inside Proxmox LXC
[ -f /proc/1/environ ] && grep -q container=lxc /proc/1/environ 2>/dev/null && echo "Proxmox LXC"
# Check for OCI metadata
curl -s -m 2 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle" 2>/dev/null | head -5
Set the platform context before proceeding:
- macOS: Homebrew, launchd, Application Firewall, APFS
- Ubuntu/Debian: apt, systemd, ufw, ext4/ZFS
- Docker: docker compose, container logs, volume management
- OCI: ARM architecture, VCN security, Tailscale, systemd
- Proxmox: qm/pct, vzdump, ZFS, LXC bind mounts
Phase 2: Assess Current State
Run diagnostics appropriate to the platform:
OpenClaw Diagnostics (All Platforms)
# Check OpenClaw installation
command -v openclaw &>/dev/null && openclaw --version
# Gateway status
openclaw status --all
# Health check
openclaw health
# Doctor (auto-detect and report issues)
openclaw doctor
# Security audit
openclaw security audit
macOS Host Diagnostics
# Service status
launchctl list | grep openclaw
# System resources
vm_stat | head -10
df -h /
# Homebrew health
brew doctor 2>&1 | head -20
# Firewall status
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
Ubuntu/Debian Host Diagnostics
# Service status
systemctl --user status openclaw-gateway 2>/dev/null || systemctl status openclaw-gateway
# System resources
free -h
df -h /
# Failed services
systemctl --failed
# Firewall status
ufw status verbose
# Pending updates
apt list --upgradable 2>/dev/null | head -20
Docker Diagnostics
# Container status
docker compose ps
# Container health
docker inspect --format='{{.State.Health.Status}}' openclaw-gateway 2>/dev/null
# Resource usage
docker stats --no-stream
# Disk usage
docker system df
Proxmox Diagnostics
# Proxmox version
pveversion -v
# VM/LXC list
qm list 2>/dev/null
pct list 2>/dev/null
# Storage status
pvesm status
# ZFS health
zpool status 2>/dev/null
# Cluster status
pvecm status 2>/dev/null
Phase 3: Execute the Requested Action
Route to the appropriate workflow based on user intent:
Installation Workflows
| Platform | Method |
|---|---|
| macOS | curl -fsSL https://openclaw.ai/install.sh | bash && openclaw onboard --install-daemon |
| Ubuntu/Debian | curl -fsSL https://openclaw.ai/install.sh | bash && openclaw onboard --install-daemon |
| Docker | git clone https://github.com/openclaw/openclaw.git && cd openclaw && ./docker-setup.sh |
| OCI ARM | Install Node.js 22 + build-essential, then curl installer, enable systemd lingering, configure Tailscale |
| Proxmox LXC | Create Ubuntu/Debian LXC, install Node.js 22, curl installer, configure bind mounts for persistence |
Service Lifecycle
| Action | macOS | Linux | Docker |
|---|---|---|---|
| Start | launchctl start gui/$UID/com.openclaw.gateway |
systemctl --user start openclaw-gateway |
docker compose up -d |
| Stop | launchctl stop gui/$UID/com.openclaw.gateway |
systemctl --user stop openclaw-gateway |
docker compose down |
| Restart | openclaw gateway restart |
openclaw gateway restart |
docker compose restart |
| Status | launchctl list | grep openclaw |
systemctl --user status openclaw-gateway |
docker compose ps |
| Logs | openclaw logs --follow |
journalctl --user -u openclaw-gateway -f |
docker compose logs -f |
Update Workflow
- Backup config, credentials, and workspace:
cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak cp -r ~/.openclaw/credentials/ ~/.openclaw/credentials.bak/ - Update using the appropriate method:
# Installer (recommended) curl -fsSL https://openclaw.ai/install.sh | bash # npm npm i -g openclaw@latest # Docker docker compose pull && docker compose up -d - Verify the update:
openclaw --version openclaw doctor openclaw health
Security Hardening Checklist
- Gateway binds to loopback only (
127.0.0.1/::1) - Token auth enabled — tokens treated as admin credentials
- Tailscale or VPN for remote access — never expose port 18789
- Filesystem restrictions:
tools.exec.applyPatch.workspaceOnly: true,tools.fs.workspaceOnly: true - Docker sandboxing enabled for agent tool execution
- DM pairing policy enforced for unknown senders
openclaw security audit --deep --fixpasses clean- Credential permissions:
chmod 700 ~/.openclaw/credentials/ - Firewall: only required ports open (SSH, Tailscale UDP 41641)
- Use Anthropic Opus 4.6 as agent model (best prompt injection resistance)
Phase 4: Verify Outcome
After every action, verify it took effect:
# Check gateway is running
openclaw status
# Check health
openclaw health
# Run doctor to catch issues
openclaw doctor
# If security changes were made
openclaw security audit
Report the before/after state and any remaining issues.
Key File Paths
| Path | Purpose |
|---|---|
~/.openclaw/openclaw.json |
Main configuration (JSON5) |
~/.openclaw/credentials/ |
API keys and auth tokens |
~/.openclaw/workspace/ |
Agent workspace data |
~/.openclaw/sandboxes/ |
Sandbox isolation directories |
~/Library/LaunchAgents/com.openclaw.gateway.plist |
macOS launchd service |
~/.config/systemd/user/openclaw-gateway.service |
Linux systemd user service |
OpenClaw CLI Quick Reference
openclaw status [--all|--deep] # Health overview
openclaw health # Gateway health check
openclaw doctor [--fix] # Diagnostics + auto-fix
openclaw logs [--follow] # Gateway logs
openclaw security audit [--deep] [--fix] # Security scan
openclaw gateway start|stop|restart # Service lifecycle
openclaw gateway install|uninstall # Daemon management
openclaw configure # Interactive config wizard
openclaw update [--channel ...] # Self-update
openclaw channels list|status|add|remove # Messaging channels
openclaw models list|status [--probe] # AI model config
openclaw agents list|add|delete # Agent management
openclaw sessions list|history # Session management
openclaw skills list|info|check # Skills
openclaw plugins list|install|doctor # Plugins
openclaw cron status|list|add|edit|rm # Scheduled jobs
Tailscale Management
tailscale up [--ssh] # Connect to tailnet
tailscale serve https / http://127.0.0.1:18789 # Expose OpenClaw to tailnet
tailscale serve status # Check serve config
tailscale status # List connected devices
tailscale ping <hostname> # Test connectivity
tailscale netcheck # Network diagnostics
Rules:
- Use
tailscale servefor OpenClaw access (tailnet only) - Warn before
tailscale funnel(exposes to public internet) - Docker: use sidecar pattern with
network_mode: "service:tailscale" - Proxmox LXC: add TUN device to container config before installing
Channel Integration
| Channel | Library | Admin Setup |
|---|---|---|
| Baileys | openclaw channels login whatsapp → scan QR |
|
| Telegram | Grammy | Token from @BotFather → set in config |
| Discord | discord.js | Bot token from Developer Portal |
| Slack | Bolt | App manifest + bot/app tokens (Socket Mode) |
| Signal | signal-cli | openclaw channels login signal → linked device |
openclaw channels list|status|add|remove|login|logout
openclaw channels dm-allow <channel> user:@username
openclaw channels info <channel> [--dm-list|--detailed]
Integration with Other Skills
| Scenario | Route |
|---|---|
| Infrastructure architecture needed | Hand off to cloud-architect persona |
| Application-level bug found | Hand off to /octo:debug |
| Security vulnerability in code | Hand off to /octo:security |
| Need CI/CD pipeline for deployment | Hand off to deployment-engineer persona |
| OpenClaw extension development | Hand off to plugin-dev skills |
Red Flags — Don't Do This
| Action | Why It's Wrong |
|---|---|
| Assume the OS without checking | macOS and Linux commands differ significantly |
| Expose port 18789 to the internet | Gateway should only bind to loopback; use Tailscale |
Run openclaw security audit --fix without --deep first |
Understand the findings before auto-remediating |
| Skip backup before updating | Updates can break config; always back up first |
Use docker compose down -v without warning |
Destroys volumes and all data |
Grant manage all-resources in OCI IAM |
Violates least-privilege; use scoped policies |
| Run privileged LXC containers on Proxmox | Unprivileged LXC is safer; only privilege if absolutely needed |
Decide Fit First
Design Intent
How To Use It
Boundaries And Review