Is kime541200/openclaw-server-secure-skill safe?
https://github.com/openclaw/skills/tree/main/skills/kime541200/openclaw-server-secure-skill
The openclaw-server-secure-skill is a markdown-only server hardening guide with no malicious content in the skill file itself — no prompt injection, no hidden code, and no exfiltration was detected during the monitored installation. The primary risk is supply chain exposure: the skill instructs global installation of the unaudited 'openclaw' npm package and execution of 'openclaw security audit --deep', which runs unreviewed code with potentially broad system access; a compromised openclaw package would turn this skill into a high-trust attack vector. Secondary risks include the curl-pipe-sh Tailscale install pattern and an SSH hardening ordering that could cause server lockout if not followed carefully.
Findings (8)
HIGH Global npm install of unaudited openclaw package -25
The skill instructs the agent to run 'npm install -g openclaw && openclaw doctor'. Installing an npm package globally grants it filesystem access to the entire system. The openclaw package is not audited as part of this skill review, and npm postinstall scripts or the package binary itself could execute arbitrary code, read credentials, or establish network connections. The subsequent 'openclaw security audit --deep' command further executes this unreviewed code with potentially broad filesystem access.
MEDIUM curl-pipe-sh pattern for Tailscale installation -15
The skill instructs 'curl -fsSL https://tailscale.com/install.sh | sh' to install Tailscale. This pattern downloads and immediately executes a remote shell script without integrity verification. While Tailscale is a legitimate and well-known company, this pattern is inherently risky: DNS poisoning, CDN compromise, or a future supply chain attack on tailscale.com could cause execution of malicious code. The script runs with sudo elevation.
MEDIUM Supply chain pivot: skill enables high-trust installation of openclaw -20
This skill serves as a trusted guide that walks a user through system-level hardening (sudo SSH config, firewall rules) and then instructs installation of the openclaw npm package at elevated trust. An attacker who controls the openclaw npm package, or who publishes a typosquat, could use this skill as a delivery mechanism for malware on hardened servers. The 'openclaw security audit --deep' command is particularly dangerous as it would be run with the agent's full tool access after the user has been guided through multiple legitimate-appearing steps.
MEDIUM SSH hardening ordering risk — potential server lockout -15
Steps 1 and 5 disable SSH password authentication and remove public SSH access before verifying that key-based authentication or Tailscale access is fully functional. If an agent follows these steps and the user's SSH key is not already installed in authorized_keys, or Tailscale setup fails at step 4, the user could be permanently locked out of their server. The skill mentions this as a note but does not enforce verification steps.
LOW Canary credential files accessed twice during monitoring window -5
Filesystem events and auditd PATH records show canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) accessed at two distinct timestamps: 1771932683 (pre-install) and 1771932700 (post-install). Both accesses show CLOSE_NOWRITE events confirming read-only access. The pattern and confirmed canary integrity strongly indicate this is the oathe monitoring system performing pre/post baseline checks rather than skill-triggered access. No exfiltration was detected.
LOW Tailscale VPN join exposes server to account owner's mesh network -10
'sudo tailscale up' joins the server to whatever Tailscale account the user authenticates with. If the user's Tailscale account is compromised, or if the skill is being used to join a server to an attacker-controlled Tailscale network (e.g., in a social engineering scenario), the server becomes reachable from that network even after firewall hardening. The skill subsequently restricts all traffic to the Tailscale subnet only.
INFO No prompt injection detected in SKILL.md 0
SKILL.md was reviewed for override instructions, persona hijacking, hidden unicode, HTML comment tricks, base64-encoded payloads, and references to external URLs for agent fetching. None were found. The skill content accurately matches its stated purpose of server security hardening.
INFO Clone behavior clean — GitHub only 0
The installation process cloned only from github.com/openclaw/skills.git (140.82.121.4:443). No unexpected network connections, DNS queries, or process spawning occurred during installation. Post-install connection state is unchanged from pre-install baseline except for the expected SSH session turnover.