From e2c03845c75857a1db59441006a84adcdae0bfc4 Mon Sep 17 00:00:00 2001 From: Tak Hoffman <781889+Takhoffman@users.noreply.github.com> Date: Mon, 2 Feb 2026 20:22:54 -0600 Subject: [PATCH] Security: refine healthcheck workflow --- docs/reference/templates/BOOTSTRAP.md | 2 +- skills/healthcheck/SKILL.md | 31 +++++++++++++-------------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/docs/reference/templates/BOOTSTRAP.md b/docs/reference/templates/BOOTSTRAP.md index 60a9b53dc8..4f21762853 100644 --- a/docs/reference/templates/BOOTSTRAP.md +++ b/docs/reference/templates/BOOTSTRAP.md @@ -44,7 +44,7 @@ Write it down. Make it real. ## One-time system admin check -Run an initial host hardening check using the `healthcheck` skill. +Since this is a new install, run the recommended host healthcheck using the `healthcheck` skill. At minimum, run: - `openclaw security audit --deep` - `openclaw update status` diff --git a/skills/healthcheck/SKILL.md b/skills/healthcheck/SKILL.md index c64d4012c6..ac3fdc932e 100644 --- a/skills/healthcheck/SKILL.md +++ b/skills/healthcheck/SKILL.md @@ -43,19 +43,19 @@ Determine (in order): Note: these are not blocking items, but are highly recommended, especially if OpenClaw can access sensitive data. 10) Usage mode for a personal assistant with full access (local workstation vs headless/remote vs other). -First ask once for permission to run read-only checks. If granted, run them by default and only ask questions for items you cannot infer or verify. Do not ask for information already visible in runtime or command output. +First ask once for permission to run read-only checks. If granted, run them by default and only ask questions for items you cannot infer or verify. Do not ask for information already visible in runtime or command output. Keep the permission ask as a single sentence, and list follow-up info needed as an unordered list (not numbered) unless you are presenting selectable choices. -If you must ask, use non-technical prompts (numbered): -1) “Are you using a Mac, Windows PC, or Linux?” -2) “Are you logged in directly on the machine, or connecting from another computer?” -3) “Is this machine reachable from the public internet, or only on your home/network?” -4) “Do you have backups enabled (e.g., Time Machine), and are they current?” -5) “Is disk encryption turned on (FileVault/BitLocker/LUKS)?” -6) “Are automatic security updates enabled?” -7) “How do you use this machine?” - 1) Personal/workstation (mostly local dev) - 2) Headless server (always on, accessed remotely) - 3) Something else? +If you must ask, use non-technical prompts: +- “Are you using a Mac, Windows PC, or Linux?” +- “Are you logged in directly on the machine, or connecting from another computer?” +- “Is this machine reachable from the public internet, or only on your home/network?” +- “Do you have backups enabled (e.g., Time Machine), and are they current?” +- “Is disk encryption turned on (FileVault/BitLocker/LUKS)?” +- “Are automatic security updates enabled?” +- “How do you use this machine?” + 1) Personal/workstation (mostly local dev) + 2) Headless server (always on, accessed remotely) + 3) Something else? Only ask for the risk profile after system context is known. @@ -71,10 +71,9 @@ If the user grants read-only permission, run the OS-appropriate checks by defaul ### 2) Run OpenClaw security audits (read-only) -If the user grants permission, run `openclaw security audit --deep` by default. If they decline or ask for alternatives, offer these options (numbered): -1) `openclaw security audit --deep` (best-effort live gateway probe; default) -2) `openclaw security audit` (faster, non-probing) -3) `openclaw security audit --json` (structured output) +As part of the default read-only checks, run `openclaw security audit --deep` without a separate permission prompt. Only offer alternatives if the user requests them: +1) `openclaw security audit` (faster, non-probing) +2) `openclaw security audit --json` (structured output) Offer to apply OpenClaw safe defaults (numbered): 1) `openclaw security audit --fix`