OpenSkillIndex← back to search
claude-codeopenclawsecurity

Claude-skill-registry tinman

Security auditing and hardening for OpenClaw and system infrastructure.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/other/other/tinman" ~/.claude/skills/majiayu000-claude-skill-registry-tinman && rm -rf "$T"
OpenClaw · Install into ~/.openclaw/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/other/other/tinman" ~/.openclaw/skills/majiayu000-claude-skill-registry-tinman && rm -rf "$T"
manifest: skills/other/other/tinman/SKILL.md
tags
#security-auditing#system-hardening#vulnerability-scanning#openclaw#security#compliance
source content

Tinman

Security auditing and hardening for OpenClaw and system infrastructure.

Security Levels

LevelDescriptionResponse
S0InfoLog only
S1LowNotify user
S2MediumAlert + recommend fix
S3HighImmediate action required
S4CriticalStop + notify immediately

Checks

OpenClaw Security

CheckRiskAction
Credentials in gitS3Add to .gitignore, rotate
Token expirationS2Refresh tokens
Exposed secretsS4Rotate immediately
Uncommitted changesS1Review + commit

System Security

CheckRiskAction
SSH password authS2Disable, use keys only
Open portsS1Review with 
ss -tlnp
Unattended upgradesS2Enable automatic updates
Firewall statusS2Verify ufw/iptables

Workflow

1. Security Scan

# Check for credentials in git
git log --all --full-history -- .credentials/

# Check file permissions
ls -la ~/.credentials/

# Check SSH config
cat /etc/ssh/sshd_config | grep -E "PasswordAuthentication|PermitRootLogin"

2. Report Generation

## Security Audit Report
**Date:** 2026-02-20
**Scope:** OpenClaw + System

### Findings
| Level | Issue | Recommendation |
|-------|-------|----------------|
| S2 | Token expires in 3 days | Refresh Google OAuth |

### Actions Taken
- [x] Verified .credentials/ permissions (600)
- [ ] Refresh expiring tokens

3. Automated Monitoring

{
  "name": "daily-security-check",
  "schedule": {"kind": "cron", "expr": "0 6 * * *"},
  "payload": {
    "kind": "agentTurn",
    "message": "Run tinman security scan. Check: credential perms, token expiration, git secrets. Report S2+ issues."
  },
  "sessionTarget": "isolated",
  "notify": true
}

Best Practices

  1. Credential hygiene — 600 permissions, never in git
  2. Token rotation — Before expiration
  3. Regular audits — Weekly automated scans
  4. Principle of least privilege — Minimal permissions
  5. Audit logging — Track all changes

Emergency Response

If S4 (Critical) detected:

  1. Stop — Halt related operations
  2. Assess — Scope of exposure
  3. Rotate — Change all affected credentials
  4. Review — How did it happen
  5. Prevent — Update processes