From agi-super-team
Manages and troubleshoots Tailscale tailnet devices: resolve device aliases, test reachability, fix SSH auth failures, and restore remote access.
How this skill is triggered — by the user, by Claude, or both
Slash command
/agi-super-team:tailscale-operatorThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Author:** Daniel Li
Author: Daniel Li
Copyright © Daniel Li. All rights reserved.
Use this skill for fast path tailnet ops: find the device, get connected, recover SSH, then solve permissions.
The goal is not to produce a long diagnosis. The goal is to restore a working remote path as fast as possible.
Check these first:
/home/aa/.openclaw/shared/tailnet/README.md/home/aa/.openclaw/shared/tailnet/devices/*.md/home/aa/.openclaw/workspace-ops/TOOLS.mdTreat the shared tailnet inventory as the source of truth for:
If the user gives a nickname like 小m, studio, aa, or a human name tied to a device, first map it to a documented device record. If multiple matches are plausible, confirm before acting.
If the target device is not documented, say so clearly and ask for one of:
When speed matters, default to this sequence:
# 1) find the documented device record first
# 2) test tailnet reachability
tailscale ping 100.x.y.z
# 3) try the known-good SSH path
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 [email protected]
# 4) verify identity once in
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 [email protected] 'hostname; whoami; uname -a'
If step 2 fails, fix Tailscale first. If step 2 works but step 3 fails, fix SSH auth / sshd / Tailscale SSH.
Resolve the target device first
shared/tailnet/devices/*.mdTest Tailscale reachability before deep SSH debugging
tailscale ping <ip-or-name> when availableping -c 1 100.x.y.znc -vz 100.x.y.z 22Try the simplest known-good SSH command
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 [email protected]If SSH fails, classify fast by exact error text
Permission denied (publickey) → key/auth problemOperation timed out / No route to host → device offline, Tailscale broken, ACL, firewall, wrong IPHost key verification failed → stale known_hosts entry or rebuilt machineConnection refused → sshd not listening, Tailscale SSH not enabled, firewall, wrong portsudo: a password is required → account has sudo but needs passwordnot in the sudoers file → privilege problem; need another admin pathApply the fastest safe fix
Verify and leave a stable path
hostname; whoami; uname -a| Failure mode | Likely cause | Fastest next command |
|---|---|---|
Host key verification failed | stale host key | ssh-keygen -R 100.x.y.z |
Permission denied (publickey) | wrong user/key or missing public key | ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 [email protected] |
timeout / No route to host | node offline / Tailscale broken / wrong IP | tailscale ping 100.x.y.z |
Connection refused | SSH service closed / disabled | nc -vz 100.x.y.z 22 |
| asks for password unexpectedly | key auth not working | cat ~/.ssh/id_ed25519.pub |
sudo: a password is required | sudo works but needs password | stop and ask for the admin password |
not in the sudoers file | wrong account / no admin rights | switch to an existing admin account |
Then follow the detailed branch below.
Host key verification failedUse:
ssh-keygen -R 100.x.y.z
ssh-keygen -R hostname
Then reconnect.
Permission denied (publickey)Try, in order:
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 [email protected]
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo 'YOUR_PUBLIC_KEY' >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chown -R "$USER":$(id -gn) ~/.ssh
Connection refusedCheck whether the host is up but SSH is closed.
Useful checks on the remote side (if you have console/another path):
sudo systemctl status ssh
sudo systemctl status sshd
sudo ss -ltnp | grep ':22'
On macOS:
sudo systemsetup -getremotelogin
sudo systemsetup -setremotelogin on
sudo launchctl list | grep ssh
Suspect Tailscale before SSH.
From the local side, prefer these checks first:
tailscale ping 100.x.y.z
ping -c 1 100.x.y.z
nc -vz 100.x.y.z 22
If you have another path onto the remote side, check:
tailscale status
tailscale ip -4
tailscale whois 100.x.y.z
If deeper Tailscale diagnosis is needed on the node itself, use:
tailscale netcheck
tailscale status --json
If the node is missing/offline, ask the user to wake it, log in, or open Tailscale.
Set up public-key auth or Tailscale SSH.
Display local public key if needed:
cat ~/.ssh/id_ed25519.pub
Install it on the target account's ~/.ssh/authorized_keys.
Use when normal sshd management is painful and Tailscale policy allows it.
Prefer this branch when:
sshdUseful checks:
tailscale status --json
tailscale ping 100.x.y.z
tailscale up
Decision rule:
sshdsshd + authorized_keyssudo dseditgroup -o edit -a username -t user admin
sudo usermod -aG sudo username
# or on some distros
sudo usermod -aG wheel username
Check:
ls -ld ~/.ssh
ls -l ~/.ssh
Typical safe permissions:
~/.ssh = 700authorized_keys = 600600ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 [email protected]
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 [email protected] 'hostname; whoami; uname -a'
ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
If ssh-copy-id is unavailable, append manually.
For Macs, check these early:
Common commands:
scutil --get ComputerName
whoami
systemsetup -getremotelogin
Use the fastest likely fix, not a long generic checklist.
tailscale ip -4 on the remote node or ask the user for the new IP.tailscale ping fails, stop deep SSH debugging and fix tailnet reachability first.tailscale ping works but TCP 22 fails, focus on SSH/Tailscale SSH rather than general network theory.shared/tailnet/devices/*.md file with the working command/path.When new durable facts are discovered, write them back to the relevant device note when appropriate:
Do not write uncertain guesses back into the inventory.
~/.ssh directory to "fix" login.When helping the user:
A good outcome is not just “I diagnosed it”. A good outcome is one of:
npx claudepluginhub aaaaqwq/agi-super-team --plugin agi-super-teamManages SSH connections to remote hosts via Tailscale, including dynamic IP resolution, proxy bypass, port forwarding, and host diagnostics.
Manages Tailscale mesh VPN networks via CLI and API: check status/peers, ping devices, list tailnet devices, send files, expose services with serve/funnel, create auth keys.
Manages Tailscale tailnet via CLI and API. Use for status checks, device listing, file transfer, funnel, auth keys, and network diagnostics.