This skill should be used when the user asks to "deploy OpenClaw for personal use", "set up a secure personal agent", "create my own Claude agent", "deploy isolated OpenClaw", "set up personal AI assistant", or mentions personal OpenClaw deployment, secure agent setup, private AI assistant, or self-hosted agent. Executes the complete deployment of a secure, isolated OpenClaw for personal use with hardened defaults, Docker isolation, tool authorization, and audit logging. Use this skill whenever a personal OpenClaw deployment is needed, even if they don't explicitly ask for "openclaw-personal-deploy". [EXPLICIT]
From jm-adknpx claudepluginhub javimontano/jm-adk-alfaThis skill is limited to using the following tools:
agents/guardian.mdagents/lead.mdagents/specialist.mdagents/support.mdevals/evals.jsonknowledge/body-of-knowledge.mdknowledge/knowledge-graph.mdprompts/meta.mdprompts/primary.mdprompts/variations/deep.mdprompts/variations/quick.mdreferences/deployment-templates.mdtemplates/output.docx.mdtemplates/output.htmlDeploy a production-grade, security-hardened OpenClaw instance for personal use in a single session. This skill orchestrates the full pipeline: project scaffold, security configuration, Docker isolation, tool authorization hooks, and launch verification — producing a complete, runnable deployment, not documentation. [EXPLICIT]
Tu agente, tus reglas, tu infraestructura. Un despliegue personal no significa un despliegue inseguro — aplica los mismos controles que una empresa pero optimizados para un solo operador.
| Need | Use Instead | Why |
|---|---|---|
| Security architecture design (no deployment) | 5022-open-claude-security | Designs the architecture; this skill executes it |
| Container isolation patterns only | 5023-openclaw-isolation | Isolation theory; this skill applies it |
| Tool authorization design only | 5024-openclaw-tool-auth | Auth design; this skill implements it |
| Building OpenClaw agent logic | 9081-open-claw-builder | Agent code; this skill deploys infrastructure |
| Team or enterprise deployment | 5022-open-claude-security --team | Multi-user requires different isolation model |
| General app deployment | 7001-hostinger-deployment | Not agent-specific |
Parse $ARGUMENTS: $1 = project name, $2 = platform (telegram | http | slack). [EXPLICIT]
Parameters:
{PROJECT_NAME}: kebab-case project identifier. Used for directory name, Docker container name, and compose project name. [EXPLICIT]{PLATFORM}: Gateway adapter — telegram (default), http, or slack. Determines which adapter template is scaffolded. [EXPLICIT]{MODO}: piloto-auto (default) | paso-a-paso [EXPLICIT]Defaults when not provided:
my-openclaw [EXPLICIT]telegram [EXPLICIT]piloto-auto — executes all phases automatically with confirmation at launch [EXPLICIT]Run these checks before any deployment action. Fail fast if critical prerequisites are missing. [EXPLICIT]
Bash docker --version 2>/dev/null || echo "MISSING: Docker"
Bash docker compose version 2>/dev/null || echo "MISSING: Docker Compose"
Bash node --version 2>/dev/null || echo "MISSING: Node.js"
Bash npm --version 2>/dev/null || echo "MISSING: npm"
Hard requirements (deployment blocks without these):
docker compose plugin, not legacy docker-compose) [EXPLICIT]Soft requirements (deployment proceeds with warnings):
Secrets the user must provide (never generate, never hardcode):
ANTHROPIC_API_KEY — Claude API access [EXPLICIT]TELEGRAM_BOT_TOKEN, SLACK_BOT_TOKEN, or none for HTTP [EXPLICIT]ALLOWED_CHAT_IDS for Telegram user restriction [EXPLICIT]Load reference materials:
Read ${CLAUDE_SKILL_DIR}/references/deployment-templates.md
Create the complete directory structure for a deployable OpenClaw project. [EXPLICIT]
Directory tree to generate:
{PROJECT_NAME}/
├── .claude/
│ ├── hooks/
│ │ ├── pre-tool-use.sh
│ │ └── post-tool-use.sh
│ ├── settings.json
│ └── settings.local.json
├── .mcp.json
├── CLAUDE.md
├── Dockerfile
├── docker-compose.yml
├── .dockerignore
├── .env.example
├── .gitignore
├── package.json
├── tsconfig.json
├── src/
│ ├── index.ts
│ ├── gateway/
│ │ └── {PLATFORM}-adapter.ts
│ └── utils/
│ └── logger.ts
├── logs/
│ └── .gitkeep
└── README.md
Actions:
Bash mkdir -p {PROJECT_NAME} [EXPLICIT]package.json with pinned dependency versions — no floating ranges (^ or ~). Pin @anthropic-ai/sdk, platform-specific SDK, dotenv, winston. [EXPLICIT]tsconfig.json with strict: true, noImplicitAny: true, target ES2022. [EXPLICIT].gitignore from template in references/deployment-templates.md. Must include .env, node_modules/, logs/*.log, .claude/settings.local.json. [EXPLICIT].env.example from template — all secrets as placeholder values, never real keys. [EXPLICIT]src/ structure with minimal gateway adapter for the selected platform. [EXPLICIT]Validation: Confirm all files exist with Glob {PROJECT_NAME}/**/*. [EXPLICIT]
Generate security-first configuration files that control agent behavior. [EXPLICIT]
The most critical security artifact. This file directly controls what the agent can and cannot do. [EXPLICIT]
Generate from template in references/deployment-templates.md with these requirements:
Write {PROJECT_NAME}/.claude/settings.json
Requirements:
permissions.allow — empty array. Nothing pre-approved. [EXPLICIT]permissions.deny — block Bash(rm -rf*), Bash(curl*), Bash(wget*), Write(~/.*), Write(/etc/*). [EXPLICIT]hooks.PreToolUse — point to .claude/hooks/pre-tool-use.sh [EXPLICIT]hooks.PostToolUse — point to .claude/hooks/post-tool-use.sh [EXPLICIT]Requirements:
stdio only. Never sse or http for personal deploy — removes network attack surface. [EXPLICIT]env restrictions to prevent secret leakage. [INFERRED]Validation: Read back each file and verify no dangerouslySkipPermissions, no wildcard allows, no remote MCP transports. [EXPLICIT]
Generate container configuration that enforces process, network, and filesystem isolation. [EXPLICIT]
Generate from multi-stage template in references/deployment-templates.md:
node:20-alpine, install deps, compile TypeScript [EXPLICIT]node:20-alpine, copy only compiled output and production deps [EXPLICIT]openclaw, UID 1001) [EXPLICIT]apt-get, apk add, or package manager calls in runtime stage [EXPLICIT]HEALTHCHECK instruction for container orchestration [EXPLICIT]Generate from template with these security defaults:
| Setting | Value | Rationale |
|---|---|---|
read_only: true | Root filesystem is read-only | Prevents runtime file modification [EXPLICIT] |
tmpfs: ["/tmp:size=64m"] | Writable temp with size cap | Agent needs temp space but capped [EXPLICIT] |
security_opt: ["no-new-privileges:true"] | Block privilege escalation | Standard container hardening [EXPLICIT] |
cap_drop: ["ALL"] | Drop all Linux capabilities | Minimal capability set [EXPLICIT] |
networks: [internal] | Internal-only network | No direct internet access from container [EXPLICIT] |
mem_limit: "512m" | Memory ceiling | Prevent resource exhaustion [EXPLICIT] |
cpus: "1.0" | CPU ceiling | Prevent runaway compute [EXPLICIT] |
restart: "unless-stopped" | Auto-restart on crash | Availability for personal assistant [EXPLICIT] |
logging.driver: "json-file" | Structured logs | Audit trail with rotation [EXPLICIT] |
logging.options.max-size: "10m" | Log rotation | Prevent disk exhaustion [EXPLICIT] |
Network configuration:
Must exclude: .env, .git/, node_modules/, *.log, .claude/settings.local.json. [EXPLICIT]
Validation: Bash docker compose -f {PROJECT_NAME}/docker-compose.yml config to verify syntax. [EXPLICIT]
Generate hook scripts that intercept every tool invocation with allow/deny decisions. [EXPLICIT]
Behavior:
Bash tool: validate command against regex denylist (no rm -rf, curl, wget, nc, chmod 777, eval, pipe to sh) [EXPLICIT]Write tool: validate target path is within project directory [EXPLICIT]Read tool: validate path is not in sensitive locations (~/.ssh, ~/.aws, /etc/passwd) [EXPLICIT]logs/tool-audit.log [EXPLICIT]Behavior:
logs/tool-audit.log [EXPLICIT]Hook scripts must be:
chmod +x) [EXPLICIT]#!/usr/bin/env bash) [EXPLICIT]Validation: Test each hook with mock input: echo '{"tool":"Bash","args":{"command":"ls"}}' | bash pre-tool-use.sh should exit 0. [EXPLICIT]
Execute a systematic verification before declaring the deployment ready. [EXPLICIT]
Run automated checks against the generated project:
# 1. No hardcoded secrets
Grep -r "(sk-ant-|xoxb-|xoxp-|ghp_|AKIA)" {PROJECT_NAME}/
# 2. No dangerous permissions
Grep "dangerouslySkipPermissions" {PROJECT_NAME}/
# 3. Docker security options present
Grep "no-new-privileges" {PROJECT_NAME}/docker-compose.yml
Grep "read_only" {PROJECT_NAME}/docker-compose.yml
Grep "cap_drop" {PROJECT_NAME}/docker-compose.yml
# 4. Hooks are executable
Bash test -x {PROJECT_NAME}/.claude/hooks/pre-tool-use.sh && echo "OK" || echo "FAIL"
Bash test -x {PROJECT_NAME}/.claude/hooks/post-tool-use.sh && echo "OK" || echo "FAIL"
# 5. .env not tracked
Grep "\.env" {PROJECT_NAME}/.gitignore
# 6. No wildcard allows in settings
Grep -c '"allow": \[\]' {PROJECT_NAME}/.claude/settings.json
If any check fails: STOP. Fix before proceeding. [EXPLICIT]
Bash cd {PROJECT_NAME} && docker compose build --no-cache
Verify clean build with no warnings about security-relevant items. [EXPLICIT]
Bash cd {PROJECT_NAME} && docker compose up -d
Bash sleep 5 && docker compose ps
Bash docker compose logs --tail=20
Confirm: container running, health check passing, no error logs. [EXPLICIT]
curl -X POST http://localhost:3000/message -d '{"text":"hello"}' [EXPLICIT]Confirm agent responds and tool audit log shows the interaction. [EXPLICIT]
Present deployment summary to user:
## Deployment Complete: {PROJECT_NAME}
| Component | Status | Location |
|-----------|--------|----------|
| Project scaffold | OK | ./{PROJECT_NAME}/ |
| CLAUDE.md security | OK | ./{PROJECT_NAME}/CLAUDE.md |
| Docker isolation | OK | ./{PROJECT_NAME}/docker-compose.yml |
| Tool auth hooks | OK | ./{PROJECT_NAME}/.claude/hooks/ |
| Health check | OK | Container running |
| Test message | OK | Response received |
### Quick Commands
- Start: `cd {PROJECT_NAME} && docker compose up -d`
- Stop: `cd {PROJECT_NAME} && docker compose down`
- Logs: `cd {PROJECT_NAME} && docker compose logs -f`
- Audit: `cat {PROJECT_NAME}/logs/tool-audit.log`
- Rebuild: `cd {PROJECT_NAME} && docker compose build --no-cache && docker compose up -d`
5022 --team. [EXPLICIT].env file is the secret store for personal deploy. For production or team use, a proper secrets manager (Vault, AWS SSM, GCP Secret Manager) should replace it. [INFERRED]If Docker is not installed or the user cannot install it:
start.sh that runs the Node.js process directly [EXPLICIT]| Concern | Windows | macOS | Linux |
|---|---|---|---|
| Docker runtime | Docker Desktop (WSL2 backend) | Docker Desktop | Docker Engine native [EXPLICIT] |
| Hook scripts | Git Bash or WSL required for .sh hooks | Native bash | Native bash [EXPLICIT] |
| File permissions | NTFS ACLs — chmod has no effect | Standard POSIX | Standard POSIX [EXPLICIT] |
| Path separators | Backslash in host, forward slash in container | Forward slash | Forward slash [EXPLICIT] |
| Line endings | Generate with LF, not CRLF — add .gitattributes | LF native | LF native [EXPLICIT] |
On Windows: generate .gitattributes with * text=auto eol=lf to prevent CRLF corruption in hook scripts. [EXPLICIT]
If the user wants to add OpenClaw to an existing project rather than creating a new one:
Glob package.json tsconfig.json docker-compose.yml CLAUDE.md [EXPLICIT]*.openclaw.example and instruct the user to merge. [EXPLICIT]package.json: add OpenClaw deps to existing deps, warn on version conflicts. [EXPLICIT]docker-compose.yml: add OpenClaw service alongside existing services, create shared network. [EXPLICIT]CLAUDE.md: append security section, do not modify existing instructions. [EXPLICIT]User: "Deploy OpenClaw for personal use — my-assistant telegram"
Result:
- my-assistant/ directory with 15+ files
- CLAUDE.md with deny-by-default policy and injection defense
- settings.json with empty allow list and explicit deny patterns
- Docker isolation: read-only FS, no-new-privileges, 512MB cap
- Hooks: pre-tool-use blocks rm/curl/wget, post-tool-use scans for secrets
- .env.example with placeholders (user fills in real keys)
- docker compose build succeeds
- docker compose up starts healthy container
- Test message gets response with audit log entry
- All security checks pass
User: "Deploy OpenClaw for personal use"
Result:
- Single directory with index.js
- No CLAUDE.md — agent has unrestricted behavior
- No Docker — runs as user's own process with full system access
- No hooks — every tool use is unaudited
- API key hardcoded in source file
- No .gitignore — secrets committed to git
- Bash tool unrestricted — agent can rm -rf /
- No health check — silent failures
- No audit log — no forensic capability
Why the bad example is dangerous: A personal agent with unrestricted Bash access and no audit logging is equivalent to giving an autonomous process full control of your machine with no accountability. The agent could delete files, exfiltrate data via curl, or modify system configuration — and you would have no record of what happened. [EXPLICIT]
Before marking deployment complete, ALL must be checked:
rm -rf / test case [EXPLICIT].env is in .gitignore and not tracked by git [EXPLICIT]| Skill | Relationship | When to Chain |
|---|---|---|
5022-open-claude-security | Architecture parent | Before this skill — when designing the security model first [EXPLICIT] |
5023-openclaw-isolation | Isolation patterns | Reference during Phase 3 for advanced isolation options [EXPLICIT] |
5024-openclaw-tool-auth | Auth patterns | Reference during Phase 4 for custom authorization logic [EXPLICIT] |
9081-open-claw-builder | Agent builder | After this skill — when building the agent's conversation logic [EXPLICIT] |
9038-hook-creator | Hook engineering | When hooks need custom behavior beyond the templates [EXPLICIT] |
| File | Contents |
|---|---|
references/deployment-templates.md | Complete templates: .env.example, Dockerfile, docker-compose.yml, CLAUDE.md, settings.json, .gitignore, hook scripts, verification script |
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.