Display Name
LockClaw
Category
Tooling
Sub-Category
General
Primary Link
https://github.com/iwes247/LockClaw
Author Name
iwes247
Author Link
https://github.com/iwes247
License
MIT
Other License
No response
Description
Hardened, production-ready Docker container for self-hosting OpenClaw. Ships with deny-by-default nftables firewall, SSH key-only auth with modern ciphers (chacha20-poly1305, aes256-gcm), fail2ban brute-force protection, auditd monitoring, and claude-mem persistent memory pre-installed. One docker pull and the gateway is locked down — no manual hardening required. Automated smoke tests validate 14 security checks on every boot.
Validate Claims
docker pull ghcr.io/iwes247/lockclaw:latest
docker run -d --name lockclaw \
  --cap-add NET_ADMIN --cap-add AUDIT_WRITE \
  ghcr.io/iwes247/lockclaw:latest
Run the built-in security validation suite:
docker exec lockclaw /opt/lockclaw/scripts/test-smoke.sh
Verify firewall is deny-by-default:
docker exec lockclaw nft list ruleset | grep 'policy drop'
Verify SSH hardening:
docker exec lockclaw sshd -T | grep -i 'permitrootlogin no'
Verify only SSH is exposed publicly:
docker exec lockclaw ss -tlnp
Cleanup:
docker rm -f lockclaw
Specific Task(s)
Pull the container image, start it, and run the built-in smoke test suite. The suite validates 14 security checks including firewall policy, SSH cipher restrictions, fail2ban configuration, port exposure audit, and OpenClaw gateway health. Then manually inspect the firewall ruleset and SSH config to confirm deny-by-default posture.
Specific Prompt(s)
This is not a Claude Code skill/plugin — it is a Docker container that provides a hardened runtime environment for OpenClaw. To evaluate it, run the validation commands above in any terminal with Docker installed. No Claude Code interaction is needed to verify the claims.
Additional Comments
LockClaw is a security-first container layer for OpenClaw. It does not modify or limit OpenClaw's functionality — it hardens the OS environment around it. The gateway binds to loopback only (127.0.0.1:18789) and is accessed via SSH tunnel. The project includes CI that builds the image, starts a container, and runs the full smoke test suite on every push. First open source project — feedback welcome.
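Two of the manual checks above can be made stricter. This is an added example, not part of LockClaw or its smoke test suite: `grep 'policy drop'` matches any chain, and `ss -tlnp` output still has to be read by eye. The function names and sample data are constructed for illustration, and the nftables sample assumes the usual `type filter hook input` base chain layout.

```shell
#!/bin/sh
# Added example (not LockClaw's own code): stricter stdin filters for two checks.
# Real use: docker exec lockclaw nft list ruleset | input_policy_is_drop
#           docker exec lockclaw ss -tln | unexpected_listeners 22

# Succeeds only if a filter input-hook chain exists and every one has policy drop.
input_policy_is_drop() {
    awk '/type filter hook input/ { seen = 1; if ($0 !~ /policy drop;/) bad = 1 }
         END { exit !(seen && !bad) }'
}

# Prints listeners that are neither loopback-bound nor on the allowed port.
unexpected_listeners() {
    awk -v allowed="${1:-22}" '
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)   # drop ":port", keep the address
            sub(/^.*:/, "", port)      # keep what follows the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (port != allowed) print $4
        }'
}

# Constructed sample: drop only on forward, so grep 'policy drop' still matches.
sample_nft_weak() {
    cat <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
EOF
}

# Constructed sample: SSH public, gateway on loopback, one stray listener.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511        127.0.0.1:18789      0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      511          0.0.0.0:8080       0.0.0.0:*
EOF
}

sample_nft_weak | input_policy_is_drop || echo "input chain is not policy drop"
sample_ss | unexpected_listeners 22
```

Empty output from `unexpected_listeners` means only the allowed port is reachable off-loopback; any printed line is a listener to investigate.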
Recommendation Checklist