
vps-checkup

npx machina-cli add skill jmerta/codex-skills/vps-checkup --openclaw
Files (1)
SKILL.md
3.6 KB

VPS checkup (Ubuntu + Docker)

Goal

  • Produce a clear, read-only health/security/update report for an Ubuntu VPS running Docker.
  • Propose safe, minimal fixes; do not apply changes or restart anything unless the user explicitly confirms.

Inputs to ask for (if missing)

  • SSH target host alias (from ~/.ssh/config; on Windows: $HOME\.ssh\config) or user@ip.
  • Confirm sudo access and whether running apt update is allowed (it modifies package lists).
  • Required open ports (e.g., 22, 80, 443) and any non-standard SSH port.
  • Where deployments live: confirm if Docker Compose is used on the VPS (common), and whether compose files are in a known path.
  • If the local ssh client or required tools are missing, tell the user and ask whether to install them or provide command output manually.

Workflow (checklist)

  1. Connect safely
    • Keep a second SSH session open before any SSH/firewall changes.
    • Record identity/time/host: whoami, hostname -f, date -Is, uptime.
  2. Collect a read-only baseline (system)
    • OS/kernel: lsb_release -a (or cat /etc/os-release), uname -a.
    • CPU/mem/disk: top snapshot, free -h, df -hT, lsblk.
    • Services: systemctl --failed, journalctl -p 3 -xb --no-pager (use sudo if needed).
  3. Check security posture (read-only)
    • SSH: prefer sudo sshd -T (fallback to sudo cat /etc/ssh/sshd_config + sshd_config.d/).
    • Firewall: sudo ufw status verbose (and sudo ufw status numbered).
    • Fail2ban: sudo fail2ban-client status (+ status sshd if present).
    • Listening ports: ss -tulpn (use sudo if needed).
  4. Check update posture (read-only by default)
    • If user allows: run sudo apt update to ensure accurate results.
    • Then collect: apt list --upgradable, ubuntu-security-status (if available), and /var/run/reboot-required presence.
    • Check unattended upgrades: systemctl status unattended-upgrades --no-pager and /var/log/unattended-upgrades/.
  5. Check Docker health (read-only)
    • Daemon status: systemctl status docker --no-pager, docker info.
    • Containers: docker ps, unhealthy/restarting containers, recent restarts, and docker stats --no-stream.
    • Disk usage: docker system df and large log growth indicators.
    • Compose overview: docker compose ls (then inspect key projects as needed).
  6. Produce the report + recommendations
    • Use references/report-template.md.
    • Use references/ubuntu-docker-checkup-commands.md for a copy/paste command set.
    • Rank findings by severity and explicitly list what requires confirmation (updates, firewall changes, SSH changes, restarts, pruning, reboot).
  7. Apply fixes (ONLY with explicit confirmation)
    • Do not run apt upgrade, change UFW rules, change SSH auth, prune Docker, restart services/containers, or reboot unless the user says to.
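An added example (not part of SKILL.md or the skill's reference files): POSIX shell functions that triage saved output from step 3, comparing `ss -tulpn` listeners against the required open ports and flagging two `sshd -T` settings. The function names, the severity labels and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Offline triage of output captured in workflow step 3; nothing here touches the host.
# Sample data is constructed for illustration, not taken from a real VPS.

# unexpected_listeners "<allowed ports>"   (stdin: `ss -tulpn` output)
# Prints proto/port for each non-loopback listener outside the allowed list.
# Docker-published ports are opened by Docker's own iptables rules and are not
# filtered by UFW rules, so listeners are compared with the required ports directly.
unexpected_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" { next }                          # header row
    {
      addr = $5; port = $5
      sub(/:[^:]*$/, "", addr)                      # drop the trailing :port
      sub(/^.*:/, "", port)                         # keep only the port
      if (addr ~ /^127\./ || addr == "[::1]") next  # loopback-only listener
      key = $1 "/" port
      if (!(port in ok) && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# sshd_findings   (stdin: `sshd -T` output, lowercase "keyword value" lines)
# HIGH/MEDIUM are this example's own ranking (assumption).
sshd_findings() {
  awk '
    $1 == "permitrootlogin" && $2 == "yes"        { print "HIGH permitrootlogin=yes" }
    $1 == "passwordauthentication" && $2 == "yes" { print "MEDIUM passwordauthentication=yes" }'
}

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:5432       0.0.0.0:*  users:(("docker-proxy",pid=1502,fd=4))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*  users:(("nginx",pid=920,fd=6))
tcp   LISTEN 0      4096   127.0.0.1:6379     0.0.0.0:*  users:(("redis-server",pid=1100,fd=6))
tcp   LISTEN 0      4096   *:9100             *:*        users:(("node_exporter",pid=1300,fd=3))
tcp   LISTEN 0      4096   [::]:22            [::]:*     users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      4096   [::]:5432          [::]:*     users:(("docker-proxy",pid=1510,fd=4))'

SAMPLE_SSHD='port 22
permitrootlogin yes
passwordauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 443"
printf '%s\n' "$SAMPLE_SSHD" | sshd_findings
```

On a real host, feed the functions the saved output of `sudo ss -tulpn` and `sudo sshd -T` with the port list the user gave under "Inputs to ask for".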

Safety gates (non-negotiable)

  • No restarts (Docker/system services) unless the user explicitly asks for restart.
  • No SSH/firewall changes unless you have a backup access path (second session open) and the user confirms the plan.
  • Never paste secrets (tokens, private keys) into chat or logs.

Deliverable

Provide:

  • A read-only report using references/report-template.md.
  • A prioritized list of recommended fixes and which ones require explicit confirmation.
  • The exact commands run (or requested if the user ran them manually).

Source

git clone https://github.com/jmerta/codex-skills

Skill file: https://github.com/jmerta/codex-skills/blob/main/vps-checkup/SKILL.md

Overview

Performs a safe, read-only health and security assessment of an Ubuntu VPS running Docker. It generates a concise report focused on system health, UFW, fail2ban, and update posture, and it proposes fixes that are applied only after explicit confirmation. This helps you understand risks and plan changes without unintended disruptions.

How This Skill Works

The agent connects via SSH in a safe, dual-session workflow, collects a read-only baseline (OS, resources, services), and evaluates security posture (SSHD config, UFW, fail2ban) and update posture (apt, unattended upgrades). It inspects Docker health (docker info, container status, disk usage, compose projects) and then renders a structured report from templates, prioritizing findings by severity. All fixes are proposed with explicit confirmation and are not executed automatically.

When to Use It

  • You need a non-intrusive health/security snapshot of an Ubuntu VPS (Docker) before making changes.
  • You want to verify firewall, SSH security, and fail2ban statuses without applying changes.
  • You need an update posture assessment (available upgrades, reboot needs) reported rather than executed.
  • You want to audit Docker health and containers (health status, logs, disk usage) without restarts.
  • You’re planning a maintenance window and want a prioritized fixes list that requires explicit confirmation to apply.

Quick Start

  1. Establish a secure SSH session to the target VPS and confirm sudo access is available.
  2. Run the read-only health checks (OS, security posture, updates, Docker health) and collect outputs.
  3. Review the generated report and approved fixes; apply changes only after explicit confirmation.

Best Practices

  • Always start with a second SSH session open as a fallback before any checks or changes.
  • Run read-only commands first; avoid modifying firewall rules, SSH configs, or Docker state unless confirmed.
  • Use the provided report templates to ensure consistent findings and recommendations.
  • Clearly separate what can be done automatically from what requires user confirmation.
  • Save all command outputs and the final report for audit and rollback planning.

Example Use Cases

  • Baseline health collected: Ubuntu 22.04, Docker 23.x, no containers in an unhealthy state; recommended follow-up checks and confirmable fixes listed.
  • UFW shows SSH allowed from a broad range; report suggests restricting to admin IPs and enabling logging.
  • Fail2ban status shows the service is active and bans are being enforced; the report recommends tuning bantime and maxretry, with monitoring.
  • Docker health: docker info OK, several containers running; no restarts suggested, but image update cadence noted for manual review.
  • /var/run/reboot-required present; reboot recommended during a maintenance window, with explicit user confirmation to proceed.
