feat: skill expansion — browser, security, SQL, files (16 skills total)

Novas skills instaladas:
- openclaw-agent-browser   v1.0.0  CLI Chromium — navegação, login, screenshots, state
- skill-security-audit    v1.0.0  SAST scanning, prompt injection, secrets audit
- sql-toolkit             v1.0.0  PostgreSQL/MySQL/SQLite — schema, query, otimização
- file                    v1.0.0  Organização de arquivos por contexto
- file-summary            v1.0.0  Extração e resumo de PDFs, Word, Excel

Workspace expandido:
- TOOLS.md: +Browser automation, Security audit, SQL, File management
- AGENTS.md: +Linux Analyst section (comandos, logs, rede, scripts) + Full-stack strategy
- MEMORY.md: 16 skills indexadas, stack map, comandos Linux ref
- SESSION-STATE.md: atualizado com contexto completo
- lock.json: sincronizado com 16 skills instaladas

skills/openclaw-power-ops/.clawhub/origin.json

@@ -0,0 +1,8 @@
+{
+  "version": 1,
+  "registry": "https://clawhub.ai",
+  "slug": "openclaw-power-ops",
+  "installedVersion": "1.0.0",
+  "installedAt": 1779234237641,
+  "fingerprint": "b4057eb506d2fb1c66094ee79c3cfc41a3c826854542cb89c9fe4393793318e7"
+}

skills/openclaw-power-ops/SKILL.md

@@ -0,0 +1,72 @@
+---
+name: openclaw-ops
+description: Operate and maintain OpenClaw installations — CLI commands, config management, channel/agent/model setup, security auditing, troubleshooting, and gateway administration. Use when adding Telegram bots, managing agents, changing models, editing config, running security audits, debugging gateway issues, rotating logs, managing cron, or any OpenClaw administrative task. Also use when asked to "set up OpenClaw," "add a channel," "fix the gateway," "audit security," or "check OpenClaw status."
+---
+
+# OpenClaw Operations
+
+Comprehensive reference for administering OpenClaw via CLI. Covers channels, agents, models, config, gateway, security, and maintenance.
+
+## Golden Rules
+
+1. **Never edit `openclaw.json` directly.** Use `openclaw config set/get/unset` or dedicated subcommands.
+2. **Always restart gateway after config changes:** `openclaw gateway restart`
+3. **Telegram accounts: NO `agent` field inside account config.** Route via `bindings` array instead.
+4. **Telegram `streaming`: must be string `"off"`, not boolean `false`.**
+5. **JSON values in `config set` need `--strict-json`.**
+6. **Verify after every change.** Run `openclaw status` or the relevant status command.
+
+## Quick Diagnostics
+
+```bash
+openclaw status              # overview
+openclaw status --deep       # detailed
+openclaw doctor              # find problems
+openclaw doctor --fix        # auto-fix what it can
+openclaw gateway health      # gateway health check
+openclaw security audit      # security scan
+openclaw security audit --deep --fix  # deep scan + auto-fix
+```
+
+## Deep Audit with Claude Code
+
+Load the docs *before* turning it loose — the difference is night and day.
+
+```bash
+cd ~/.openclaw
+claude
+# "Read https://docs.openclaw.ai/cli — the full CLI reference.
+#  Now read the config and architecture pages too."
+# Then: "Audit this workspace for security issues."
+```
+
+## CLI Reference
+
+For the full CLI cheatsheet covering all commands, config paths, and examples:
+→ Read [references/cli-cheatsheet.md](references/cli-cheatsheet.md)
+
+## Security Audit Reference
+
+For security findings, applied fixes, and remaining remediation items:
+→ Read [references/security-audit.md](references/security-audit.md)
+
+## Common Pitfalls
+
+| Mistake | Fix |
+|---------|-----|
+| Put `agent` field in Telegram account config | Use `bindings` array at top level |
+| Set `streaming: false` (boolean) | Must be `streaming: "off"` (string) |
+| Edited openclaw.json directly | Use CLI commands; `openclaw config set` |
+| Forgot gateway restart after config | Always `openclaw gateway restart` |
+| Used `jared@` for VPS SSH | Must use `root@clawdbot` |
+| Set `dmPolicy: "open"` with `allowFrom: ["*"]` | Use `"pairing"` or explicit user IDs |
+| Set `controlUi.allowedOrigins: ["*"]` | Restrict to `["http://localhost:PORT"]` |
+
+## Online Docs
+
+- Full docs: https://docs.openclaw.ai
+- CLI: https://docs.openclaw.ai/cli
+- Channels: https://docs.openclaw.ai/cli/channels
+- Agents: https://docs.openclaw.ai/cli/agents
+- Models: https://docs.openclaw.ai/cli/models
+- Config: https://docs.openclaw.ai/cli/config

skills/openclaw-power-ops/_meta.json

@@ -0,0 +1,6 @@
+{
+  "ownerId": "kn7bacwm69n7tcpt07tpp918z181n6tf",
+  "slug": "openclaw-power-ops",
+  "version": "1.0.0",
+  "publishedAt": 1772138086605
+}

skills/openclaw-power-ops/references/cli-cheatsheet.md

@@ -0,0 +1,257 @@
+# OpenClaw CLI Cheat Sheet
+*Created 2026-02-23. Reference: https://docs.openclaw.ai/cli*
+
+## ⚠️ GOLDEN RULE
+**Do NOT edit openclaw.json directly.** Use the CLI commands below. If unsure about a config key, ask Jared.
+
+---
+
+## Telegram Bots / Channels
+
+### Add a new Telegram bot
+```bash
+openclaw channels add --channel telegram --token <bot-token>
+```
+Then add a **binding** (routes messages to the right agent):
+```bash
+openclaw config set bindings '[...existing, {"agentId":"<agent-id>","match":{"channel":"telegram","accountId":"<account-id>"}}]' --strict-json
+```
+
+### List channels
+```bash
+openclaw channels list
+openclaw channels status
+```
+
+### Remove a channel
+```bash
+openclaw channels remove --channel telegram --delete
+```
+
+### Channel config keys to know
+- `dmPolicy`: "open" | "closed"
+- `groupPolicy`: "open" | "disabled"
+- `groupTrigger`: "all" | "mention" (whether bot responds to all group messages or only @mentions)
+- `streaming`: "off" (STRING, not boolean false!)
+- `allowFrom`: ["*"] or list of user IDs
+
+**Docs:** https://docs.openclaw.ai/cli/channels
+
+---
+
+## Agents
+
+### List agents
+```bash
+openclaw agents list
+```
+
+### Add a new agent
+```bash
+openclaw agents add <agent-id> --workspace <path>
+```
+
+### Set agent identity
+```bash
+openclaw agents set-identity --agent <id> --name "Name" --emoji "🏹" --avatar path/to/avatar.png
+# Or from IDENTITY.md:
+openclaw agents set-identity --workspace <path> --from-identity
+```
+
+### Delete an agent
+```bash
+openclaw agents delete <agent-id>
+```
+
+**Docs:** https://docs.openclaw.ai/cli/agents
+
+---
+
+## Models
+
+### Check current model status
+```bash
+openclaw models status
+openclaw models status --agent <id>  # per-agent
+openclaw models status --probe       # live auth check (uses tokens!)
+```
+
+### Set default model
+```bash
+openclaw models set <model-or-alias>
+# Examples:
+openclaw models set anthropic/claude-opus-4-6
+openclaw models set minimax/MiniMax-M2.5-Lightning
+openclaw models set Minimax  # alias
+```
+
+### List available models
+```bash
+openclaw models list
+```
+
+### Manage aliases
+```bash
+openclaw models aliases list
+openclaw models aliases add <alias> <provider/model>
+openclaw models aliases remove <alias>
+```
+
+### Manage fallbacks
+```bash
+openclaw models fallbacks list
+openclaw models fallbacks add <provider/model>
+openclaw models fallbacks remove <provider/model>
+openclaw models fallbacks clear
+```
+
+### Auth profiles
+```bash
+openclaw models auth add
+openclaw models auth login --provider <id>
+openclaw models auth setup-token
+openclaw models auth paste-token
+```
+
+### Scan for available models
+```bash
+openclaw models scan
+```
+
+**Docs:** https://docs.openclaw.ai/cli/models
+
+---
+
+## Config (get/set/unset)
+
+### Read a value
+```bash
+openclaw config get agents.defaults.workspace
+openclaw config get agents.list[0].id
+openclaw config get channels.telegram.accounts
+```
+
+### Set a value
+```bash
+openclaw config set <path> <value>
+# JSON values need --strict-json:
+openclaw config set agents.defaults.heartbeat.every "2h"
+openclaw config set gateway.port 19001 --strict-json
+openclaw config set channels.whatsapp.groups '["*"]' --strict-json
+```
+
+### Unset a value
+```bash
+openclaw config unset tools.web.search.apiKey
+```
+
+### Agent-specific config (by list index)
+```bash
+openclaw config get agents.list        # see all agents and their indices
+openclaw config set agents.list[1].tools.exec.node "node-id"
+```
+
+**Always restart gateway after config edits:**
+```bash
+openclaw gateway restart
+```
+
+**Docs:** https://docs.openclaw.ai/cli/config
+
+---
+
+## Gateway
+
+```bash
+openclaw gateway status
+openclaw gateway start
+openclaw gateway stop
+openclaw gateway restart
+openclaw gateway health
+```
+
+---
+
+## Sessions
+
+```bash
+openclaw sessions                  # list all
+openclaw sessions --active 120     # active in last 120 min
+openclaw sessions --json
+```
+
+---
+
+## Other Useful Commands
+
+### Status & diagnostics
+```bash
+openclaw status
+openclaw status --deep
+openclaw doctor
+openclaw doctor --fix
+```
+
+### Security
+```bash
+openclaw security audit
+openclaw security audit --deep
+openclaw security audit --fix
+```
+
+### Logs
+```bash
+openclaw logs
+openclaw channels logs --channel all
+```
+
+### Skills
+```bash
+openclaw skills list
+openclaw skills info <name>
+openclaw skills check
+```
+
+### Cron
+```bash
+openclaw cron list
+openclaw cron status
+openclaw cron add
+openclaw cron edit <id>
+openclaw cron rm <id>
+```
+
+### Memory
+```bash
+openclaw memory status
+openclaw memory index
+openclaw memory search "<query>"
+```
+
+---
+
+## Key Config Paths (for `config get/set`)
+
+| Path | What it controls |
+|------|-----------------|
+| `agents.list` | All agent definitions |
+| `agents.list[N].id` | Agent ID |
+| `agents.list[N].model` | Agent's model |
+| `agents.list[N].workspace` | Agent workspace path |
+| `agents.list[N].thinking` | Reasoning display ("off"/"on"/"stream") |
+| `agents.defaults.model.primary` | Default model for all agents |
+| `agents.defaults.model.fallbacks` | Fallback model list |
+| `agents.defaults.subagents` | Subagent config (maxConcurrent, maxSpawnDepth, etc.) |
+| `agents.defaults.heartbeat.every` | Heartbeat interval |
+| `channels.telegram.accounts` | All Telegram bot accounts |
+| `bindings` | Agent ↔ channel routing rules |
+| `tools.sessions.visibility` | Cross-agent messaging ("all"/"none") |
+| `gateway.port` | Gateway port |
+
+---
+
+## Reminders
+- **Restart gateway** after any config change
+- **Use CLI** for config changes, not direct JSON editing
+- Telegram accounts: NO `agent` field inside account config — use `bindings` array
+- Telegram `streaming`: must be string `"off"`, not boolean `false`

skills/openclaw-power-ops/references/security-audit.md

@@ -0,0 +1,66 @@
+# OpenClaw Security Audit Reference
+
+This combines findings, applied changes, and remaining remediation from a comprehensive security audit. Use as a template for auditing any OpenClaw installation.
+
+## Severity Levels & Common Findings
+
+### Critical
+
+1. **Plaintext secrets in openclaw.json** — API keys, bot tokens, passwords stored in cleartext. Migrate to credential store, env vars, or `tokenFile` references.
+2. **Gateway auth disabled** (`gateway.auth.mode: "none"`) — Anyone on the network can access the full gateway API. Set to `"token"` with a strong bearer token.
+3. **Open DM policies** (`dmPolicy: "open"` + `allowFrom: ["*"]`) — Anyone can message your bots. Change to `"pairing"` or explicit allowlists.
+
+### High
+
+4. **Control UI wildcard origins** (`allowedOrigins: ["*"]`) — CSRF risk. Restrict to localhost.
+5. **World-readable credentials** — WhatsApp session files at 644. Fix: `chmod 600`.
+6. **Unencrypted node communication** — Set `tls: true` in `node.json`.
+
+### Medium
+
+7. **Permissive directory modes** — `credentials/`, `identity/`, `logs/`, `browser/`, `skills/` at 755. Fix: `chmod 700`.
+8. **Unrestricted subagent access** — `allowAgents: ["*"]` lets any agent spawn as any other. Scope to specific lists.
+9. **Group bots not requiring @mention** — Responds to every message, wasting tokens.
+
+### Low
+
+10. **Config backup proliferation** — Multiple `.bak` files containing secrets.
+11. **Orphaned agent directories** — Stale data from deleted agents.
+12. **Unrotated logs** — Gateway logs growing unbounded.
+13. **Stale cron run logs** and temp files.
+
+## Remediation Checklist Template
+
+### Immediate (Critical)
+
+- [ ] Enable gateway auth: `openclaw config set gateway.auth.mode "token" && openclaw config set gateway.auth.token "$(openssl rand -base64 32)"`
+- [ ] Lock Telegram DMs: change each account to `dmPolicy: "pairing"`, remove `allowFrom: ["*"]`
+- [ ] Fix credential permissions: `chmod 600` on all credential files, `chmod 700` on credential directories
+- [ ] Migrate bot tokens to `tokenFile` references (create `credentials/telegram/<bot>.token` files at 600)
+
+### High Priority
+
+- [ ] Restrict control UI origins to localhost
+- [ ] Enable node TLS
+- [ ] Fix directory permissions (700 for sensitive dirs)
+
+### Medium Priority
+
+- [ ] Scope subagent access per agent
+- [ ] Enable `requireMention` on group bots
+- [ ] Run `openclaw security audit --deep --fix`
+
+### Maintenance
+
+- [ ] Delete stale config backups
+- [ ] Remove orphaned agent directories
+- [ ] Set up log rotation
+- [ ] Clean cron run logs periodically
+- [ ] Remove `.DS_Store` and temp files
+
+## Post-Change Actions
+
+1. `openclaw gateway restart`
+2. Test all Telegram bots (existing paired users still work; new users need pairing codes)
+3. Verify node connectivity if TLS was changed
+4. Update backup after confirming new config works