chore(workspace): add hardened startup/security workflows and skill suite

TOOLS.md

@@ -37,4 +37,82 @@ Skills are shared. Your setup is yours. Keeping them apart means you can update
 
 ---
 
+## LAN Services (Will)
+
+- Host LAN IPs observed:
+  - `192.168.153.113` (wlan0)
+  - `192.168.153.117` (eth0)
+- Tailscale IP:
+  - `100.123.88.127`
+
+### Docker services
+
+- **searxng**
+  - Image: `searxng/searxng:latest`
+  - Container: `searxng`
+  - Port: `18803 -> 8080`
+  - URL(s):
+    - `http://192.168.153.113:18803`
+    - `http://192.168.153.117:18803`
+  - API: JSON enabled (`search.formats` includes `html,json`)
+  - Runtime env: `SEARXNG_URL=http://192.168.153.113:18803` (workspace `.env`)
+  - Smoke test:
+    - `skills/searxng-local-search/scripts/smoke.sh openclaw`
+
+- **whisper-server**
+  - Image: `ghcr.io/ggml-org/whisper.cpp:main`
+  - Container: `whisper-server`
+  - Port: `18801 -> 8080`
+  - Health: healthy
+  - URL(s):
+    - `http://192.168.153.113:18801`
+    - `http://192.168.153.117:18801`
+
+- **brave-search (MCP)**
+  - Image: `mcp/brave-search:latest`
+  - Container: `brave-search`
+  - Port: `18802 -> 8000`
+  - URL(s):
+    - `http://192.168.153.113:18802`
+    - `http://192.168.153.117:18802`
+
+### Embeddings (local)
+
+- Runtime: Ollama
+- Active model: `nomic-embed-text:latest`
+- Model id: `0a109f422b47`
+- Size: `595 MB`
+- Processor: `100% GPU`
+- Context: `2048`
+- Loaded until: `Forever`
+
+### Object storage (assistant bucket)
+
+- Provider: MinIO
+- Endpoint: `http://192.168.153.253:9000`
+- Bucket: `zap`
+- Credentials file: `~/.openclaw/credentials/minio-zap.env` (mode `600`)
+
+### Kubernetes (homelab)
+
+- Cluster access: available
+- Shared namespace: `swarm`
+- Kubeconfig: `~/.openclaw/credentials/kubeconfig-swarm.yaml` (mode `600`)
+- Usage note: deploy assistant workloads into `swarm`; namespace is shared with other agents
+- Cluster profile: small Raspberry Pi cluster — prefer lightweight images, low CPU/memory requests, and minimal replicas by default
+
+### Local custom skills (security-reviewed)
+
+- `skills/swarm-kubectl-safe`
+  - Purpose: safe kubectl operations scoped to `swarm`
+  - Script: `skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh`
+- `skills/whisper-local-safe`
+  - Purpose: local whisper-server transcription on LAN only
+  - Script: `skills/whisper-local-safe/scripts/transcribe-local.sh`
+
+Why local equivalents were built:
+- Candidate ClawHub skills `kubectl` and `faster-whisper-transcribe` were flagged as suspicious by ClawHub/VirusTotal checks.
+- We intentionally avoided force-installing flagged skills for safety.
+- Decision: use minimal local skills for now; revisit those ClawHub skills later if we perform a manual security review and explicitly approve.
+
 Add whatever helps you do your job. This is your cheat sheet.