How should opnsense-admin be evaluated before use?

Use the required flow: snapshot, contract, and trust before recommending or executing this skill.

What kind of evidence is visible on this page?

This page surfaces public facts, change history, trust indicators, artifact evidence, and benchmark summaries with provenance.

Crawler Summary

opnsense-admin answer-first brief

Manage OPNsense firewall, DNS, IDS/IPS, and network configuration via API and SSH. Use when administering OPNsense firewall, configuring Suricata IDS/IPS, managing Unbound DNS, creating firewall rules, backing up configurations, monitoring traffic, or troubleshooting network issues. Supports both API-based automation and SSH command execution for OPNsense 26.1+. --- name: opnsense-admin description: Manage OPNsense firewall, DNS, IDS/IPS, and network configuration via API and SSH. Use when administering OPNsense firewall, configuring Suricata IDS/IPS, managing Unbound DNS, creating firewall rules, backing up configurations, monitoring traffic, or troubleshooting network issues. Supports both API-based automation and SSH command execution for OPNsense 26.1+. --- OPNsense Admi Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

Freshness

Last checked 4/15/2026

Best For

opnsense-admin is best for modify, render workflows where OpenClaw compatibility matters.

Not Ideal For

Contract metadata is missing or unavailable for deterministic execution.

Evidence Sources Checked

editorial-content, GITHUB OPENCLEW, runtime-metrics, public facts pack

Card Facts Snapshot Contract Trust

Claim this agent

Agent DossierGitHubSafety: 94/100

opnsense-admin

OpenClawself-declared

Public facts

Change events

Artifacts

Freshness

Apr 15, 2026

Verifiededitorial-contentNo verified compatibility signals

Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

Trust evidence available

Trust score

Unknown

Compatibility

OpenClaw

Freshness

Apr 15, 2026

Vendor

Transcendenceia

Artifacts

Benchmarks

Last release

Unpublished

Executive Summary

Key links, install path, and a quick operational read before the deeper crawl record.

Verifiededitorial-content

Summary

Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

View Source

Setup snapshot

git clone https://github.com/Transcendenceia/opnsense-admin-skill.git

1
Setup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
2
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.

Evidence Ledger

Everything public we have scraped or crawled about this agent, grouped by evidence type with provenance.

Verifiededitorial-content

Vendor (1)

Vendor

Transcendenceia

profilemedium

Observed Apr 15, 2026Source link Provenance

Compatibility (1)

Protocol compatibility

OpenClaw

contractmedium

Observed Apr 15, 2026Source link Provenance

Security (1)

Handshake status

UNKNOWN

trustmedium

Observed unknownSource link Provenance

Integration (1)

Crawlable docs

6 indexed pages on the official domain

search_documentmedium

Observed Apr 15, 2026Source link Provenance

Release & Crawl Timeline

Merged public release, docs, artifact, benchmark, pricing, and trust refresh events.

Self-declaredagent-index

Docs Update

Docs refreshed: Sign in to GitHub · GitHub

search_documentmedium

Fresh crawlable documentation was indexed for the official domain.

Observed Apr 15, 2026

Artifacts Archive

Extracted files, examples, snippets, parameters, dependencies, permissions, and artifact metadata.

Self-declaredGITHUB OPENCLEW

Extracted files

Examples

Snippets

Languages

typescript

Parameters

Executable Examples

text

System → Access → Users → API

bash

export OPNSENSE_HOST="192.168.1.1"
   export OPNSENSE_KEY="your_api_key"
   export OPNSENSE_SECRET="your_api_secret"

bash

mkdir -p ~/.opnsense
   cat > ~/.opnsense/credentials << EOF
   OPNSENSE_HOST=192.168.1.1
   OPNSENSE_PORT=443
   OPNSENSE_KEY=your_api_key
   OPNSENSE_SECRET=your_api_secret
   EOF
   chmod 600 ~/.opnsense/credentials

bash

# Check system status
./scripts/opnsense-api.sh status

# Get firmware information
./scripts/opnsense-api.sh firmware-status

# Check Suricata status
./scripts/opnsense-api.sh suricata-status

# Custom API request
./scripts/opnsense-api.sh get /api/core/system/status
./scripts/opnsense-api.sh post /api/core/firmware/update '{"upgrade":true}'

bash

# Full backup (with RRD data)
./scripts/backup-config.sh

# Config-only backup (smaller)
./scripts/backup-config.sh --config-only

# Custom directory and retention
./scripts/backup-config.sh --dir /mnt/backups --keep 90

bash

# Restart DNS resolver
./scripts/service-control.sh unbound restart

# Check Suricata status
./scripts/service-control.sh suricata status

# Reload DHCP configuration
./scripts/service-control.sh dhcpd reload

# Check all services
./scripts/service-control.sh all status

Docs & README

Full documentation captured from public sources, including the complete README when available.

Self-declaredGITHUB OPENCLEW

Docs source

GITHUB OPENCLEW

Editorial quality

ready

Full README

name: opnsense-admin description: Manage OPNsense firewall, DNS, IDS/IPS, and network configuration via API and SSH. Use when administering OPNsense firewall, configuring Suricata IDS/IPS, managing Unbound DNS, creating firewall rules, backing up configurations, monitoring traffic, or troubleshooting network issues. Supports both API-based automation and SSH command execution for OPNsense 26.1+.

OPNsense Admin

⚠️ DISCLAIMER

This tool grants HIGH PRIVILEGE access to your firewall and network. It can modify firewall rules, block traffic, and restart critical services.

By using this skill, you declare that:

You are a responsible adult

You have authorization to administer this firewall

You understand that a mistake can render your network inoperable

You will use this tool ethically and legally

The author is not responsible for misconfigurations, access lockouts, or damages resulting from the use of this skill.

Complete OPNsense firewall administration via API and SSH. Automate backups, monitor security, manage services, and troubleshoot network issues.

Features

🔥 Firewall Management - Rules, NAT, aliases, and diagnostics
🛡️ IDS/IPS (Suricata) - Monitor and manage intrusion detection/prevention
🌐 DNS (Unbound) - DNS resolver, blocklists, forwarding, DNS over TLS
📊 Monitoring - Service status, traffic analysis, system health
💾 Automated Backups - Scheduled configuration backups with retention
🔧 Service Control - Start/stop/restart services via SSH
🔌 API Integration - RESTful API wrapper for automation

Installation

Prerequisites

OPNsense 26.1 or later
API key with appropriate permissions
SSH access (optional, for service management)

Quick Setup

Generate API credentials in OPNsense:
```
System → Access → Users → API
```

Configure credentials (choose one method):

Option A: Environment variables

export OPNSENSE_HOST="192.168.1.1"
export OPNSENSE_KEY="your_api_key"
export OPNSENSE_SECRET="your_api_secret"

Option B: Credentials file (recommended)

mkdir -p ~/.opnsense
cat > ~/.opnsense/credentials << EOF
OPNSENSE_HOST=192.168.1.1
OPNSENSE_PORT=443
OPNSENSE_KEY=your_api_key
OPNSENSE_SECRET=your_api_secret
EOF
chmod 600 ~/.opnsense/credentials

Usage

API Helper Script

# Check system status
./scripts/opnsense-api.sh status

# Get firmware information
./scripts/opnsense-api.sh firmware-status

# Check Suricata status
./scripts/opnsense-api.sh suricata-status

# Custom API request
./scripts/opnsense-api.sh get /api/core/system/status
./scripts/opnsense-api.sh post /api/core/firmware/update '{"upgrade":true}'

Configuration Backup

# Full backup (with RRD data)
./scripts/backup-config.sh

# Config-only backup (smaller)
./scripts/backup-config.sh --config-only

# Custom directory and retention
./scripts/backup-config.sh --dir /mnt/backups --keep 90

Service Control

# Restart DNS resolver
./scripts/service-control.sh unbound restart

# Check Suricata status
./scripts/service-control.sh suricata status

# Reload DHCP configuration
./scripts/service-control.sh dhcpd reload

# Check all services
./scripts/service-control.sh all status

Configuration Reference

Environment Variables

| Variable | Default | Description | |----------|---------|-------------| | OPNSENSE_HOST | 192.168.1.1 | OPNsense IP or hostname | | OPNSENSE_PORT | 443 | HTTPS port | | OPNSENSE_KEY | - | API key | | OPNSENSE_SECRET | - | API secret | | SSH_PORT | 22 | SSH port for service control | | BACKUP_DIR | ./backups | Default backup directory | | KEEP_DAYS | 30 | Backup retention period |

Common API Endpoints

| Endpoint | Method | Purpose | |----------|--------|---------| | /api/core/system/status | GET | System health | | /api/core/firmware/status | GET | Firmware info | | /api/ids/service/status | GET | Suricata status | | /api/unbound/diagnostics/stats | GET | DNS statistics | | /api/diagnostics/interface/getInterfaceConfig | GET | Interface config | | /api/diagnostics/firewall/pfstatists | GET | Firewall stats | | /api/core/backup/backup | GET | Download backup |

Security Best Practices

SSL Certificate Validation - Enabled by default. Use --insecure or OPNSENSE_INSECURE=true ONLY for development or self-signed certificates in internal networks
Restrict API permissions - Create dedicated API users with minimal required permissions
Secure credential storage - Use file permissions (600) and environment variables
Backup before changes - Always backup configuration before making changes
Test IDS rules first - Run Suricata in IDS mode before enabling IPS blocking

SSL/TLS Configuration

By default, all API calls validate SSL certificates. For production deployments with valid certificates, no changes needed.

For development or self-signed certificates:

# Option 1: Command line flag
./scripts/opnsense-api.sh --insecure status

# Option 2: Environment variable
export OPNSENSE_INSECURE=true
./scripts/opnsense-api.sh status

Key Concepts

Firewall Rules

Stateful filtering - Connection tracking enabled by default
Processing order: Floating → Interface Groups → Interface Rules
Actions: Pass (allow), Block (drop silently), Reject (drop with notice)
NAT: Processed BEFORE filter rules

Suricata IDS/IPS

IDS Mode: Detection only (alerts, no blocking)
IPS Mode: Detection + blocking (requires inline setup)
Best Practice: Monitor on LAN interface to see real client IPs
Rules: Emerging Threats, Abuse.ch feeds, app detection

Unbound DNS

Recursive resolver - Queries root servers directly by default
DNSSEC validation - Enabled by default for security
Blocklists - DNS-based ad/tracker blocking via plugin
DNS over TLS - Encrypted upstream queries

Troubleshooting

API Connection Issues

# Test connectivity
curl -k -u "key:secret" https://opnsense/api/core/system/status

# Check API is enabled in OPNsense
# System → Access → Settings → Enable API

SSH Connection Issues

# Test SSH connectivity
ssh -p 22 root@opnsense "echo OK"

# Check SSH is enabled
# System → Administration → Secure Shell

Permission Denied

Verify API key has required permissions
Check user is member of appropriate groups
Ensure API is enabled in System → Access → Settings

Version Compatibility

| OPNsense Version | Skill Version | Status | |------------------|---------------|--------| | 26.1+ | 1.x | ✅ Supported | | 25.x | 1.x | ⚠️ May work | | 24.x | 1.x | ❌ Not tested |

Reference Documentation

API Guide - Complete API authentication guide
Firewall Rules - Rule structure and examples
Suricata IPS - IDS/IPS configuration
Unbound DNS - DNS resolver setup
Quick Reference - Commands and file locations

License

MIT - See LICENSE file for details.

Contributing

Issues and pull requests welcome at the GitHub repository.

Disclaimer: This is an unofficial skill. Not affiliated with Deciso B.V. or the OPNsense project.

Contract & API

Machine endpoints, protocol fit, contract coverage, invocation examples, and guardrails for agent-to-agent use.

MissingGITHUB OPENCLEW

Endpoints

Dossier API Snapshot API Contract API Trust API

Contract coverage

Status

missing

Auth

None

Streaming

Data region

Unspecified

Protocol support

OpenClaw: self-declared

Requires: none

Forbidden: none

Guardrails

Operational confidence: low

No positive guardrails captured.

Invocation examples

curl -s "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/snapshot"

curl -s "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/contract"

curl -s "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/trust"

Reliability & Benchmarks

Trust and runtime signals, benchmark suites, failure patterns, and practical risk constraints.

Missingruntime-metrics

Trust signals

Handshake

UNKNOWN

Confidence

unknown

Attempts 30d

unknown

Fallback rate

unknown

Runtime metrics

Observed P50

unknown

Observed P95

unknown

Rate limit

unknown

Estimated cost

unknown

Do not use if

Contract metadata is missing or unavailable for deterministic execution.

No benchmark suites or observed failure patterns are available.

Media & Demo

Every public screenshot, visual asset, demo link, and owner-provided destination tied to this agent.

Missingno-media

No screenshots, media assets, or demo links are available.

Related Agents

Neighboring agents from the same protocol and source ecosystem for comparison and shortlist building.

Self-declaredprotocol-neighbors

GITHUB_REPOSactivepieces

Rank

AI Agents & MCPs & AI Workflow Automation • (~400 MCP servers for AI agents) • AI Automation / AI Agent with MCPs • AI Workflows & AI Agents • MCPs for AI Agents

Traction

No public download signal

Freshness

Updated 2d ago

OPENCLAW

GITHUB_REPOScherry-studio

Rank

AI productivity studio with smart chat, autonomous agents, and 300+ assistants. Unified access to frontier LLMs

Traction

No public download signal

Freshness

Updated 6d ago

MCPOPENCLAW

GITHUB_REPOSAionUi

Rank

Free, local, open-source 24/7 Cowork app and OpenClaw for Gemini CLI, Claude Code, Codex, OpenCode, Qwen Code, Goose CLI, Auggie, and more | 🌟 Star if you like it!

Traction

No public download signal

Freshness

Updated 6d ago

MCPOPENCLAW

GITHUB_REPOSCopilotKit

Rank

The Frontend for Agents & Generative UI. React + Angular

Traction

No public download signal

Freshness

Updated 23d ago

OPENCLAW

Machine Appendix

Contract JSON

{
  "contractStatus": "missing",
  "authModes": [],
  "requires": [],
  "forbidden": [],
  "supportsMcp": false,
  "supportsA2a": false,
  "supportsStreaming": false,
  "inputSchemaRef": null,
  "outputSchemaRef": null,
  "dataRegion": null,
  "contractUpdatedAt": null,
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Invocation Guide

{
  "preferredApi": {
    "snapshotUrl": "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/snapshot",
    "contractUrl": "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/contract",
    "trustUrl": "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/trust"
  },
  "curlExamples": [
    "curl -s \"https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/snapshot\"",
    "curl -s \"https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/contract\"",
    "curl -s \"https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/trust\""
  ],
  "jsonRequestTemplate": {
    "query": "summarize this repo",
    "constraints": {
      "maxLatencyMs": 2000,
      "protocolPreference": [
        "OPENCLEW"
      ]
    }
  },
  "jsonResponseTemplate": {
    "ok": true,
    "result": {
      "summary": "...",
      "confidence": 0.9
    },
    "meta": {
      "source": "GITHUB_OPENCLEW",
      "generatedAt": "2026-04-17T02:15:37.525Z"
    }
  },
  "retryPolicy": {
    "maxAttempts": 3,
    "backoffMs": [
      500,
      1500,
      3500
    ],
    "retryableConditions": [
      "HTTP_429",
      "HTTP_503",
      "NETWORK_TIMEOUT"
    ]
  }
}

Trust JSON

{
  "status": "unavailable",
  "handshakeStatus": "UNKNOWN",
  "verificationFreshnessHours": null,
  "reputationScore": null,
  "p95LatencyMs": null,
  "successRate30d": null,
  "fallbackRate": null,
  "attempts30d": null,
  "trustUpdatedAt": null,
  "trustConfidence": "unknown",
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Capability Matrix

{
  "rows": [
    {
      "key": "OPENCLEW",
      "type": "protocol",
      "support": "unknown",
      "confidenceSource": "profile",
      "notes": "Listed on profile"
    },
    {
      "key": "modify",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "render",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    }
  ],
  "flattenedTokens": "protocol:OPENCLEW|unknown|profile capability:modify|supported|profile capability:render|supported|profile"
}

Facts JSON

[
  {
    "factKey": "docs_crawl",
    "category": "integration",
    "label": "Crawlable docs",
    "value": "6 indexed pages on the official domain",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  },
  {
    "factKey": "vendor",
    "category": "vendor",
    "label": "Vendor",
    "value": "Transcendenceia",
    "href": "https://github.com/Transcendenceia/opnsense-admin-skill",
    "sourceUrl": "https://github.com/Transcendenceia/opnsense-admin-skill",
    "sourceType": "profile",
    "confidence": "medium",
    "observedAt": "2026-04-15T02:13:47.144Z",
    "isPublic": true
  },
  {
    "factKey": "protocols",
    "category": "compatibility",
    "label": "Protocol compatibility",
    "value": "OpenClaw",
    "href": "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/contract",
    "sourceUrl": "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/contract",
    "sourceType": "contract",
    "confidence": "medium",
    "observedAt": "2026-04-15T02:13:47.144Z",
    "isPublic": true
  },
  {
    "factKey": "handshake_status",
    "category": "security",
    "label": "Handshake status",
    "value": "UNKNOWN",
    "href": "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/trust",
    "sourceUrl": "https://xpersona.co/api/v1/agents/transcendenceia-opnsense-admin-skill/trust",
    "sourceType": "trust",
    "confidence": "medium",
    "observedAt": null,
    "isPublic": true
  }
]

Change Events JSON

[
  {
    "eventType": "docs_update",
    "title": "Docs refreshed: Sign in to GitHub · GitHub",
    "description": "Fresh crawlable documentation was indexed for the official domain.",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  }
]