
by jmagar

tailscale – OpenClaw Skill

tailscale is an OpenClaw Skills integration for coding workflows. Manage Tailscale tailnet via CLI and API. Use when the user asks to "check tailscale status", "list tailscale devices", "ping a device", "send file via tailscale", "tailscale funnel", "create auth key", "check who's online", or mentions Tailscale network management.

5.1k stars | 2.8k forks | Security L1
Updated Feb 7, 2026 | Created Feb 7, 2026 | coding

Skill Snapshot

name: tailscale
description: Manage Tailscale tailnet via CLI and API. Use when the user asks to "check tailscale status", "list tailscale devices", "ping a device", "send file via tailscale", "tailscale funnel", "create auth key", "check who's online", or mentions Tailscale network management. OpenClaw Skills integration.
owner: jmagar
repository: jmagar/tailscale
language: Markdown
license: MIT
topics:
security: L1
install: openclaw add @jmagar/tailscale
last updated: Feb 7, 2026

Maintainer

jmagar

Maintains tailscale in the OpenClaw Skills directory.

File Explorer (5 files)

  • scripts/ts-api.sh (8.2 KB)
  • _meta.json (270 B)
  • README.md (2.8 KB)
  • SKILL.md (3.8 KB)

SKILL.md

name: tailscale
version: 1.0.0
description: Manage Tailscale tailnet via CLI and API. Use when the user asks to "check tailscale status", "list tailscale devices", "ping a device", "send file via tailscale", "tailscale funnel", "create auth key", "check who's online", or mentions Tailscale network management.

Tailscale Skill

Hybrid skill using CLI for local operations and API for tailnet-wide management.

Setup

API config (optional, for tailnet-wide operations): ~/.clawdbot/credentials/tailscale/config.json

{
  "apiKey": "tskey-api-k...",
  "tailnet": "-"
}

Get your API key from: Tailscale Admin Console → Settings → Keys → Generate API Key

The tailnet can be - (auto-detect), your org name, or email domain.


Local Operations (CLI)

These work on the current machine only.

Status & Diagnostics

# Current status (peers, connection state)
tailscale status
tailscale status --json | jq '.Peer | to_entries[] | {name: .value.HostName, ip: .value.TailscaleIPs[0], online: .value.Online}'

# Network diagnostics (NAT type, DERP, UDP)
tailscale netcheck
tailscale netcheck --format=json

# Get this machine's Tailscale IP
tailscale ip -4

# Identify a Tailscale IP
tailscale whois 100.x.x.x

Connectivity

# Ping a peer (shows direct vs relay)
tailscale ping <hostname-or-ip>

# Connect/disconnect
tailscale up
tailscale down

# Use an exit node
tailscale up --exit-node=<node-name>
tailscale exit-node list
tailscale exit-node suggest

File Transfer (Taildrop)

# Send files to a device
tailscale file cp myfile.txt <device-name>:

# Receive files (moves from inbox to directory)
tailscale file get ~/Downloads
tailscale file get --wait ~/Downloads  # blocks until file arrives

Expose Services

# Share locally within tailnet (private)
tailscale serve 3000
tailscale serve https://localhost:8080

# Share publicly to internet
tailscale funnel 8080

# Check what's being served
tailscale serve status
tailscale funnel status

SSH

# SSH via Tailscale (uses MagicDNS)
tailscale ssh user@hostname

# Enable SSH server on this machine
tailscale up --ssh

Tailnet-Wide Operations (API)

These manage your entire tailnet. Requires API key.

List All Devices

./scripts/ts-api.sh devices

# With details
./scripts/ts-api.sh devices --verbose

Device Details

./scripts/ts-api.sh device <device-id-or-name>

Check Online Status

# Quick online check for all devices
./scripts/ts-api.sh online

Authorize/Delete Device

./scripts/ts-api.sh authorize <device-id>
./scripts/ts-api.sh delete <device-id>

Device Tags & Routes

./scripts/ts-api.sh tags <device-id> tag:server,tag:prod
./scripts/ts-api.sh routes <device-id>

Auth Keys

# Create a reusable auth key
./scripts/ts-api.sh create-key --reusable --tags tag:server

# Create ephemeral key (device auto-removes when offline)
./scripts/ts-api.sh create-key --ephemeral

# List keys
./scripts/ts-api.sh keys

DNS Management

./scripts/ts-api.sh dns                 # Show DNS config
./scripts/ts-api.sh dns-nameservers     # List nameservers
./scripts/ts-api.sh magic-dns <on|off>  # Toggle MagicDNS (pass either on or off)

ACLs

./scripts/ts-api.sh acl                 # Get current ACL
./scripts/ts-api.sh acl-validate <file> # Validate ACL file

Common Use Cases

"Who's online right now?"

./scripts/ts-api.sh online

"Send this file to my phone"

tailscale file cp document.pdf my-phone:

"Expose my dev server publicly"

tailscale funnel 3000

"Create a key for a new server"

./scripts/ts-api.sh create-key --reusable --tags tag:server --expiry 7d

"Is the connection direct or relayed?"

tailscale ping my-server
README.md

Tailscale Skill

Manage your Tailscale tailnet from Clawdbot.

What It Does

CLI (local operations):

  • Status — check connection status, peers, NAT type
  • Ping — test connectivity to peers (direct vs relay)
  • File transfer — send/receive files via Taildrop
  • Serve/Funnel — expose local services privately or publicly
  • SSH — connect via Tailscale SSH

API (tailnet-wide):

  • Devices — list all devices, authorize/delete, set tags
  • Auth keys — create reusable/ephemeral keys for new devices
  • DNS — manage nameservers, toggle MagicDNS
  • ACLs — view and validate access control policies

Setup

CLI Only (No Config Needed)

The tailscale CLI works out of the box for local operations:

tailscale status
tailscale ping my-server
tailscale file cp document.pdf my-phone:

API Access (for Tailnet-wide Operations)

1. Create an API Key

  1. Go to Tailscale Admin Console
  2. Click Generate API Key
  3. Copy the key (starts with tskey-api-)

2. Create Credentials File

mkdir -p ~/.clawdbot/credentials/tailscale
cp config.json.example ~/.clawdbot/credentials/tailscale/config.json
# Edit with your actual API key

Or create manually:

{
  "apiKey": "tskey-api-your-key-here",
  "tailnet": "-"
}

The tailnet can be:

  • - (auto-detect from API key)
  • Your organization name
  • Your email domain

3. Test It

./scripts/ts-api.sh devices
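
The credentials file from step 2 holds a key that can authorize and delete devices, mint auth keys and change DNS for the whole tailnet, and `mkdir -p` plus `cp` leave it at whatever the current umask allows. The pre-flight check below is an added example, not part of the skill's repository: `check_ts_credentials` and its OK/FAIL output are hypothetical, and it assumes the flat two-key JSON layout shown above.

```shell
#!/usr/bin/env bash
# Added example: audit the skill's credentials file before ts-api.sh reads it.
# Assumes the flat two-key JSON shown above; the key itself is never printed.

file_mode() {  # octal permission bits: GNU stat first, BSD stat as fallback
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_ts_credentials() {  # hypothetical helper name
  local f="$1" dir mode key findings=0
  dir=$(dirname "$f")

  if [ -L "$f" ] || [ ! -f "$f" ]; then
    echo "FAIL: $f is missing, a symlink, or not a regular file"
    return 1
  fi

  mode=$(file_mode "$f")
  case "$mode" in
    *00) ;;  # owner-only, e.g. 600 or 400
    *) echo "FAIL: $f is mode $mode; key readable beyond its owner (want 600)"
       findings=1 ;;
  esac

  mode=$(file_mode "$dir")
  case "$mode" in
    *[2367]?|*[2367])  # group- or world-writable: the file could be swapped
      echo "FAIL: $dir is mode $mode; remove group/other write (want 700)"
      findings=1 ;;
  esac

  # Pull the apiKey value without jq; only its prefix is inspected.
  key=$(sed -n 's/.*"apiKey"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
  case "$key" in
    tskey-api-your-key-here) echo "FAIL: placeholder key still in $f"; findings=1 ;;
    tskey-api-?*) ;;
    tskey-auth-*) echo "FAIL: apiKey holds a device auth key, not an API key"; findings=1 ;;
    *) echo "FAIL: apiKey missing or not in tskey-api- form"; findings=1 ;;
  esac

  [ "$findings" -eq 0 ] && echo "OK: $f"
  return "$findings"
}

# Usage: check_ts_credentials ~/.clawdbot/credentials/tailscale/config.json
```

A non-zero return means at least one finding; `chmod 600` on the file and `chmod 700` on its directory clear the permission findings.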

Usage Examples

Local CLI operations

# Status and diagnostics
tailscale status
tailscale netcheck

# Ping a peer
tailscale ping my-server

# Send a file
tailscale file cp myfile.txt my-phone:

# Expose a local service
tailscale serve 3000           # Private (tailnet only)
tailscale funnel 8080          # Public (internet)

API operations

# List all devices
ts-api.sh devices
ts-api.sh devices --verbose

# Check who's online
ts-api.sh online

# Device details
ts-api.sh device my-server

# Create auth key
ts-api.sh create-key --reusable --tags tag:server --expiry 7d

# List auth keys
ts-api.sh keys

# Authorize/delete device
ts-api.sh authorize <device-id>
ts-api.sh delete <device-id>

# DNS management
ts-api.sh dns
ts-api.sh magic-dns on

Environment Variables (Alternative)

export TS_API_KEY="tskey-api-..."
export TS_TAILNET="-"

Troubleshooting

"No API key configured"
→ Create config file at ~/.clawdbot/credentials/tailscale/config.json or set TS_API_KEY

401 Unauthorized
→ API key is invalid or expired — generate a new one

"tailscale: command not found"
→ Install Tailscale: https://tailscale.com/download

Device not found by name
→ The script searches by hostname. Use the full device ID if name lookup fails.

License

MIT

Permissions & Security

Security level L1: Low-risk skills with minimal permissions. Review inputs and outputs before running in production.

Requirements

  • OpenClaw CLI installed and configured.
  • Language: Markdown
  • License: MIT

FAQ

How do I install tailscale?

Run openclaw add @jmagar/tailscale in your terminal. This installs tailscale into your OpenClaw Skills catalog.

Does this skill run locally or in the cloud?

OpenClaw Skills execute locally by default. Review the SKILL.md and permissions before running any skill.

Where can I verify the source code?

The source repository is available at https://github.com/openclaw/skills/tree/main/skills/jmagar/tailscale. Review commits and README documentation before installing.