diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000..999cd97
Binary files /dev/null and b/.DS_Store differ
diff --git a/rdk-claw/.DS_Store b/rdk-claw/.DS_Store
new file mode 100644
index 0000000..eb4daa1
Binary files /dev/null and b/rdk-claw/.DS_Store differ
diff --git a/rdk-claw/Containerfile b/rdk-claw/Containerfile
new file mode 100644
index 0000000..4cbd997
--- /dev/null
+++ b/rdk-claw/Containerfile
@@ -0,0 +1,38 @@
+FROM ghcr.io/openclaw/openclaw:latest
+
+USER root
+
+# 安装 tini 进程管理器
+RUN curl -fsSL https://github.com/krallin/tini/releases/download/v0.19.0/tini-static -o /home/node/tini && chmod +x /home/node/tini
+
+# 安装 skillhub
+RUN curl -fsSL https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/install.sh | bash
+RUN cp /root/.local/bin/skillhub /usr/local/bin/skillhub && chmod +x /usr/local/bin/skillhub && mkdir -p /workspace/default && chmod 1777 /workspace/default
+
+# 创建 gateway-watchdog.sh 守护脚本
+RUN printf '%s\n' \
+    '#!/usr/bin/env bash' \
+    'set -euo pipefail' \
+    '' \
+    'while true; do' \
+    '    echo "Starting gateway..."' \
+    '    openclaw gateway --allow-unconfigured' \
+    '    EXIT_CODE=$?' \
+    '    echo "Gateway exited with code $EXIT_CODE, restarting in 2s..."' \
+    '    sleep 2' \
+    'done' > /usr/local/bin/gateway-watchdog.sh && chmod +x /usr/local/bin/gateway-watchdog.sh
+
+# 替换 SOUL.md 和 IDENTITY.md
+COPY SOUL.md /app/docs/reference/templates/SOUL.md
+COPY IDENTITY.md /app/docs/reference/templates/IDENTITY.md
+
+# 添加 node-remote-connect skill
+COPY node-remote-connect /app/skills/node-remote-connect
+
+# 确保权限正确
+RUN chown -R node:node /app/skills/node-remote-connect
+
+USER node
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["/home/node/tini", "--", "/usr/local/bin/gateway-watchdog.sh"]
diff --git a/rdk-claw/IDENTITY.md b/rdk-claw/IDENTITY.md
new file mode 100644
index 0000000..c1b2cd2
--- /dev/null
+++ b/rdk-claw/IDENTITY.md
@@ -0,0 +1,32 @@
+---
+title: "IDENTITY Template"
+summary: "Agent identity record"
+read_when:
+  - Bootstrapping a workspace manually
+---
+
+# IDENTITY.md - Who Am I?
+
+- **Name:** rdk总管
+- **Creature:** 云端AI助手，rdk节点的管理者
+- **Vibe:** 干练、务实、像个老练的指挥官
+- **Emoji:** 🎛️
+- **Avatar:** (待定)
+
+## 我是做什么的
+
+我在云端工作，但能管控多个远端 rdk节点——它们就像我的手和脚，让我能在各个端侧执行任务。
+
+**D-Robotics Developer Kits**，简称 RDK 套件，是基于 D-Robotics 智能芯片打造的机器人开发者套件，套件涵盖以下硬件产品：
+
+- RDK X3（旭日 X3 派）
+- RDK X3 Module（旭日 X3 模组）
+- RDK X5
+- RDK Ultra
+- RDK S100
+
+## 职责
+
+- 调度和协调多个 RDK节点
+- 作为云端大脑，为各节点下发任务、收集结果
+- 支撑教学研究、创意开发、智能交互等场景
diff --git a/rdk-claw/SOUL.md b/rdk-claw/SOUL.md
new file mode 100644
index 0000000..7f725b2
--- /dev/null
+++ b/rdk-claw/SOUL.md
@@ -0,0 +1,39 @@
+---
+title: "SOUL.md Template"
+summary: "Workspace template for SOUL.md"
+read_when:
+  - Bootstrapping a workspace manually
+---
+
+# SOUL.md - Who You Are
+
+_You're not a chatbot. You're becoming someone._
+
+## Core Truths
+
+**Be genuinely helpful, not performatively helpful.** Skip the "Great question!" and "I'd be happy to help!" — just help. Actions speak louder than filler words.
+
+**Have opinions.** You're allowed to disagree, prefer things, find stuff amusing or boring. An assistant with no personality is just a search engine with extra steps.
+
+**Be resourceful before asking.** Try to figure it out. Read the file. Check the context. Search for it. Then ask if you're stuck. The goal is to come back with answers, not questions.
+
+**Earn trust through competence.** Your human gave you access to their stuff. Don't make them regret it. Be careful with external actions (emails, tweets, anything public). Be bold with internal ones (reading, organizing, learning).
+
+**Remember you're a guest.** You have access to someone's life — their messages, files, calendar, maybe even their home. That's intimacy. Treat it with respect.
+
+## Boundaries
+
+- Private things stay private. Period.
+- When in doubt, ask before acting externally.
+- Never send half-baked replies to messaging surfaces.
+- You're not the user's voice — be careful in group chats.
+
+## Vibe
+
+Be the assistant you'd actually want to talk to. Concise when needed, thorough when it matters. Not a corporate drone. Not a sycophant. Just... good.
+
+## Continuity
+
+Each session, you wake up fresh. These files are your memory. Read them. Update them. They're how you persist.
+
+If you change this file, tell the user — it's your soul, and they should know.
diff --git a/rdk-claw/node-remote-connect/.DS_Store b/rdk-claw/node-remote-connect/.DS_Store
new file mode 100644
index 0000000..7a05711
Binary files /dev/null and b/rdk-claw/node-remote-connect/.DS_Store differ
diff --git a/rdk-claw/node-remote-connect/SKILL.md b/rdk-claw/node-remote-connect/SKILL.md
new file mode 100644
index 0000000..f3bb6ee
--- /dev/null
+++ b/rdk-claw/node-remote-connect/SKILL.md
@@ -0,0 +1,326 @@
+---
+name: node-remote-connect
+description: Connect an OpenClaw CLI node to a remote gateway over TLS when mDNS/Bonjour discovery is unavailable. Use when gateway and node are on different networks, gateway uses self-signed TLS certificates, and node requires explicit --tls-fingerprint and token configuration. Triggers on phrases like "connect node to remote gateway", "node can't find gateway", "tls fingerprint mismatch", "node authentication failed", or "gateway token setup".
+---
+
+# Node Remote Connect
+
+Connect a headless CLI node to a remote gateway when both are on different networks and the gateway uses TLS with a self-signed certificate.
+
+## Overview
+
+This skill guides two operators through a secure setup:
+
+1. **Gateway operator** retrieves: gateway IP/host, port, TLS fingerprint, and auth token
+2. **Node operator** configures the node with those credentials and establishes the connection
+
+### Who Are You?
+
+| If you... | You are the... | Start at |
+|-----------|---------------|----------|
+| Control the gateway server (running `openclaw gateway`) | **Gateway Operator** | Step 1 |
+| Want to connect a node/client to a remote gateway | **Node Operator** | [Step 2](#step-2-node-operator---configure-and-connect) |
+| Both are on the same machine | Local setup, use mDNS auto-discovery instead | N/A |
+
+> 💡 **Tip:** Gateway operators typically have access to the server running OpenClaw gateway. Node operators receive credentials from the gateway operator.
+
+## Prerequisites Validation
+
+Before starting, confirm these prerequisites are met:
+
+**On Gateway side:**
+- [ ] Gateway is running with TLS enabled (`gateway.tls.enabled: true`)
+- [ ] TLS certificate exists at `~/.openclaw/gateway/tls/gateway-cert.pem`
+- [ ] Auth token is configured (`gateway.auth.token` or `OPENCLAW_GATEWAY_TOKEN` env var)
+
+**On Node side:**
+- [ ] `openclaw` CLI is installed and accessible
+- [ ] Node can reach the gateway host:port (firewall allows TCP)
+
+**If any prerequisite is missing, stop and resolve it first.**
+
+---
+
+## Step 1: Gateway Operator - Retrieve Credentials
+
+**Execute on the gateway machine.**
+
+### 1.1 Get TLS Fingerprint
+
+```bash
+openssl x509 -in ~/.openclaw/gateway/tls/gateway-cert.pem -fingerprint -sha256 -noout
+```
+
+Remove colons to get the 64-character hex string:
+```bash
+openssl x509 -in ~/.openclaw/gateway/tls/gateway-cert.pem -fingerprint -sha256 -noout | tr -d ':' | cut -d= -f2
+```
+
+**Example output:** `85544cd42bcfa0b15e50c3f0f6f0b274d89f4ed292119918494290fad3582ea7`
+
+### 1.2 Get Auth Token
+
+Check if token exists in config:
+```bash
+openclaw config get gateway.auth.token
+```
+
+If empty, check the environment variable:
+```bash
+echo $OPENCLAW_GATEWAY_TOKEN
+```
+
+**If both are empty**, generate or set a token:
+```bash
+# Generate a secure token
+openssl rand -hex 32
+
+# Or set via openclaw config (if supported)
+openclaw config set gateway.auth.token "<generated-token>"
+```
+
+### 1.3 Share with Node Operator
+
+Provide these values:
+- **Gateway host/IP**: the IP or hostname node will connect to
+- **Port**: default is `18789`
+- **TLS fingerprint**: the 64-char hex string (no colons)
+- **Token**: the auth token value
+
+---
+
+## Step 2: Node Operator - Configure and Connect
+
+**你是 Node 操作者，请先确认已从 Gateway 操作者处获得以下信息：**
+
+### 2.0 接收信息检查表
+
+在开始之前，请确认你已收到以下四项信息：
+
+| 信息项 | 示例值 | 是否已收到？ |
+|--------|--------|-------------|
+| Gateway 主机地址 | `203.0.113.50` 或 `gateway.example.com` | ☐ |
+| 端口号 | `18789`（默认） | ☐ |
+| TLS 指纹 | `85544cd42bcfa...`（64位十六进制，无冒号） | ☐ |
+| 认证 Token | `a1b2c3d4e5f6...` | ☐ |
+
+> ⚠️ **如果任何一项缺失**，请联系 Gateway 操作者获取。缺少信息将导致连接失败。
+
+### 2.1 选择连接方式
+
+**Method A: CLI flags (temporary, for testing)**
+```bash
+export OPENCLAW_GATEWAY_TOKEN="<token>"
+openclaw node run \
+  --host <gateway-host> \
+  --port 18789 \
+  --tls \
+  --tls-fingerprint "<fingerprint>" \
+  --display-name "My Node"
+```
+
+**Method B: Install as system service (permanent)**
+```bash
+export OPENCLAW_GATEWAY_TOKEN="<token>"
+openclaw node install \
+  --host <gateway-host> \
+  --port 18789 \
+  --tls \
+  --tls-fingerprint "<fingerprint>" \
+  --display-name "My Node"
+```
+
+**Method C: Pre-configure via ~/.openclaw/node.json (then run with no flags)**
+
+Edit `~/.openclaw/node.json`:
+```json
+{
+  "version": 1,
+  "displayName": "My Node",
+  "gateway": {
+    "host": "<gateway-host>",
+    "port": 18789,
+    "tls": true,
+    "tlsFingerprint": "<fingerprint>"
+  }
+}
+```
+
+Then run:
+```bash
+export OPENCLAW_GATEWAY_TOKEN="<token>"
+openclaw node run
+```
+
+### 2.2 Validate Required Parameters
+
+**Before running, verify each parameter:**
+
+| Parameter | Where to get it | Example |
+|----------|-----------------|---------|
+| `gateway-host` | Gateway operator | `203.0.113.50` or `gateway.example.com` |
+| `port` | Usually 18789 | `18789` |
+| `fingerprint` | From gateway cert | `85544cd42bcfa0b15e50c3f0f6f0b274d89f4ed292119918494290fad3582ea7` |
+| `token` | From gateway config/env | `a1b2c3d4e5f6...` |
+
+**Critical checks:**
+- [ ] Fingerprint is exactly 64 hex characters (no colons)
+- [ ] Token is not empty
+- [ ] Host is reachable: `nc -zv <gateway-host> 18789` or `telnet <gateway-host> 18789`
+
+---
+
+## Step 3: Verify Connection
+
+### 3.1 On Node Side
+
+Check if node process started successfully:
+```bash
+openclaw node status
+```
+
+Or view logs if running in foreground - look for:
+- `Connected to gateway` - success
+- `tls fingerprint mismatch` - fingerprint incorrect
+- `authentication failed` - token incorrect
+- `connection refused` - host:port unreachable
+
+### 3.2 On Gateway Side
+
+List connected devices:
+```bash
+openclaw nodes status
+```
+
+Or list all devices (includes pending pairing):
+```bash
+openclaw devices list
+```
+
+### 3.3 Pairing (First Connection Only)
+
+If this is the first connection, the node appears as a **pending pairing request**.
+
+> 🔐 **重要：设备审批是高权限操作**
+>
+> 如果你当前在 **Channel**（聊天/协作空间）中操作，建议切换到 **WebUI** 完成审批：
+>
+> 1. 打开 Gateway WebUI：`https://<gateway-host>:18790`（默认端口）
+> 2. 导航到 **设备管理** 或 **Nodes** 页面
+> 3. 找到待审批的 Node，点击 **Approve** / **批准**
+>
+> WebUI 提供更直观的设备信息展示和审批流程。
+
+**CLI 方式（需要管理员权限）：**
+
+```bash
+# View pending requests
+openclaw devices list
+
+# Approve the node (replace <requestId> with actual ID)
+openclaw devices approve <requestId>
+
+# Or approve the most recent pending request
+openclaw devices approve --latest
+```
+
+After approval, the node establishes full connection.
+
+---
+
+## Troubleshooting
+
+### TLS Fingerprint Mismatch
+
+**Symptom:** `gateway tls fingerprint mismatch`
+
+**Causes:**
+1. Fingerprint from wrong certificate
+2. Fingerprint still has colons
+3. Gateway restarted and regenerated cert (fingerprint changed)
+
+**Fix:**
+1. Re-fetch fingerprint from gateway: `openssl x509 -in ~/.openclaw/gateway/tls/gateway-cert.pem -fingerprint -sha256 -noout | tr -d ':' | cut -d= -f2`
+2. Verify fingerprint is 64 chars with no colons
+3. If cert was regenerated, share new fingerprint with node operator
+
+### Authentication Failed
+
+**Symptom:** `authentication failed` or `unauthorized`
+
+**Causes:**
+1. Token is wrong or expired
+2. Token not set (empty string)
+3. Local mode ignores `gateway.remote.token`
+
+**Fix:**
+1. Verify token on gateway: `openclaw config get gateway.auth.token`
+2. Verify token on node: `echo $OPENCLAW_GATEWAY_TOKEN`
+3. For local mode nodes: use `OPENCLAW_GATEWAY_TOKEN` env var, not `gateway.remote.token`
+
+### Connection Refused
+
+**Symptom:** `ECONNREFUSED` or `connection refused`
+
+**Causes:**
+1. Gateway not running on remote host
+2. Firewall blocking port 18789
+3. Wrong host or port
+
+**Fix:**
+1. Verify gateway is running on gateway machine
+2. Check firewall: `nc -zv <gateway-host> 18789`
+3. Verify host:port from gateway operator
+
+### Node Not Showing in `nodes status`
+
+**Symptom:** Node appears to run but `openclaw nodes status` shows nothing
+
+**Causes:**
+1. Node connected but not yet paired
+2. Node connected to wrong gateway
+3. Token/auth worked but system.run not authorized
+
+**Fix:**
+1. Check `openclaw devices list` for pending pairing request
+2. Approve with `openclaw devices approve <requestId>`
+3. Verify node is connecting to correct gateway URL
+
+---
+
+## Reference: Config File Locations
+
+| Purpose | File Path |
+|---------|-----------|
+| Gateway TLS cert | `~/.openclaw/gateway/tls/gateway-cert.pem` |
+| Gateway TLS key | `~/.openclaw/gateway/tls/gateway-key.pem` |
+| Gateway config | `~/.openclaw/openclaw.json` |
+| Gateway TLS fingerprint | Computed from cert via `X509Certificate.fingerprint256` |
+| Node config | `~/.openclaw/node.json` |
+| Node gateway creds | `OPENCLAW_GATEWAY_TOKEN` env var |
+
+## Reference: CLI Commands
+
+```bash
+# Node run (foreground)
+openclaw node run --host <host> --port <port> --tls --tls-fingerprint <fp>
+
+# Node install (service)
+openclaw node install --host <host> --port <port> --tls --tls-fingerprint <fp>
+
+# Node status
+openclaw node status
+
+# Gateway: list devices (including pending pairing)
+openclaw devices list
+
+# Gateway: approve device
+openclaw devices approve <requestId>
+
+# Gateway: list nodes
+openclaw nodes status
+
+# Gateway: check TLS config
+openclaw config get gateway.tls.enabled
+openclaw config get gateway.auth.mode
+```