
#10703: Add Tailscale VPN hardening guide to healthcheck skill

by jmkritt open 2026-02-06 21:34 View on GitHub →
Adds section 4b to the healthcheck skill with step-by-step guidance for securing VPS SSH access via Tailscale.

**What's included:**

- When to recommend Tailscale (VPS, remote access, "VPS Hardened" profile)
- Installation and authentication steps
- UFW rules to restrict SSH to tailnet only
- Critical verification checklist before closing session
- Rollback plan if locked out
- Alternative options (WireGuard, fail2ban, Cloudflare Tunnel)

**Why:** Many OpenClaw users run on remote VPS instances with SSH exposed to the internet. This gives the agent clear, safe instructions to help users hide SSH behind a private tailnet — reducing attack surface without complex VPN setup.

Tested on Ubuntu 24.04 VPS (Hostinger).

## Greptile Overview

### Greptile Summary

- Updates the `healthcheck` skill documentation to add a new optional "4b) Tailscale hardening" section for VPS/remote-access scenarios.
- Provides step-by-step guidance for installing Tailscale, obtaining a tailnet IP, and restricting SSH access to the Tailscale CGNAT range via UFW.
- Adds a verification checklist, rollback guidance, and alternative remote-access approaches (WireGuard, fail2ban, Cloudflare Tunnel).

### Confidence Score: 3/5

- This PR is mostly safe to merge, but the new hardening instructions include steps that can cause immediate outages or add avoidable supply-chain risk if followed verbatim.
- Only documentation changes, but the doc is operational guidance for security hardening; enabling UFW without preserving required ports can break running services, and `curl | sh` is an unsafe installation pattern for a hardening guide.
- skills/healthcheck/SKILL.md
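The UFW step this PR documents (restrict port 22 to the Tailscale CGNAT range, verify from a fresh session, keep a rollback), as an added example that is not part of PR #10703 or the healthcheck skill. It is a POSIX shell planner: it checks that the address Tailscale reports is really inside 100.64.0.0/10 (if the daemon is down or logged out the allow rule would never match and SSH would vanish), emits the UFW rules with every service port you list preserved, which is the outage the review warns about, arms a rollback timer, and executes nothing unless `APPLY=1`. The interface name `tailscale0`, the 10-minute window and the pid-file path are assumptions; Tailscale installation and login are left out.

```shell
#!/bin/sh
# Added example for this PR's "SSH behind Tailscale" step; it is not code from
# PR #10703 or from the healthcheck skill.  It plans the UFW change as text so
# it can be reviewed before anything is applied, and it bakes in the two
# safeguards the review asks for: service ports are kept open explicitly, and a
# rollback timer is armed so a bad rule cannot lock you out.  Installing and
# authenticating Tailscale is out of scope here.  Assumptions: the Tailscale
# interface is named tailscale0, the rollback window is 10 minutes, and the
# pid file path /run/ufw-rollback.pid is an illustrative choice.

ROLLBACK_SECS=${ROLLBACK_SECS:-600}
ROLLBACK_PID=${ROLLBACK_PID:-/run/ufw-rollback.pid}

# tailnet_addr_ok ADDR: succeed only if ADDR is an IPv4 address inside the
# Tailscale CGNAT range 100.64.0.0/10 (first octet 100, second octet 64..127).
# Guarding on this matters: if "tailscale ip -4" returned nothing (daemon down,
# not logged in) the allow rule below would never match and SSH would be gone.
tailnet_addr_ok() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*) return 1 ;;          # empty or non-numeric
        *.*.*.*.*)    return 1 ;;          # more than four octets
        *.*.*.*)      ;;                   # exactly four octets
        *)            return 1 ;;
    esac
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# ufw_hardening_plan TS_ADDR [PORT/PROTO ...]: print, one per line, the
# commands that restrict SSH to the tailnet.  Every extra argument is a rule to
# keep (e.g. 443/tcp): UFW defaults to deny-incoming, so enabling it with only
# the SSH rule would silently drop every other service on the host.
ufw_hardening_plan() {
    ts_addr=$1; shift
    if ! tailnet_addr_ok "$ts_addr"; then
        echo "refusing: '$ts_addr' is not a 100.64.0.0/10 tailnet address" >&2
        return 1
    fi
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow in on tailscale0"
    echo "ufw allow from 100.64.0.0/10 to any port 22 proto tcp"
    for rule in "$@"; do
        echo "ufw allow $rule"
    done
    # Remove any pre-existing public SSH rule; adjust the spelling to match
    # what 'ufw status' shows (e.g. 'OpenSSH' if the app profile was used).
    echo "ufw delete allow 22/tcp"
    # Dead man's switch: if nobody disarms it within ROLLBACK_SECS, UFW is
    # disabled again, restoring public SSH rather than leaving the host dark.
    echo "nohup sh -c 'sleep $ROLLBACK_SECS && ufw disable' >/dev/null 2>&1 & echo \$! > $ROLLBACK_PID"
    echo "ufw --force enable"
}

# disarm_rollback: run only after a fresh 'ssh user@TS_ADDR' from another
# tailnet device has succeeded; it cancels the pending 'ufw disable'.
disarm_rollback() {
    [ -r "$ROLLBACK_PID" ] || { echo "no rollback timer armed" >&2; return 1; }
    kill "$(cat "$ROLLBACK_PID")" 2>/dev/null && rm -f "$ROLLBACK_PID"
}

# Driver: 'plan [PORT/PROTO ...]' prints the plan using the address Tailscale
# reports; APPLY=1 executes it line by line (as root).  'disarm' cancels the
# rollback timer.  With no arguments nothing runs, so the file can be sourced.
case "${1:-}" in
    plan)
        shift
        addr=${TS_ADDR:-$(tailscale ip -4 2>/dev/null | head -n 1)}
        if [ "${APPLY:-0}" = 1 ]; then
            ufw_hardening_plan "$addr" "$@" | while IFS= read -r cmd; do sh -c "$cmd"; done
        else
            ufw_hardening_plan "$addr" "$@"
        fi
        ;;
    disarm) disarm_rollback ;;
esac
```

Typical flow on the VPS: `sh tailnet-ufw.sh plan 443/tcp 80/tcp` to read the plan, then `APPLY=1 sh tailnet-ufw.sh plan 443/tcp 80/tcp`, then from another device `ssh user@<tailnet ip>` and, only once that session works, `sh tailnet-ufw.sh disarm`. If the new session never connects, the timer runs `ufw disable` by itself and the original public SSH path comes back.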
