So, you’ve decided to install Clawdbot, the "lobster way" of life. You’ve got a personal AI assistant that can browse the web for you, control your Mac, chat on Signal, and probably knows your Spotify playlist better than you do. It’s local-first, fast, and incredibly powerful.
I looked under the hood. The architecture is brilliant, but let’s be real: you’re basically giving a highly persuasive, occasionally hallucinating LLM a set of keys to your digital kingdom.
If you don't want your assistant to accidentally leak your .env files to a random Telegram bot or execute a rm -rf / because a prompt-injection attack told it to "clean the room", follow these five essential recommendations.
1. Respect the pairing policy (Don’t Open the Door to Strangers)
Clawdbot has a dmPolicy="pairing" default for a reason. When a random account DMs your bot on Telegram or WhatsApp, it asks for a code. Do not change this to "open" unless you want to invite the entire internet into your shell.
Treat every inbound DM as untrusted input. If you’re using the "open" policy for a public-facing bot, ensure your agent’s workspace is strictly isolated. A lobster in a glass box is a safe lobster.
2. Guard the Gateway (Tailscale is your BFF)
The Gateway is your control plane. Clawdbot makes it tempting to use Tailscale Funnel to access your dashboard from anywhere. While Funnel is cool, it’s public.
Stick to tailscale serve (internal to your tailnet) whenever possible. If you must use Funnel, for the love of all things holy, use gateway.auth.mode: "password". An unauthenticated AI gateway is just an RCEaaS ("Remote Code Execution as a Service") endpoint.
3. Sandboxing: because "LLM-safe" is an oxymoron
Clawdbot supports a Docker-based sandbox (Dockerfile.sandbox). Use it. If you let your agent run scripts or "research" the web on your bare-metal host, you’re one clever prompt away from a disaster.
Configure your agent to run tools inside the container. If the agent decides to download and run a "cool optimization script" it found on a shady forum, it only kills a disposable container, not your precious Mac.
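To turn the three settings from sections 1 to 3 into something you can check before every restart, here is a small audit script. It is an added example, not code from the post or from the Clawdbot project: only the key names dmPolicy and gateway.auth.mode come from the post, while the nested JSON layout and the gateway.expose and sandbox.enabled keys are assumptions made for the example.

```python
import json

# Constructed sample configs. The nested layout is an assumption for this
# example; only dmPolicy and gateway.auth.mode are named in the post.
RISKY_CONFIG = {
    "channels": {"telegram": {"dmPolicy": "open"},
                 "whatsapp": {"dmPolicy": "pairing"}},
    "gateway": {"expose": "funnel", "auth": {"mode": "none"}},
    "sandbox": {"enabled": False},
}
HARDENED_CONFIG = {
    "channels": {"telegram": {"dmPolicy": "pairing"},
                 "whatsapp": {"dmPolicy": "pairing"}},
    "gateway": {"expose": "serve", "auth": {"mode": "password"}},
    "sandbox": {"enabled": True},
}


def audit(config):
    """Return a list of (severity, key, message) for risky settings."""
    findings = []
    # 1. Every channel that accepts DMs from anyone is a public input surface.
    for name, chan in config.get("channels", {}).items():
        if chan.get("dmPolicy") == "open":
            findings.append(("high", f"channels.{name}.dmPolicy",
                             "open: anyone can DM the agent; prefer pairing"))
    # 2. A Funnel-exposed gateway is reachable from the internet, so it must
    #    require a password; a tailnet-only 'serve' exposure is acceptable.
    gw = config.get("gateway", {})
    mode = gw.get("auth", {}).get("mode")
    if gw.get("expose") == "funnel" and mode != "password":
        findings.append(("critical", "gateway.auth.mode",
                         f"{mode!r} on a public Funnel; set password"))
    # 3. Without the Docker sandbox, tool execution lands on the host.
    if not config.get("sandbox", {}).get("enabled", False):
        findings.append(("high", "sandbox.enabled",
                         "false: agent tools run on the bare-metal host"))
    return findings


def audit_file(path):
    """Load a JSON config file from disk and audit it."""
    with open(path) as fh:
        return audit(json.load(fh))


if __name__ == "__main__":
    for sev, key, msg in audit(RISKY_CONFIG):
        print(f"[{sev}] {key}: {msg}")
```

Run it against the risky sample to see three findings, or point audit_file at your own config and wire it into a pre-start check.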
4. Audit your "Skills" (and their permissions)
The skills platform is what makes Clawdbot a powerhouse: Gmail access, browser control, system notifications. But every skill is a new attack vector.
Periodically run clawdbot doctor. It’s not just for troubleshooting; it’s your security auditor. If a skill doesn't need "System Run" permissions to tell you the weather, don't give it any. Privilege escalation is much harder when there are no privileges to escalate.
5. Rotate your Secrets (.env is not a Vault)
Clawdbot handles OAuth for Anthropic, OpenAI, and more. It even has a detect-secrets scan in the repo. Follow that lead.
Don't hardcode API keys in plain text files that you might accidentally sync to a public gist. Use the managed clawdbot onboard flow to handle credentials. If you suspect your bot has been "convinced" to output its environment variables, rotate those keys immediately.
Final thought: Clawdbot is an incredible piece of engineering. It brings the power of an agentic future to your local machine today. Just remember: with great power comes the absolute certainty that someone, somewhere, will try to prompt-inject your lobster.
Stay secure, stay hungry, and keep snapping those claws. 🦞