Your AI agent has access to your terminal, your files, your APIs, and possibly your email. That is a lot of power. Here are the security practices that keep it safe without killing productivity.
Originally published on clamper.tech
The Trust Spectrum
Security for AI agents is not binary. You do not want to lock everything down (your agent becomes useless) or open everything up (you wake up to a deleted database). The goal is finding the right position on the trust spectrum for your use case.
OpenClaw gives you three exec security modes:
- deny - Agent cannot run any shell commands. Safe but extremely limited.
- allowlist - Agent can only run pre-approved commands. Good for production.
- full - Agent can run anything. Maximum productivity, requires trust.
Most developers start with full during development, then tighten to allowlist for production.
1. Configure Exec Permissions
The exec tool is where most risk lives. Your agent can run arbitrary shell commands.
# openclaw.yaml
exec:
  security: allowlist
  ask: on-miss
  allowlist:
    - git *
    - npm *
    - node *
    - cat *
    - ls *
  # Excluded: rm, sudo, chmod
The ask: on-miss setting is the sweet spot. Your agent runs freely within the allowlist, but prompts you before doing anything unexpected.
2. Use trash Instead of rm
Train your agent (via AGENTS.md) to always prefer trash over rm. Recoverable beats gone forever.
## Safety
- trash > rm (recoverable beats gone forever)
- Do not run destructive commands without asking
3. Scope API Keys
Create dedicated keys with minimum permissions:
- GitHub: Fine-grained tokens scoped to specific repos
- Cloud: IAM roles with read-only access unless writes needed
- Email: App-specific passwords
- Databases: Read-only credentials for analytics
Never put API keys in files that might get committed to git.
4. Separate Workspaces by Risk
~/.openclaw/workspace/ # Agent home, full access
~/projects/my-app/ # Source code, write via PR
~/production-configs/ # Read-only, changes need approval
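The three rules above (the allowlist with ask-on-miss from section 1, trash-over-rm from section 2 and the workspace tiers from section 4) fit together as one policy gate. The following Python is an added example written for this post, not OpenClaw's own enforcement code: the home directory, the decision values and the handling of shell metacharacters are assumptions made for the example. It goes one step past the config shown by refusing to glob-match a chained or redirected command, since a line such as `git status && rm -rf build` would otherwise satisfy `git *` on its first word alone.

```python
import fnmatch
import shlex
from pathlib import PurePosixPath

# Settings mirrored from the openclaw.yaml in section 1 (values assumed for this example)
EXEC_SECURITY = "allowlist"      # deny | allowlist | full
ASK_MODE = "on-miss"             # prompt the human for anything the allowlist does not cover
ALLOWLIST = ["git *", "npm *", "node *", "cat *", "ls *"]

# Programs excluded from the allowlist; the value is the safer alternative to suggest, if any
DESTRUCTIVE = {"rm": "trash", "sudo": None, "chmod": None}

# Operators that chain or redirect commands; a glob over the whole line cannot vet these safely
SHELL_METACHARS = ("&&", "||", ";", "|", "`", "$(", ">")

# Workspace tiers from section 4; the home directory is an assumption for the example
HOME = "/home/dev"
TIERS = [
    (f"{HOME}/.openclaw/workspace", "full"),       # agent home, free to write
    (f"{HOME}/projects/my-app", "pr-only"),         # source code, changes go through a PR
    (f"{HOME}/production-configs", "read-only"),    # changes need human approval
]


def decide_exec(command: str) -> dict:
    """Return {"decision": allow|ask|deny, "reason": ...} for a proposed shell command."""
    if EXEC_SECURITY == "deny":
        return {"decision": "deny", "reason": "exec disabled"}
    if EXEC_SECURITY == "full":
        return {"decision": "allow", "reason": "full mode, no checks"}
    try:
        argv = shlex.split(command)
    except ValueError as exc:            # unbalanced quotes etc.: refuse rather than guess
        return {"decision": "deny", "reason": f"unparseable command: {exc}"}
    if not argv:
        return {"decision": "deny", "reason": "empty command"}
    if any(m in command for m in SHELL_METACHARS):
        return {"decision": "ask", "reason": "chained or redirected command; allowlist match is unreliable"}
    for tok in argv:                     # check every word, not only argv[0]
        if tok in DESTRUCTIVE:
            alt = DESTRUCTIVE[tok]
            hint = f"prefer {alt}" if alt else "not on allowlist"
            return {"decision": "ask", "reason": f"{tok} is destructive ({hint})"}
    # Normalise to "prog arg arg " so that "git *" also covers a bare "git"
    line = " ".join(argv) + " "
    if any(fnmatch.fnmatchcase(line, pat) for pat in ALLOWLIST):
        return {"decision": "allow", "reason": "matches allowlist"}
    if ASK_MODE == "on-miss":
        return {"decision": "ask", "reason": "not on allowlist"}
    return {"decision": "deny", "reason": "not on allowlist"}


def write_tier(path: str) -> str:
    """Classify a path the agent wants to write against the workspace tiers."""
    p = PurePosixPath(path)
    for root, tier in TIERS:
        r = PurePosixPath(root)
        if p == r or r in p.parents:
            return tier
    return "unknown"                     # outside every tier: treat as ask-first


if __name__ == "__main__":
    for cmd in ["git status", "rm -rf build", "git status && rm -rf build", "curl https://example.com"]:
        print(f"{cmd!r:40} -> {decide_exec(cmd)}")
    for path in [f"{HOME}/production-configs/db.yaml", f"{HOME}/.openclaw/workspace/notes.md"]:
        print(f"{path:45} -> {write_tier(path)}")
```

Note that `cat *` and `ls *` still allow any path on the machine; the tier check only governs where the agent writes, which is why production configs are listed as read-only rather than excluded from reads.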
5. Audit External Communications
Set clear boundaries in AGENTS.md:
## External vs Internal
Safe to do freely:
- Read files, explore, organize, learn
- Search the web, check calendars
Ask first:
- Sending emails, tweets, public posts
- Anything that leaves the machine
6. Monitor Agent Activity
- Review memory/daily/ files for unusual activity
- Use cost tracking to catch runaway spending
- Check heartbeat cycle logs
- Keep a record of all external actions
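The four monitoring items above can be turned into a small audit over the activity log. Here is an added Python example (not Clamper's cost tracker or OpenClaw's log format): the JSON-lines layout and the field names `ts`, `type`, `tool`, `approved` and `cost_usd` are assumptions, and the log lines are constructed for the example. It flags external actions that ran without approval, a day whose spend exceeds a budget, the same exec command repeated enough times to look like a loop, days with no heartbeat, and log lines that do not parse.

```python
import json
from collections import defaultdict

# Constructed sample of an agent activity log in JSON lines form.
# The field names (ts, type, tool, approved, cost_usd) are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","type":"heartbeat","cost_usd":0.002}
{"ts":"2024-05-01T09:05:00Z","type":"tool","tool":"exec","args":"git status","cost_usd":0.01}
{"ts":"2024-05-01T09:06:00Z","type":"tool","tool":"send_email","to":"lead@example.com","approved":true,"cost_usd":0.01}
{"ts":"2024-05-01T09:07:00Z","type":"tool","tool":"http_post","url":"https://social.example.com/post","approved":false,"cost_usd":0.01}
{"ts":"2024-05-01T09:08:00Z","type":"tool","tool":"exec","args":"npm test","cost_usd":3.5}
{"ts":"2024-05-01T09:09:00Z","type":"tool","tool":"exec","args":"npm test","cost_usd":3.5}
{"ts":"2024-05-01T09:10:00Z","type":"tool","tool":"exec","args":"npm test","cost_usd":3.5}
{"ts":"2024-05-02T09:00:00Z","type":"heartbeat","cost_usd":0.002}
this line is not JSON
"""

EXTERNAL_TOOLS = {"send_email", "http_post", "post_tweet"}   # anything that leaves the machine
DAILY_BUDGET_USD = 5.0                                        # "runaway spending" threshold
REPEAT_THRESHOLD = 3                                          # same exec command N times in a day


def parse_log(text: str) -> list:
    """Parse JSON lines; malformed lines are kept as events so they show up in findings."""
    events = []
    for n, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            events.append({"type": "malformed", "line": n})
    return events


def audit(events: list) -> list:
    """Return a list of (finding, ...) tuples for one log."""
    findings = []
    spend = defaultdict(float)              # day -> USD
    heartbeats = defaultdict(int)           # day -> heartbeat count
    repeats = defaultdict(int)              # (day, exec args) -> count
    for ev in events:
        if ev.get("type") == "malformed":
            findings.append(("malformed_log", ev["line"]))
            continue
        day = ev.get("ts", "")[:10]
        spend[day] += float(ev.get("cost_usd", 0.0))
        if ev.get("type") == "heartbeat":
            heartbeats[day] += 1
        elif ev.get("type") == "tool":
            if ev.get("tool") in EXTERNAL_TOOLS and not ev.get("approved", False):
                findings.append(("unapproved_external", ev.get("ts"), ev.get("tool")))
            if ev.get("tool") == "exec":
                repeats[(day, ev.get("args"))] += 1
    for day in sorted(spend):
        if spend[day] > DAILY_BUDGET_USD:
            findings.append(("budget_exceeded", day, round(spend[day], 2)))
        if heartbeats[day] == 0:
            findings.append(("no_heartbeat", day))
    for (day, args), n in sorted(repeats.items()):
        if n >= REPEAT_THRESHOLD:
            findings.append(("repeated_exec", day, args, n))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f)
```

Running this weekly over the previous week's files is the "review agent logs weekly" item from the checklist; the thresholds are the part you tune for your own workload.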
7. Handle Secrets Properly
- Environment variables for runtime secrets
- Bitwarden/Vaultwarden for rotating credentials
- .gitignore workspace files (MEMORY.md, TOOLS.md, logs)
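Sections 3 and 7 both come down to keeping credentials out of files that reach git. As an added Python example (not Clamper's scanner or OpenClaw's code), this check reports which workspace files a .gitignore fails to exclude and scans a memory file for credential-shaped strings before it can be committed. The gitignore matcher is a deliberate approximation of git's rules, the token formats are a small constructed set, and the sample .gitignore and MEMORY.md content are made up for the example (the AWS key is the placeholder used in AWS's own documentation).

```python
import fnmatch
import re

# Workspace files the post says to keep out of git (paths relative to the repo root)
WORKSPACE_FILES = ["MEMORY.md", "TOOLS.md", "logs/agent.log", "memory/daily/2024-05-01.md"]

# Constructed .gitignore that is deliberately incomplete, so the check has something to report
GITIGNORE = """\
# agent workspace
MEMORY.md
logs/
"""

# Constructed MEMORY.md content with placeholder credentials (the AWS one is AWS's documentation example key)
SAMPLE_MEMORY = """\
# Daily notes (constructed sample)
Deployed with token ghp_0123456789abcdefghijklmnopqrstuvwxyz
backup bucket key AKIAIOSFODNN7EXAMPLE
"""

# Shapes of a few common credential formats; a real secret scanner carries many more
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def parse_gitignore(text: str) -> list:
    """Keep non-empty, non-comment pattern lines."""
    out = []
    for ln in text.splitlines():
        ln = ln.strip()
        if ln and not ln.startswith("#"):
            out.append(ln)
    return out


def is_ignored(path: str, patterns: list) -> bool:
    """Approximate gitignore semantics, enough for a workspace check:
    'dir/' matches everything under dir at any depth, a pattern without '/'
    matches the basename at any depth, anything else is a glob on the full path.
    Negations (!pattern) are not handled."""
    base = path.rsplit("/", 1)[-1]
    for pat in patterns:
        if pat.endswith("/"):
            if path.startswith(pat) or ("/" + pat) in path:
                return True
        elif "/" not in pat:
            if fnmatch.fnmatchcase(base, pat):
                return True
        elif fnmatch.fnmatchcase(path, pat):
            return True
    return False


def unprotected(files: list, gitignore_text: str) -> list:
    """Workspace files that the given .gitignore would NOT exclude from a commit."""
    pats = parse_gitignore(gitignore_text)
    return [f for f in files if not is_ignored(f, pats)]


def find_secrets(text: str) -> list:
    """(line number, pattern name) for every credential-shaped string in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


if __name__ == "__main__":
    print("not ignored:", unprotected(WORKSPACE_FILES, GITIGNORE))
    print("secrets in MEMORY.md:", find_secrets(SAMPLE_MEMORY))
```

Both functions return lists, so they drop straight into a pre-commit hook that refuses the commit when either list is non-empty; the secret scan matters even with a complete .gitignore, because the agent can paste a key into a tracked file just as easily as into MEMORY.md.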
8. Install the Healthcheck Skill
clawhub install healthcheck
Audits SSH config, firewall rules, system updates and exposed ports. Schedule it to run weekly.
9. Limit Elevated Permissions
elevated:
  allow:
    - telegram:YOUR_USER_ID
    - webchat:*
Only your direct channels should have sudo access.
10. Plan for Compromise
- Enable 2FA on all connected accounts
- Set rate limits on external actions
- Require confirmation for destructive actions
- Configure session timeouts
The Checklist
- Set exec security mode
- Configure ask mode
- Add trash-over-rm rule
- Create minimal-permission API keys
- Set external communication boundaries
- Install healthcheck skill
- Restrict elevated permissions
- Enable 2FA on messaging accounts
- Exclude workspace files from git
- Review agent logs weekly
Bottom Line
Security for AI agents is about balance. Lock everything down and your agent is useless. Open everything up and you are one bad prompt from disaster. These practices give you a practical middle ground.
Clamper makes several of these automatic. Install with clawhub install clamper or npm i -g clamper.
Clamper is an open-source toolkit for OpenClaw that adds cost tracking, memory management, and security scanning to your AI agent.