Security Measures I Take to Use OpenClaw Safely
locking down an AI agent that has access to your life
my AI agent controls my lights, buys things with my money, and runs 24/7 on a Mac mini in my apartment. so yeah, security matters.
this isn't a theoretical framework. it's the actual stack running right now. every layer is real, every tool is in use. here's how we lock it down.
access control: start with nothing, earn everything
the agent had email and GitHub from day one; those are low risk when they're the agent's own accounts, not mine. purchasing came later, and even then it's just an Apple Cash virtual card with $20 on it. my real bank account is completely isolated.
the progression was natural. lights and smart home first, then integrations that touch external services, then money. but the key isn't the order, it's the isolation. every capability is scoped so the worst-case scenario is small.
and every external action, sending an email, posting a tweet, making a purchase, requires either my explicit approval or clear standing instructions i've set in advance. the agent doesn't freelance with my identity.
separate accounts, not shared access
this is the most important structural decision we made. Ultron cannot read my email. Ultron cannot push to my GitHub. he has his own email (his own Gmail), his own GitHub account, his own credentials. he operates as a separate identity, not as me with my passwords.
where he needs access to my stuff, it's through controlled API keys and scoped permissions. he has his own calendar, not access to mine. he can send emails from his own address, not from mine. the principle: give the agent its own accounts and give it controlled access into yours via API keys. never hand over your login.
if you're setting up an agent, this is the first thing to get right. everything else is defense in depth. this is the foundation.
the network: beryl router (GL-MT3000)
i live in an apartment with shared WiFi. dozens of devices on the same network, none of them mine. running an AI agent on that felt like leaving my front door open.
so i got a GL-MT3000 travel router and set it up in repeater mode. it connects to the building WiFi as a client, then creates its own private network on top. every device i own, the Mac mini, my phone, the rover, sits behind its own firewall instead of sitting raw on the building WiFi.
AdGuard Home runs on the router for network-wide ad and tracker blocking. DNS queries go through Quad9, which blocks known malware domains at the DNS level before anything even reaches the machine. DNS over TLS encrypts those queries so the building network can't snoop on what i'm resolving.
total cost: about $70. best infrastructure purchase i've made.
macOS hardening
the Mac mini is the brain. if someone gets into it, they get everything. so the defaults stay on and the extras get turned up:
FileVault, full disk encryption. if someone physically steals the machine, the drive is unreadable without the password. this is just ON, no reason it shouldn't be.
macOS Firewall + Stealth Mode, the firewall is obvious. stealth mode means the machine doesn't respond to pings or unsolicited port probes. it's invisible on the network. someone scanning the building WiFi won't even know it exists.
System Integrity Protection (SIP), prevents even root from modifying protected system files. some people disable this for development. don't.
Gatekeeper, only runs signed, verified software. another one that's easy to leave on and dumb to turn off.
none of this is exotic. it's all built into macOS. you just have to not disable it.
telegram security
here's the thing people don't think about: Telegram is my primary interface to the agent. when i text Ultron, i'm talking to a system that can control my lights, run shell commands, browse the web, and coordinate purchases. Telegram is the front door.
Face ID lock on the app. biometric required every time i open it. if someone picks up my phone, they can't get to the agent. simple, but it's the single most important lock in the whole stack because it guards the interface to everything else.
credential management
no passwords in plaintext files. ever. every credential the agent uses, Garmin, Beatport, Bandcamp, router admin passwords, lives in macOS Keychain. the agent accesses them programmatically; they never sit in a config file or environment variable.
for purchases, the agent uses Apple Card virtual numbers. every transaction gets a unique card number with a rotating CVV. it's basically 2FA for every purchase: even if a number leaks, it's useless for the next transaction. the agent buys DJ tracks on Beatport and Bandcamp this way. no stored card numbers, no reusable credentials.
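what "accesses them programmatically" can look like: the macOS `security` CLI can hand a single keychain item's password to a process on demand, so the secret exists in memory for the duration of one call and nowhere on disk in the clear. the following is an added example, not OpenClaw's own code. the service and account names are made up, and the `run` parameter is an assumption added so the lookup can be exercised with a fake on a machine without a keychain; on macOS the default `subprocess.run` is used. the `Secret` wrapper is there so a careless `print` or traceback doesn't leak the value.

```python
"""Fetch a credential from macOS Keychain via `security find-generic-password -w`
instead of reading it from a config file or environment variable.
Added example; service/account names are illustrative."""
import subprocess


class Secret:
    """Holds a credential so it never shows up in logs or reprs by accident."""
    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        # the only way to get the plaintext out: an explicit, greppable call
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    def __str__(self) -> str:
        return "<redacted>"


def keychain_secret(service: str, account: str, run=subprocess.run) -> Secret:
    """Look up one generic-password item. `-w` prints only the password to stdout.
    `run` is injectable so the function can be tested without a real keychain."""
    cmd = ["security", "find-generic-password", "-s", service, "-a", account, "-w"]
    result = run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        # report what was asked for, never what was found
        raise LookupError(f"no keychain item for service={service!r} account={account!r}")
    return Secret(result.stdout.rstrip("\n"))


if __name__ == "__main__":
    # on macOS this prompts/uses the login keychain; item names are hypothetical
    token = keychain_secret("garmin", "ultron")
    print(token)            # <redacted>
    print(len(token.reveal()))
```

a practical note: when the agent process runs unattended, store the item with the agent's own user account and grant the specific binary access in Keychain Access, so the lookup doesn't need an interactive unlock prompt at 3am.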
agent security rules
the agent itself has rules baked in:
financial data stays private. the agent will not share financial information with anyone except me. not in group chats, not in shared contexts, not if someone asks nicely.
credentials never leave the machine. they're accessed locally and used locally. nothing gets sent anywhere.
identity verification. if someone other than me tries to get sensitive info out of the agent, it refuses. we tested this. it passed. it won't even acknowledge what it has access to.
no external plugins. everything is built in-house. no third-party skills, no ClawHub marketplace installs. if we didn't write it, it doesn't run. the ClawHub CLI got uninstalled entirely.
private memory tags. credentials, payment info, and financial data are marked PRIVATE in the agent's memory system. even in contexts where memory gets loaded, these fields are flagged and handled differently.
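the three data rules above (financial data only to me, identity verification, PRIVATE memory tags) all come down to one check at the point where memory is read: who is asking, in what context, and is the field tagged private. the following is an added example of that check, not OpenClaw's memory system; the tag names, the "dm" versus "group" context and the auto-classification markers are assumptions. note that a refused lookup and a nonexistent field produce the same error, so the agent doesn't confirm what it has access to, which is the behaviour the identity-verification test above describes.

```python
"""Memory store with PRIVATE tags plus a disclosure check keyed on requester
identity and chat context. Added example; tag names and markers are illustrative."""
from dataclasses import dataclass, field
from enum import Enum


class Tag(Enum):
    PUBLIC = "public"
    PRIVATE = "private"   # credentials, payment info, financial data


@dataclass(frozen=True)
class Memory:
    key: str
    value: str
    tag: Tag


@dataclass(frozen=True)
class Request:
    requester: str   # authenticated chat user id, not a display name
    chat: str        # "dm" or "group"
    name: str        # memory field being asked for


class RefusedError(Exception):
    """Raised for any field the requester may not see, existing or not."""


@dataclass
class MemoryStore:
    owner: str
    items: dict = field(default_factory=dict)
    # keys containing these substrings are PRIVATE unless told otherwise,
    # so a forgotten tag fails closed instead of open
    private_markers: tuple = ("password", "token", "card", "balance", "bank")

    def remember(self, key: str, value: str, tag: Tag = None) -> None:
        if tag is None:
            hit = any(m in key.lower() for m in self.private_markers)
            tag = Tag.PRIVATE if hit else Tag.PUBLIC
        self.items[key] = Memory(key, value, tag)

    def _owner_dm(self, r: Request) -> bool:
        # financial/credential data: only the owner, only in a direct message
        return r.requester == self.owner and r.chat == "dm"

    def load_context(self, request: Request) -> dict:
        """What gets loaded into the prompt: private values are replaced by a
        flag unless the owner is asking in a DM."""
        ctx = {}
        for k, m in self.items.items():
            if m.tag is Tag.PRIVATE and not self._owner_dm(request):
                ctx[k] = "[PRIVATE: withheld]"
            else:
                ctx[k] = m.value
        return ctx

    def disclose(self, request: Request) -> str:
        m = self.items.get(request.name)
        if m is None or (m.tag is Tag.PRIVATE and not self._owner_dm(request)):
            raise RefusedError("not available")   # identical for missing and private
        return m.value


if __name__ == "__main__":
    store = MemoryStore(owner="owner-id")
    store.remember("favorite_genre", "techno")
    store.remember("apple_card_balance", "$20")          # auto-tagged PRIVATE
    print(store.load_context(Request("friend-id", "group", "")))
    print(store.disclose(Request("owner-id", "dm", "apple_card_balance")))
```

the important design choice is that `load_context` applies the same rule as `disclose`: if private values were loaded into the prompt and only the reply were filtered, a cleverly worded request in a group chat could still pull them out of the model. keeping them out of the context entirely is what makes "not if someone asks nicely" hold.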
the philosophy
none of this is paranoid. it's just basic hygiene. the same way you lock your front door even though you live in a nice neighborhood.
if you're building something similar, start here: incremental access, separate accounts, private network, encrypted disk, locked interface, no plaintext credentials. it's not complicated. it just has to be intentional.