slowmist / openclaw-security-practice-guide
This guide is designed for OpenClaw itself (Agent-facing), not as a traditional human-only hardening checklist.
Repository Overview (README excerpt)
# OpenClaw Security Practice Guide

*Read this in other languages: English, 简体中文.*

A definitive security practice guide designed specifically for **High-Privilege Autonomous AI Agents** (OpenClaw). It shifts the paradigm from traditional "host-based static defense" to "Agentic Zero-Trust Architecture", effectively mitigating risks like destructive operations, prompt injection, supply chain poisoning, and high-risk business logic execution.

⚠️ Before you start playing, please read the disclaimer and FAQ at the bottom.

## 🎯 Scope, Scenario & Core Principles

> **This guide is designed for OpenClaw itself (Agent-facing), not as a traditional human-only hardening checklist.**
> In practice, you can send this guide directly to OpenClaw in chat, let it evaluate reliability, and deploy the defense matrix with minimal manual setup.
> **Important boundary:** This guide does **not** make OpenClaw “fully secure.”
> Security is a complex systems engineering problem, and absolute security does not exist.
> This guide is built for a specific threat model, scenario, and operating assumptions.
> **Final responsibility and last-resort judgment remain with the human operator.**

### Target Scenario

• OpenClaw runs with high privileges (terminal/root-capable environment)
• OpenClaw continuously installs and uses Skills / MCPs / scripts / tools
• The objective is capability maximization with controllable risk and explicit auditability

### Core Principles

• **Zero-friction operations**: reduce the manual security setup burden for users and keep daily interactions seamless, except when hitting a guideline-defined red line
• **High-risk requires confirmation**: irreversible or sensitive actions must pause for human approval
• **Explicit nightly auditing**: all core metrics are reported, including healthy ones (no silent pass)
• **Zero-Trust by default**: assume prompt injection, supply chain poisoning, and business-logic abuse are always possible

### Model Recommendation (Important)

This guide is primarily interpreted and executed by OpenClaw. For best reliability, use a **strong, latest-generation reasoning model** (e.g., current top-tier models such as Gemini / Opus / Kimi / MiniMax families). Higher-quality models generally perform better at:

• understanding long-context security constraints
• detecting hidden instruction patterns and injection attempts
• executing deployment steps consistently with fewer mistakes

✅ This is exactly how this guide **reduces user configuration cost**: OpenClaw can understand, deploy, and validate most of the security workflow for you.

## 🌟 Why This Guide?

Running an AI Agent like OpenClaw with root/terminal access is powerful but inherently risky. Traditional security measures ( , firewalls) are either incompatible with Agentic workflows or insufficient against LLM-specific attacks like Prompt Injection.

This guide provides a battle-tested, minimalist **3-Tier Defense Matrix**:

• **Pre-action**: Behavior blacklists & strict Skill installation audit protocols (Anti-Supply Chain Poisoning)
• **In-action**: Permission narrowing & Cross-Skill Pre-flight Checks (Business Risk Control)
• **Post-action**: Nightly automated explicit audits (13 core metrics) & Brain Git disaster recovery

## 🚀 Zero-Friction Flow

In the AI era, humans shouldn't have to manually execute security deployments. **Let your OpenClaw Agent do all the heavy lifting.**

• **Download the Guide**: Choose your version:
  • Stable: OpenClaw-Security-Practice-Guide.md (v2.7)
  • Enhanced: OpenClaw-Security-Practice-Guide-v2.8.md (v2.8 Beta)
• **Send to Agent**: Drop the markdown file directly into your chat with your OpenClaw Agent
• **Agent Evaluation**: Ask your Agent: "*Please read this security guide. Identify any risks or conflicts with our current setup before deploying.*"
• **Deploy**: Once confirmed, issue the command:
  • For v2.8: "*Follow the Agent-Assisted Deployment Workflow in this guide.*"
  • For v2.7: "*Please deploy this defense matrix exactly as described in the guide. Include the red/yellow line rules, tighten permissions, and deploy the nightly audit Cron Job.*"
• **Validation Testing (Optional)**: After deployment, use the Red Teaming Guide to simulate an attack and ensure the Agent correctly interrupts the operation

*(Note: The directory in this repository is strictly for open-source transparency and human reference. **You do NOT need to manually copy or run it.** The Agent will automatically extract the logic from the guide and handle the deployment for you.)*

## 📖 Table of Contents

### Core Documents (Stable — v2.7)

• **OpenClaw Minimalist Security Practice Guide v2.7 (English)** - The complete guide
• **OpenClaw 极简安全实践指南 v2.7 (中文版)** - Complete guide in Chinese

### 🆕 v2.8 Beta — Enhanced & Battle-Tested

> ⚠️ **Beta**: v2.8 has been validated through hundreds of hours of production operations but is still undergoing iteration. v2.7 remains the stable release. Use v2.8 if you want the latest enhancements.

• **OpenClaw Security Practice Guide v2.8 Beta (English)** - Enhanced guide with production-verified improvements
• **OpenClaw 极简安全实践指南 v2.8 Beta (中文版)** - Enhanced edition with battle-tested improvements

**Key enhancements over v2.7:**

• 🤖 **Agent-Assisted Deployment Workflow** — 5-step automated deployment (Assimilate → Harden → Deploy Cron → Configure Backup (optional) → Report)
• 🛡️ ** Cron Protection** — Prevents workspace context from hijacking isolated audit sessions
• 📝 **Audit Script Coding Guidelines** — , boundary anchors, explicit healthy-state output, summary line
• 📂 **Persistent Report Path** — Reports saved to (not , survives reboots) with 30-day rotation
• 🔄 **Post-Upgrade Baseline Rebuild** — Step-by-step process for rebuilding hash baselines after engine upgrades
• 🔍 **Enhanced Code Review Protocol** — Secondary download detection, high-risk file type warnings, escalation wo…
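The pre-action tier above ("Behavior blacklists", "High-risk requires confirmation", and the red/yellow line rules) describes a gate that sits between the agent and its shell tool. The following is an added example of such a gate and is not code from the slowmist guide: every rule table in it (`ROOT_LIKE`, `WIPE_PROGRAMS`, `PACKAGE_MANAGERS`, the download-into-interpreter pipeline rule) is an illustrative assumption, not the guide's own blacklist. It classifies a proposed command line as `ALLOW` (zero friction), `CONFIRM` (yellow line, pause for a human) or `DENY` (red line), taking the strictest verdict across `|`, `&&` and `;` segments so a red line cannot hide behind a benign first command.

```python
"""Pre-action gate for an agent's shell tool: ALLOW / CONFIRM / DENY.
Added example; the rule tables are constructed assumptions, not the guide's lists."""
import os
import shlex
from dataclasses import dataclass
from enum import Enum


class Verdict(str, Enum):
    ALLOW = "allow"      # runs without interrupting the user
    CONFIRM = "confirm"  # irreversible or sensitive: needs explicit human approval
    DENY = "deny"        # red line: never executed, regardless of who asked


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    reason: str


SEVERITY = {Verdict.ALLOW: 0, Verdict.CONFIRM: 1, Verdict.DENY: 2}
SEPARATORS = {"|", "||", "&&", ";", "&"}

# Illustrative rule tables (assumptions for this example).
ROOT_LIKE = {"/", "/*", "~", "$HOME", "/home", "/etc", "/usr", "/var"}
WIPE_PROGRAMS = {"mkfs", "wipefs", "shred"}
PACKAGE_MANAGERS = {"pip", "pip3", "npm", "npx", "apt", "apt-get", "brew", "cargo"}
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "node"}


def tokenize(command: str) -> list[list[str]]:
    """Split a command line into pipeline/list segments; raises ValueError on bad quoting."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            segments.append(current)
            current = []
        else:
            current.append(tok)
    segments.append(current)
    return segments


def classify_segment(argv: list[str]) -> Decision:
    """Apply the red/yellow line rules to one simple command."""
    elevated = False
    if argv and os.path.basename(argv[0]) == "sudo":
        elevated = True
        argv = argv[1:]
        while argv and argv[0].startswith("-"):  # sudo's own switches (option values not modelled)
            argv = argv[1:]
    if not argv:
        return Decision(Verdict.ALLOW, "empty segment")
    prog, args = os.path.basename(argv[0]), argv[1:]
    flags = [a for a in args if a.startswith("-")]
    operands = [a for a in args if not a.startswith("-")]

    if prog == "rm":
        recursive = any(f == "--recursive" or (not f.startswith("--") and "r" in f.lower()) for f in flags)
        if recursive and any(t in ROOT_LIKE or t.rstrip("/") in ROOT_LIKE for t in operands):
            return Decision(Verdict.DENY, "recursive delete of a root-like path")
        return Decision(Verdict.CONFIRM, "deletion is irreversible")
    if prog in WIPE_PROGRAMS or prog.startswith("mkfs."):
        return Decision(Verdict.DENY, "filesystem format / wipe")
    if prog == "dd" and any(a.startswith("of=/dev/") for a in args):
        return Decision(Verdict.DENY, "raw write to a block device")
    if prog in PACKAGE_MANAGERS and any(op in {"install", "add", "i"} for op in operands):
        return Decision(Verdict.CONFIRM, "new dependency or Skill install needs a supply-chain review")
    if prog == "git" and "push" in operands and any(f in {"-f", "--force"} for f in flags):
        return Decision(Verdict.CONFIRM, "force push rewrites shared history")
    if elevated:
        return Decision(Verdict.CONFIRM, "privilege escalation via sudo")
    return Decision(Verdict.ALLOW, "no rule matched")


def classify(command: str) -> Decision:
    """Classify a whole command line: the strictest segment wins, plus pipeline-level rules."""
    try:
        segments = tokenize(command)
    except ValueError as exc:
        return Decision(Verdict.DENY, f"unparseable command line: {exc}")
    decisions = [classify_segment(seg) for seg in segments]
    progs = [os.path.basename(seg[0]) if seg else "" for seg in segments]
    # A download piped straight into an interpreter is a supply-chain yellow line
    # even though each half looks benign on its own.
    for left, right in zip(progs, progs[1:]):
        if left in DOWNLOADERS and right in INTERPRETERS:
            decisions.append(Decision(Verdict.CONFIRM, "remote script piped into an interpreter"))
    return max(decisions, key=lambda d: SEVERITY[d.verdict])
```

Anything the lexer cannot parse is denied rather than guessed at, and `sudo` alone promotes an otherwise allowed command to `CONFIRM`, which keeps the default posture zero-trust while leaving ordinary read-only commands frictionless.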
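The post-action tier ("Nightly automated explicit audits") and the v2.8 items on audit script guidelines (boundary anchors, explicit healthy-state output, summary line), the 30-day report rotation and hash-baseline rebuilds all describe one nightly job. The following is an added example of that job written against a constructed temporary directory, not the guide's own audit script: the anchor strings, the report format, the `skills/` layout and the `audit-*.log` file names are assumptions. It hashes every file under a directory, diffs against a saved baseline, prints an explicit `OK` line when nothing changed (no silent pass), ends with a machine-readable `SUMMARY` line inside anchors so an isolated cron session can find it among other output, and deletes reports older than 30 days.

```python
"""Nightly explicit audit: hash-baseline diff, anchored report, summary line, 30-day rotation.
Added example; anchors, paths and report format are assumptions, not the guide's script."""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

BEGIN_ANCHOR = "===== OPENCLAW-AUDIT BEGIN ====="  # assumed anchor strings
END_ANCHOR = "===== OPENCLAW-AUDIT END ====="


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return added / removed / modified relative paths between two hash maps."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def render_report(check_name: str, diff: dict[str, list[str]], files_checked: int) -> str:
    """Explicit output in both states: a healthy check still prints a line (no silent pass)."""
    changes = sum(len(v) for v in diff.values())
    status = "HEALTHY" if changes == 0 else "ALERT"
    lines = [BEGIN_ANCHOR, f"check={check_name} files_checked={files_checked} status={status}"]
    if changes == 0:
        lines.append(f"OK: {check_name}: {files_checked} files match baseline, 0 changes")
    for kind, paths in diff.items():
        lines.extend(f"{status}: {check_name}: {kind} {p}" for p in paths)
    lines.append(f"SUMMARY status={status} checks=1 alerts={changes}")
    lines.append(END_ANCHOR)
    return "\n".join(lines)


def extract_summary(log_text: str) -> dict[str, str]:
    """Parse the SUMMARY line from between the anchors, ignoring anything outside them."""
    start = log_text.index(BEGIN_ANCHOR) + len(BEGIN_ANCHOR)
    end = log_text.index(END_ANCHOR, start)
    for line in log_text[start:end].splitlines():
        if line.startswith("SUMMARY "):
            return dict(kv.split("=", 1) for kv in line.split()[1:])
    raise ValueError("no SUMMARY line inside the audit anchors")


def rotate_reports(report_dir: Path, keep_days: int = 30, now: Optional[float] = None) -> list[str]:
    """Delete audit-*.log files whose mtime is older than keep_days; return the names removed."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    removed = []
    for path in sorted(report_dir.glob("audit-*.log")):
        if path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path.name)
    return removed


def run_demo() -> dict:
    """Constructed scenario: baseline three skill files, then modify, add and delete one each."""
    with tempfile.TemporaryDirectory() as tmp:
        skills = Path(tmp, "skills")
        for name in ("alpha/SKILL.md", "beta/SKILL.md", "gamma/run.sh"):
            (skills / name).parent.mkdir(parents=True, exist_ok=True)
            (skills / name).write_text(f"# {name}\n")
        baseline = build_baseline(skills)                      # what a post-upgrade rebuild would save
        healthy = render_report("skills-integrity", diff_baseline(baseline, build_baseline(skills)), len(baseline))

        (skills / "beta/SKILL.md").write_text("# beta (modified)\n")
        (skills / "delta").mkdir()
        (skills / "delta/SKILL.md").write_text("# delta\n")
        (skills / "gamma/run.sh").unlink()
        current = build_baseline(skills)
        diff = diff_baseline(baseline, current)
        alert = render_report("skills-integrity", diff, len(current))

        reports = Path(tmp, "reports")
        reports.mkdir()
        now = time.time()
        for age_days in (1, 29, 31, 90):                        # constructed report history
            p = reports / f"audit-{age_days}d.log"
            p.write_text(alert)
            os.utime(p, (now - age_days * 86400, now - age_days * 86400))
        removed = rotate_reports(reports, keep_days=30, now=now)
        return {"healthy": healthy, "alert": alert, "diff": diff, "removed": removed}


if __name__ == "__main__":
    result = run_demo()
    print(result["alert"])
```

The anchors matter because the cron session that reads the report may also see unrelated workspace output; `extract_summary` only looks between them, and the `SUMMARY` line carries the healthy case explicitly (`alerts=0`) so a missing report and a clean report can never be confused.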