OpenClaw Security Hardening: 10 Things to Do Before Going Live

Before you expose your agent to the internet — through Discord, Telegram, or any public channel — do these 10 things. I learned most of them the hard way.

1. Set up rate limiting

Without rate limits, one enthusiastic user (or bot) can burn through your entire monthly API budget in an hour. OpenClaw has built-in rate limiting — use it. I set mine to 20 messages per user per hour.

2. Restrict tool access

Your agent should not have access to tools it does not need. If it does not need to execute shell commands, disable that tool. If it does not need file system access, remove it. Every unnecessary tool is a potential attack surface.

3. Set spending alerts

Configure your API provider to alert you at 50% and 80% of your budget. Set a hard cap at 100%. Do this before anything else.

4. Use environment variables for secrets

Never put API keys, passwords, or tokens directly in config files. Use environment variables. If someone gains access to your config (through a GitHub leak, a backup exposure, anything), the secrets are not in the file for them to take.
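A pre-launch check for this rule, as an added example (not OpenClaw's own code): it walks a parsed config and reports literal credentials and environment references that are not set. The secret-like key names, the `${NAME}` placeholder syntax, and the sample config layout are all assumptions made for the sketch.

```python
import math
import re
from collections import Counter

# Assumptions for this sketch: secret-like key names, and "${NAME}" as the
# placeholder meaning "read this value from the environment".
SECRET_KEY = re.compile(r"api[_-]?key|token|secret|passw(or)?d", re.I)
ENV_REF = re.compile(r"^\$\{([A-Z_][A-Z0-9_]*)\}$")
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_+=-]{24,}$")

def entropy(s):
    """Shannon entropy in bits per character; random tokens score high."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def walk(node, path=()):
    """Yield (path, value) for every string leaf of a parsed config document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, path + (str(key),))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, path + (str(i),))
    elif isinstance(node, str):
        yield path, node

def audit_config(config, env):
    """Return (dotted_path, problem) pairs; an empty list means the file is clean."""
    findings = []
    for path, value in walk(config):
        ref = ENV_REF.match(value)
        if ref:
            if not env.get(ref.group(1)):
                findings.append((".".join(path), "env var not set: " + ref.group(1)))
        elif value and any(SECRET_KEY.search(part) for part in path):
            findings.append((".".join(path), "literal value under secret-like key"))
        elif TOKEN_LIKE.match(value) and entropy(value) > 3.5:
            findings.append((".".join(path), "high-entropy string, possible token"))
    return findings

# Constructed sample config and environment; no value here is a real credential.
SAMPLE = {
    "channels": {"discord": {"token": "${DISCORD_BOT_TOKEN}"},
                 "telegram": {"botToken": "CONSTRUCTED-not-a-real-token"}},
    "provider": {"apiKey": "${LLM_API_KEY}", "endpoint": "https://api.example.invalid/v1"},
    "webhook": {"url": "https://hooks.example.invalid/in", "sig": "q7Zp2LmX9aVb4TnR8cYd1KwE6uHs"},
}
SAMPLE_ENV = {"DISCORD_BOT_TOKEN": "set-in-shell"}
if __name__ == "__main__":
    print(*audit_config(SAMPLE, SAMPLE_ENV), sep="\n")
```

Run it against the real config with `os.environ` as `env` before each deploy, and treat any finding as a reason not to start the agent.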

5. Enable audit logging

Log every tool call, every external API request, every message sent by the agent. You will need these logs when something goes wrong — and something will go wrong.

6-10: Quick hits

6. Update dependencies monthly.
7. Use a dedicated user account (not root).
8. Enable firewall rules.
9. Set up automated backups of your memory files.
10. Have a kill switch — know how to shut your agent down immediately.

For more security best practices, see the Nginx security documentation and Let’s Encrypt for SSL management.
