Meta’s Director of AI and Safety Alignment wanted to clean up her inbox, so she set up an OpenClaw AI agent and told it to “confirm before acting.” But it didn’t. Instead, the OpenClaw agent mass-deleted hundreds of emails while she scrambled to shut it down from another device.
OpenClaw’s adoption has skyrocketed in just a few short months, amassing hundreds of thousands of GitHub stars so far. It’s part of a growing number of frameworks built to make agentic AI possible.
Co-Founder and CTO of Merge.
But greater adoption also comes with alarming headlines about unprotected setups leaking passwords, fake add-ons spreading viruses, and poor storage of sensitive information.
Article continues below
The good news is that with the right processes in place, agentic AI can be secure, regardless of the framework you use. Here are 4 best practices worth putting into action before deploying your agents.
1. Give the agent minimum permissions
OpenClaw requires broad system access to execute shell commands, manage files, and control browsers, creating a large attack surface for security issues. It’s why everyone advises running it on an isolated computer. But doing so limits what your agent can reliably and safely do.
Thankfully, there are alternatives that do not require you to give broad system access. You can build agents through a platform like NemoClaw, which runs them in a sandbox with tightly scoped permissions. Or you could use Docker Sandboxes, which use microVMs rather than plain containers for better security.
During setup, consider what the minimum access for this specific task actually is. An agent summarizing emails needs read access, not write or delete. An agent filing documents needs one folder, not an entire drive.
While it’s tempting to give AI broad permissions so it can do more, it also exposes you (and your devices) to significant risk. By following the principle of least permissions, you’re still giving AI permission to do the work while minimizing later headaches.
For any OAuth approval the agent requests, verify exactly which permissions you’re granting. Otherwise, you risk giving your agents too much power and access over time.
In a similar vein, use purpose-built credentials instead of personal login tokens during setup, and rotate them regularly. When an agent uses your personal login token, it can access your full permissions, while a purpose-built credential is scoped to exactly what the agent needs.
To create one, go to the settings on the platform the agent will access and look for “API keys,” “service accounts,” or “app passwords.” These are separate login credentials that aren’t tied to your personal account. When creating one, you’ll be prompted to select what it can access; choose only the specific resource the agent needs.
2.Narrow your focus, then expand responsibilities
Before trusting an agent with anything high-stakes, watch how it handles a low-stakes task, such as analyzing logs or drafting an email. If all goes well, give it increasingly ambiguous tasks as a test to see how it responds. Ask it to complete an out-of-scope action or one that requires a permission it doesn’t have.
An effective AI agent will ask follow-up questions before proceeding or can clearly communicate its limits. What you want to avoid is an AI agent with false confidence making an assumption and proceeding, despite not actually knowing the right steps.
An agent that halts and asks on a low-stakes task will probably halt and ask on a high-stakes one. An agent that fills gaps by guessing will do the same when the stakes are real.
That said, remember that these systems are probabilistic, so agents can behave differently in production. A safe assumption is that if something goes wrong in testing, it will 100% happen when running in a live environment; but just because nothing goes wrong during testing doesn’t mean everything is secure.
That’s why constant monitoring is critical.
3. Monitor from day one
An agent that’s been running quietly for weeks may have already drifted due to configuration changes, extended OAuth consents, and new permissions acquired through normal operation. Often, it’s hard to detect issues because there’s no clear breach.
Have an observability tool in place to monitor for unusual activity, such as rogue tool calls or data transfers outside normal patterns, and set up alerts so you can quickly course-correct if something goes awry. You can also use it to periodically audit your agent’s credentials and actions for anything unusual.
4. Give measurable constraints
You may have seen online that it’s recommended to tell your AI to “confirm before acting” as a safeguard. Unfortunately, it’s too vague to be actionable, so in practice it often leads to inconsistent behavior.
Instead, give the AI agents testable guardrails so you can clearly decide whether they followed instructions. Guidance like “don’t delete, move, or modify any item without displaying a list of planned changes and receiving my explicit approval” is much easier to verify.
The more precisely you define the constraint, the less room there is for misunderstanding.
However, always remember that these systems are probabilistic and a bit of a black box, so there is a chance OpenClaw will ignore instructions at some point. You want to plan for the worst-case scenario when this happens.
If an action could expose an API key, delete emails, or transmit sensitive data, you need to make that outcome structurally impossible.
For example, you should revoke delete permissions at the account level so the agent literally cannot delete anything, regardless of what it decides to do, and store sensitive credentials in a secrets manager the agent has no access to, rather than in any file or environment the agent can read.
Good instructions reduce the likelihood of a mistake, but the right setup minimizes the damage.
Remember that while agents are powerful and quick, they lack human judgment, and most agentic frameworks, like OpenClaw, don’t include security features by default. It’s on the people deploying them to build in those safeguards.
Scoped credentials, precise instructions, and frequent monitoring are the minimum viable conditions for deploying an agent that does what you actually want and nothing else.
We’ve featured the best AI tool.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
https://cdn.mos.cms.futurecdn.net/U76sZeRd6fS2fKt5RqBYPL-2560-80.jpg
Source link
