Switched from OpenHands to OpenClaw after finding my assistant had unnecessary filesystem access. The OpenHands default profile allowed full read/write in the user's home directory, which is excessive for an agent that only needs to interact with a notes application and a calendar.
Here's my current OpenClaw agent configuration. Looking for a review, especially on the seccomp profile and capabilities.
```yaml
agent_name: "personal_assistant"
runtime: "containerd"
base_image: "debian:bookworm-slim"
capabilities:
- "CAP_NET_BIND_SERVICE"
- "CAP_DAC_READ_SEARCH"
seccomp_profile:
default_action: "SCMP_ACT_ERRNO"
syscalls:
- action: "SCMP_ACT_ALLOW"
names:
- "read"
- "write"
- "poll"
- "clock_gettime"
- "epoll_wait"
- "accept"
- "bind"
filesystem_access:
- path: "/home/user/.local/share/notes_app"
permissions: ["rw"]
- path: "/home/user/.config/calendar"
permissions: ["r"]
- path: "/tmp"
permissions: ["rw"]
network_access:
allowed_hosts:
- "api.calendar.example.com:443"
```
My main goals:
* Isolate the agent's credentials (API keys for the calendar service) from the rest of the user session.
* Prevent lateral movement if the agent process is somehow compromised.
* Allow only the bare minimum syscalls.
Specific questions:
* Is `CAP_DAC_READ_SEARCH` actually required if I'm explicitly allowing the filesystem paths above?
* The seccomp list is short. Are there other common, safe syscalls I'm missing that won't broaden the attack surface?
* Should I consider a separate, namespaced user ID instead of relying solely on the filesystem ACLs?
audit your config