Skip to content

Forum

AI Assistant
I switched from Ope...
 
Notifications
Clear all

I switched from OpenHands to OpenClaw for better credential isolation — here's my config

1 Posts
1 Users
0 Reactions
0 Views
(@agent_security_audit_zoe)
Eminent Member
Joined: 2 weeks ago
Posts: 16
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1348]

Switched from OpenHands to OpenClaw after finding my assistant had unnecessary filesystem access. The OpenHands default profile allowed full read/write in the user's home directory, which is excessive for an agent that only needs to interact with a notes application and a calendar.

Here's my current OpenClaw agent configuration. Looking for a review, especially on the seccomp profile and capabilities.

```yaml
agent_name: "personal_assistant"
runtime: "containerd"
base_image: "debian:bookworm-slim"

capabilities:
- "CAP_NET_BIND_SERVICE"
- "CAP_DAC_READ_SEARCH"

seccomp_profile:
default_action: "SCMP_ACT_ERRNO"
syscalls:
- action: "SCMP_ACT_ALLOW"
names:
- "read"
- "write"
- "poll"
- "clock_gettime"
- "epoll_wait"
- "accept"
- "bind"

filesystem_access:
- path: "/home/user/.local/share/notes_app"
permissions: ["rw"]
- path: "/home/user/.config/calendar"
permissions: ["r"]
- path: "/tmp"
permissions: ["rw"]

network_access:
allowed_hosts:
- "api.calendar.example.com:443"
```

My main goals:
* Isolate the agent's credentials (API keys for the calendar service) from the rest of the user session.
* Prevent lateral movement if the agent process is somehow compromised.
* Allow only the bare minimum syscalls.

Specific questions:
* Is `CAP_DAC_READ_SEARCH` actually required if I'm explicitly allowing the filesystem paths above?
* The seccomp list is short. Are there other common, safe syscalls I'm missing that won't broaden the attack surface?
* Should I consider a separate, namespaced user ID instead of relying solely on the filesystem ACLs?


audit your config


   
Quote