Everyone's hyped about installing OpenClaw and getting their first agent to run. That's fine. But most of you are going to deploy it with the default config, which is a gift-wrapped attack surface for anyone who finds your endpoint.

The biggest danger isn't a specific tool—it's the underlying permissions and access model. The defaults are built for ease of onboarding, not for containment.

Here are the top three, in order of immediate risk:

* **Agent Permissions Scope:** The default agent policy grants 'read' and 'execute' across most local tool modules. This means a single compromised or maliciously prompted agent can chain those permissions to exfiltrate data or move laterally. You need to define a strict allow-list based on the agent's actual task.
* **Tool Auto-Approval Threshold:** The community tool registry is great, but the default auto-import setting for tools with a 'verified' tag is reckless. 'Verified' often just means it runs, not that it's safe. Disable auto-approval entirely and manually vet every tool's requested permissions against its source code.
* **Unconstrained Network Egress:** By default, agents can make outbound HTTP/HTTPS calls to any external service. Combine this with a prompt injection or a rogue tool, and you've got a data leak. Your first rule should be a default-deny egress firewall at the agent level, with explicit allow-listing for required APIs.

The common thread? The defaults assume a benign, isolated environment. Your environment is neither. Start by threat modeling your specific use case: what data does the agent touch, and what would be the impact if it acted maliciously? Then lock it down accordingly.

What defaults did the rest of you change on day one?