Security baseline: complete these 5 checks first

Use this checklist before exposing OpenClaw to real channels and long-running workloads.

What to do now

Complete all five checks before public rollout.

Security checklist

  1. do not expose management surfaces to uncontrolled public access
  2. update to a security-fixed stable release
  3. verify skill source and permission scope
  4. restrict file paths, commands, and external services
  5. define channel permissions and ownership

Completion standard for each check

  1. management surface:
     • only allowlisted access or private network access
  2. version updates:
     • current runtime version matches a stable release with recent fixes
  3. skill review:
     • each installed skill has source and permission notes
  4. access policy:
     • high-risk commands and paths are denied by default
  5. channel boundaries:
     • each channel has clear invoke scope and owner

SlowMist additions (high priority)

The SlowMist repository provides a more operational defense matrix. Add it to your baseline:

At minimum, add these six controls:

  1. define red-line and yellow-line command rules in AGENTS.md
  2. run full-text audits for skills (.md/.json included), not script-only checks
  3. use permission narrowing + hash baseline for core config files
  4. require nightly audit reports to list all metrics explicitly, including healthy ones
  5. add DLP checks for plaintext private keys and mnemonics
  6. run red-team validation drills after deployment
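
Controls 3 and 4 above can be combined in one audit script. The following is an added example, not code from OpenClaw or the SlowMist repository; the 0o600 permission ceiling, the JSON baseline format, the function names and the sample file names are assumptions.

```python
import hashlib
import json
import os
import stat
from pathlib import Path

MAX_MODE = 0o600  # assumed ceiling: owner read/write, nothing for group/other


def snapshot(path):
    """Return the SHA-256 digest and permission bits of one file."""
    return {"sha256": hashlib.sha256(Path(path).read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(os.stat(path).st_mode)}


def create_baseline(paths, baseline_file):
    """Narrow permissions on each file, then record its hash and mode."""
    for p in paths:
        os.chmod(p, MAX_MODE)
    baseline = {str(p): snapshot(p) for p in paths}
    Path(baseline_file).write_text(json.dumps(baseline, indent=2))
    os.chmod(baseline_file, MAX_MODE)


def audit(baseline_file):
    """Compare every baselined file to its record; healthy files report OK."""
    baseline = json.loads(Path(baseline_file).read_text())
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = ["MISSING"]
            continue
        current = snapshot(path)
        findings = []
        if current["sha256"] != expected["sha256"]:
            findings.append("HASH_CHANGED")
        if current["mode"] & ~MAX_MODE:  # any bit beyond the ceiling
            findings.append("MODE_TOO_OPEN")
        report[path] = findings or ["OK"]
    return report


if __name__ == "__main__":
    import tempfile
    cfg = Path(tempfile.mkdtemp()) / "AGENTS.md"  # constructed sample file
    cfg.write_text("red-line: deny by default\n")
    create_baseline([cfg], cfg.with_name("baseline.json"))
    cfg.write_text("tampered\n")
    print(audit(cfg.with_name("baseline.json")))
```

Every baselined file appears in the report, so a nightly run lists healthy entries as explicitly as drifted ones. Store the baseline file where the agent runtime cannot write to it, otherwise a change to a config file can be hidden by rewriting its record.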
