The Agent Security Checklist
The 15-minute hardening pass you should do for every new agent setup. Print it, work through it, sign off.
The threat
Most agent compromises come from skipping obvious controls — a global skill allowlist, a secret in SOUL.md, an OAuth token with write scope that only needed read. This checklist catches the easy stuff.
What to do about it
1. Identity & process isolation
Agent runs as a dedicated user (not you). On Linux/macOS: useradd agent. On Windows: separate user account.
2. Skills scoped per project
No global allowlist. Each project explicitly declares the skills it needs.
3. Secrets in .env with chmod 600
Nothing in SOUL.md, CLAUDE.md, system prompts, or version control.
4. OAuth scopes at minimum
Read-only unless you need write. Draft-only for email sending. Never delete.
5. Draft-only gate for all irreversible actions
Send email, push code, post publicly, move money, delete files — all require explicit human confirmation.
6. MCP servers pinned to specific versions
No 'latest'. Read the code for each one at least once.
7. Audit logging enabled and reviewed weekly
If you can't see what the agent did, you can't catch problems. Review every Monday.
8. Incident response plan written down
Where to revoke OAuth, how to kill the process, where the logs are. Two minutes to write, saves an hour in an emergency.
9. Quarterly skill/MCP audit scheduled
Calendar reminder. Uninstall anything you haven't actively used in 90 days.
10. 2FA on every connected account
Email, cloud, GitHub, payment. A compromised agent credential shouldn't mean a compromised account.
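Several of the items above (1, 3, 6, 7) can be verified mechanically rather than by eye. The script below is an added example, not code from this page or from any of the products listed under "Applies to"; it runs an offline pass over those items against a project directory. The layout it assumes (.env, SOUL.md, CLAUDE.md, mcp.json and logs/agent.log in one directory), the account name "agent", the secret-detection regex and the MCP config shape are all assumptions for the example. The account check uses `id`, which exists on Linux and macOS; `useradd` itself is a Linux tool, so on macOS the account is created with the system's own user-management tooling.

```shell
#!/bin/sh
# Added example: offline checks for checklist items 1, 3, 6 and 7.
# Assumed layout: <project>/.env, SOUL.md, CLAUDE.md, mcp.json, logs/agent.log

# Item 1: the dedicated agent account exists (name or numeric uid).
check_user_exists() {
  id "$1" >/dev/null 2>&1
}

# Item 3: .env is mode 600. ls -ld is used instead of stat because stat's
# flags differ between GNU and BSD; the first 10 chars are the mode string.
check_env_perms() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Item 3: no secret-looking values in prompt files. Constructed heuristic:
# sensitive key names followed by a value, plus a few common token prefixes.
check_no_secrets() {
  found=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -Eiq '(api[_-]?key|secret|token|password)[[:space:]]*[:=][[:space:]]*[^[:space:]]+|sk-[A-Za-z0-9]{8,}|ghp_[A-Za-z0-9]{8,}|AKIA[A-Z0-9]{12,}' "$f"; then
      echo "secret-like value in $f" >&2
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Item 6: reject any MCP package spec ending in @latest or a "latest" field.
check_mcp_pinned() {
  [ -f "$1" ] || return 1
  ! grep -Eq '@latest|"latest"' "$1"
}

# Item 7: the audit log was written within the last N days, i.e. logging is on.
check_log_recent() {
  [ -f "$1" ] || return 1
  [ -n "$(find "$1" -mtime -"$2" 2>/dev/null)" ]
}

# Print PASS/FAIL for one check and count failures in the global $fails.
report() {
  if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# Run every check for one project directory; returns the number of failures.
run_checklist() {
  dir=$1; user=${2:-agent}; fails=0
  report check_user_exists "$user"
  report check_env_perms "$dir/.env"
  report check_no_secrets "$dir/SOUL.md" "$dir/CLAUDE.md"
  report check_mcp_pinned "$dir/mcp.json"
  report check_log_recent "$dir/logs/agent.log" 7
  return "$fails"
}

# Constructed sample project with two deliberate misses (a secret in SOUL.md
# and an unpinned MCP server) so the report shows what a failure looks like.
make_sample() {
  mkdir -p "$1/logs"
  printf 'EXAMPLE_API_KEY=example-not-a-real-key\n' > "$1/.env"
  chmod 600 "$1/.env"
  printf 'You are a helpful agent.\nRemember: api_key = example-not-a-real-key\n' > "$1/SOUL.md"
  printf '{"mcpServers":{"fs":{"command":"npx","args":["-y","@example/server-fs@latest"]}}}\n' > "$1/mcp.json"
  : > "$1/logs/agent.log"
}

# Usage: sh agent_checklist.sh /path/to/project [agent-account]
if [ $# -ge 1 ]; then
  run_checklist "$1" "${2:-agent}"
  exit $?
fi
```

Run it with a project path as the first argument (and the agent account name as the second); the exit status is the number of failed items, so it drops straight into a cron job or a pre-commit hook. `make_sample` builds a throwaway directory with the constructed failures if you want to see the report before pointing it at a real setup.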
Applies to
OpenClaw · NemoClaw · IronClaw · Hermes · Claude Cowork · ChatGPT