OpenClaw Secure Implementation
A reference architecture for deploying and operating a personal AI assistant as a coworker — with its own identity, explicit authority delegation, and strong operational boundaries.
22 chapters · Pure documentation · No executable code · Audio, video & slides available in the notebook
Documentation
22 chapters covering philosophy, infrastructure, governance, operations, and synthesis.
Introduction and Scope
Purpose, intended audience, scope, and the threat-model-first design approach.
Positioning and Anti-Patterns
Explicit non-goals: high availability, unattended autonomy, and implicit trust accumulation are all rejected.
Design Philosophy: Coworker, Not Plugin
Foundational principles — separation of identity, authority, and execution.
Deployment and Physical Boundaries
VM-based on-premises isolation. Physical dependency used as a safety feature.
Network Isolation and Access
Default-deny network posture. Telegram as one-way control plane.
Identity and Account Separation
Dedicated accounts for the assistant. No shared credentials or identity with the human operator.
GitHub Collaboration Model
Shared GitHub organization with fork-based workflow. Pull requests as governance primitive.
Memory and Auditability
Obsidian Markdown vault backed by Git as externalized, human-readable memory and audit trail.
Backup and Recovery
Backups preserve understanding, not execution state. Manual recovery; no auto-restore.
Update and Change Control
Assistant monitors for updates but cannot apply them. Human approvals required.
External Integrations and API Governance
Short allowlist of approved APIs. Hard monthly spend caps. No autonomous key rotation.
Tooling and Skill Governance
Default-deny tool policy. Risk classification: Safe, Conditional, High Risk, Rejected.
Recursive Improvement and North Star Constraints
Improvement through documentation and reflection, not autonomous code changes.
Skill Security Analysis Pipeline
Four-phase skill review, including pre-ingestion analysis, multi-perspective review, and capability-mismatch detection.
API Budgeting and Telemetry
Cost as a behavioral signal. Near-real-time usage monitoring with multi-level alert thresholds.
Alerts and Failure Behavior
Four operational states. Fail-closed by design; progressive escalation.
Downtime and End of Life
Loss of control triggers pause, then stop. Inactivity-based auto-deletion.
Human Judgment Assumptions
Humans as the current least-dangerous authority — an empirical claim, not a moral one.
Operator Requirements and Failure Modes
The operator must understand security fundamentals and review the assistant's actions. The system does not compensate for operator disengagement.
Threat Model Summary
Threats mitigated: escalation, runaway automation, credential compromise, supply chain abuse.
Replication Guide
What can be copied directly vs. what must be adapted. Common replication mistakes.
Conclusion and Reflections
Open questions on autonomy bounds, governance scalability, and ethical decommissioning.
Capability Examples Within Constraints
Concrete patterns showing that constraints enable capability, not limit it.