Why talk about security?
When you have an agent running, there’s sensitive data at stake: your API keys (which cost money), your conversations (with personal information), and the data the agent processes.
Rule 1: Protect API keys
Never put them in code you push to GitHub. Load them from environment variables. Revoke a key immediately if you suspect it has been compromised. Use one key per service.
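An added example of this rule in practice (it is not code from the OpenClaw project or from this lesson): read the key from an environment variable, refuse to start when it is missing or still a placeholder, and scrub the key out of anything that reaches the logs. The helper names (loadApiKey, redactSecret, makeSafeLogger) and the OPENCLAW_API_KEY variable name are assumptions made for the illustration.

```javascript
// Added example (hypothetical helpers, not OpenClaw's own config loading).

// Values copied from templates or docs that are obviously not real keys.
const PLACEHOLDERS = new Set(['', 'changeme', 'your-api-key', 'xxx', 'todo']);

// Read a key from an environment object (process.env in practice). Fails
// closed: a missing or placeholder value aborts startup instead of silently
// running with an empty key and producing confusing 401 errors later.
function loadApiKey(name, env = process.env) {
  const value = (env[name] || '').trim();
  if (PLACEHOLDERS.has(value.toLowerCase())) {
    throw new Error(`Environment variable ${name} is not set to a real API key`);
  }
  return value;
}

// Replace a secret wherever it appears in text destined for logs or error
// messages, keeping only the last 4 characters so the key can be identified.
function redactSecret(text, secret) {
  if (!secret || secret.length < 8) return text; // nothing sensible to redact
  const tail = secret.slice(-4);
  return text.split(secret).join(`****${tail}`);
}

// Wrap a log sink so every line is scrubbed before it is written.
function makeSafeLogger(secrets, sink = console.log) {
  return (line) => {
    let out = String(line);
    for (const s of secrets) out = redactSecret(out, s);
    sink(out);
    return out;
  };
}

// Usage with a constructed environment (pass process.env in a real agent).
const demoEnv = { OPENCLAW_API_KEY: 'sk-demo-1234567890abcd' }; // constructed value
const demoKey = loadApiKey('OPENCLAW_API_KEY', demoEnv);
const safeLog = makeSafeLogger([demoKey]);
safeLog(`request failed for key ${demoKey}`); // prints "request failed for key ****abcd"
```

Keeping the scrubbing in the logger rather than at each call site means a new log line added later cannot accidentally leak the key.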
Rule 2: Restrict Telegram bot access
Always configure allowedUsers. Don’t share the bot token.
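An added example of an allowedUsers check that fails closed (this is illustration code, not OpenClaw's own bot handler). It assumes the config holds an allowedUsers array of Telegram user IDs and that incoming updates follow Telegram's message.from.id shape; the helper names are assumptions.

```javascript
// Added example: fail-closed allowlist for a Telegram bot. Config shape and
// helper names (buildAllowlist, isAllowedUser, handleUpdate) are assumed.

// Normalise the allowlist once. Telegram user IDs are integers, but config
// files often hold them as strings, so everything is compared as a string.
function buildAllowlist(config) {
  const raw = Array.isArray(config.allowedUsers) ? config.allowedUsers : [];
  return new Set(raw.map((id) => String(id).trim()).filter((id) => id !== ''));
}

// Deny by default: an empty or missing allowedUsers list means nobody is
// allowed, not everybody. A misconfiguration then shows up as "the bot
// ignores me" instead of as a bot anyone on Telegram can drive.
function isAllowedUser(allowlist, userId) {
  if (userId === undefined || userId === null) return false;
  return allowlist.has(String(userId));
}

// Gate an incoming update. Denied attempts are recorded (user id, username,
// time) so they can be reviewed later; a burst of them is the signal that
// someone has found the bot.
function handleUpdate(allowlist, update, onMessage, deniedLog = []) {
  const from = update && update.message && update.message.from;
  const userId = from ? from.id : undefined;
  if (!isAllowedUser(allowlist, userId)) {
    deniedLog.push({ userId: userId ?? null, username: from?.username ?? null, at: Date.now() });
    return { handled: false, reason: 'user not in allowedUsers' };
  }
  onMessage(update.message);
  return { handled: true };
}

// Constructed config and updates for illustration.
const demoAllowlist = buildAllowlist({ allowedUsers: [123456789, '987654321'] });
const demoDenied = [];
const demoReceived = [];
handleUpdate(demoAllowlist, { message: { from: { id: 123456789 }, text: 'hi' } },
  (m) => demoReceived.push(m), demoDenied);           // handled: true
handleUpdate(demoAllowlist, { message: { from: { id: 555, username: 'stranger' }, text: 'hi' } },
  (m) => demoReceived.push(m), demoDenied);           // handled: false, one denied entry
```

The check runs before any message text is looked at, so an unknown user cannot trigger the agent (and spend your tokens) even with a crafted message.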
Rule 3: Understand what you send to the provider
All your conversation text passes through the provider’s servers. For sensitive information: local model with Ollama, or review the provider’s policies.
Rule 4: Backups
Back up ~/.openclaw/ regularly. Store backups securely (they contain API keys).
Rule 5: Update regularly
npm update -g openclaw
Rule 6: Monitor usage
Check token consumption, OpenClaw logs, and conversations.
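An added example of what "check token consumption" can look like as an automated check (not code from OpenClaw or this lesson). The usage records are constructed for the example, and the record shape {day, tokens} is an assumption; in practice they would come from the provider's usage report or the agent's own logs. A day that exceeds a hard budget, or that is several times the average of the days before it, is worth a look: it is how a leaked key or a runaway agent loop usually shows up first.

```javascript
// Added example: flag unusual daily token consumption. Record format is
// constructed; function names (totalsByDay, findAnomalies) are assumptions.

// One record per model call. Constructed sample data; the last day is
// deliberately out of line with the others.
const SAMPLE_USAGE = [
  { day: '2024-05-01', tokens: 12000 },
  { day: '2024-05-01', tokens: 8000 },
  { day: '2024-05-02', tokens: 15000 },
  { day: '2024-05-03', tokens: 22000 },
  { day: '2024-05-04', tokens: 180000 }, // leaked key or runaway loop?
];

// Sum tokens per day and return [day, total] pairs in date order.
function totalsByDay(records) {
  const totals = new Map();
  for (const r of records) {
    totals.set(r.day, (totals.get(r.day) || 0) + r.tokens);
  }
  return [...totals.entries()].sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
}

// Flag a day whose total exceeds a hard budget, or that is spikeFactor times
// the average of the preceding days (a baseline needs at least 2 prior days).
function findAnomalies(records, { dailyBudget = 100000, spikeFactor = 3 } = {}) {
  const totals = totalsByDay(records);
  const alerts = [];
  for (let i = 0; i < totals.length; i++) {
    const [day, total] = totals[i];
    const reasons = [];
    if (total > dailyBudget) reasons.push(`over daily budget (${total} > ${dailyBudget})`);
    if (i >= 2) {
      const prior = totals.slice(0, i).map(([, t]) => t);
      const avg = prior.reduce((a, b) => a + b, 0) / prior.length;
      if (total > spikeFactor * avg) reasons.push(`${(total / avg).toFixed(1)}x the prior average`);
    }
    if (reasons.length > 0) alerts.push({ day, total, reasons });
  }
  return alerts;
}

// Usage: one alert for 2024-05-04 (over budget and 9.5x the prior average).
const demoAlerts = findAnomalies(SAMPLE_USAGE);
for (const a of demoAlerts) console.log(`${a.day}: ${a.total} tokens; ${a.reasons.join('; ')}`);
```

Run something like this daily against exported usage, and treat an alert as a cue to check the OpenClaw logs and conversations for the same day; if nothing in them explains the volume, revoke the key (Rule 1).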
Best practices summary
- API keys in environment variables, never in code
- allowedUsers always configured
- Local model for sensitive data
- Regular backups of ~/.openclaw/
- Update OpenClaw periodically
- Monitor token consumption
Key concepts today
- API keys: The most critical piece — protecting them is priority number one
- allowedUsers: Restricting access to the Telegram bot
- Local model: The safest solution for sensitive data
- Backups: Your configuration is worth hours of work
Next lesson: What now? — Next steps to keep learning.