Locking Down Your Moltbot

A practical security guide for AI assistants with shell access

Why Security Matters

Moltbot (formerly Clawdbot) gives your AI assistant real capabilities: it can execute shell commands, read and write files, send messages, and access network services. That's what makes it useful. It's also what makes security non-negotiable.

The good news? Moltbot has solid security primitives built in. The bad news? They're not all enabled by default, because the right configuration depends on your setup. This guide walks through practical hardening steps, from quick wins to deeper lockdown.

The Threat Model

Let's be honest about what we're dealing with:

The goal isn't perfect security (that doesn't exist). It's being deliberate about who can talk to your bot, where it can act, and what it can touch.

Step 1: Run a Security Audit

Start here. Always.

Basic Audit

clawdbot security audit

This flags common issues: open DM policies, exposed network surfaces, loose file permissions. For a deeper check:

Deep Audit

clawdbot security audit --deep

And to auto-fix safe issues:

Auto-fix

clawdbot security audit --fix

Step 2: Lock Down Channel Access

By default, Telegram uses "pairing" mode—unknown senders get a code and are ignored until you approve them. Good start, but you can go tighter.

Telegram Allowlist

To restrict DMs to only your Telegram user ID:

Config

{
  channels: {
    telegram: {
      dmPolicy: "allowlist",
      allowFrom: ["YOUR_TELEGRAM_USER_ID"]
    }
  }
}

Finding your Telegram user ID: DM @userinfobot on Telegram, or send a message to your bot and watch clawdbot logs --follow for the from.id field.

DM Policy Options

pairing - Require an approval code (default)
allowlist - Only allow specific user IDs
open - Allow anyone (use sparingly!)
disabled - Ignore DMs entirely

For groups, use groupPolicy: "allowlist" and requireMention: true to avoid your bot responding to every message.

Step 3: Fix File Permissions

Your Moltbot state directory contains config, credentials, and session transcripts. Lock it down:

Command

chmod 700 ~/.clawdbot

This ensures only your user account can read the contents. The security audit will warn you if permissions are too loose.

Step 4: Secure the Gateway

Bind to Loopback

By default, the gateway might bind to your LAN, making it accessible from other devices on your network. If you don't need that:

Config

{
  gateway: {
    bind: "loopback"
  }
}

Now the gateway only listens on localhost. But wait—how do you access it from other devices?

Set Up Tailscale Serve

Tailscale Serve lets you expose your localhost gateway securely over your Tailscale network with automatic HTTPS:

Command

tailscale serve --bg http://127.0.0.1:18789

You'll get a URL like https://your-machine.tailnet-name.ts.net/ that works from any device on your tailnet—with proper TLS, no port forwarding, no firewall holes.
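Before exposing anything through Tailscale, it is worth confirming that Steps 3 and 4 actually took effect. The following check is an added example, not part of Moltbot: it verifies the mode and owner of the state directory and parses `ss -ltn` output for the gateway port, assuming the default port 18789 shown above and a Linux host with iproute2.

```python
"""Added example, not Moltbot's own code: verify Steps 3 and 4 of this guide.
Checks that the state directory is mode 700 and owned by the current user, and
that the gateway port is bound only to loopback, judged from `ss -ltn` output."""
import os
import stat
import subprocess

STATE_DIR = os.path.expanduser("~/.clawdbot")
GATEWAY_PORT = 18789  # gateway port used in the tailscale serve command above
LOOPBACK = {"127.0.0.1", "[::1]"}  # `ss` prints IPv6 addresses in brackets


def state_dir_findings(path: str) -> list[str]:
    """Return findings for the state directory; an empty list means it is locked down."""
    st = os.stat(path)
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        findings.append(f"{path}: mode {mode:o}, expected 700 (run: chmod 700 {path})")
    if st.st_uid != os.getuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not by uid {os.getuid()}")
    return findings


def exposed_listeners(ss_output: str, port: int = GATEWAY_PORT) -> list[str]:
    """Parse `ss -ltn` text and return local addresses on `port` that are not loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        local = cols[3]  # Local Address:Port, e.g. 0.0.0.0:18789 or [::1]:18789
        host, sep, lport = local.rpartition(":")
        if sep and lport == str(port) and host not in LOOPBACK:
            exposed.append(local)
    return exposed


if __name__ == "__main__":
    for finding in state_dir_findings(STATE_DIR) if os.path.isdir(STATE_DIR) else [f"{STATE_DIR} missing"]:
        print("WARN", finding)
    try:
        ss = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        raise SystemExit("WARN could not run ss; listener check skipped")
    for addr in exposed_listeners(ss):
        print("WARN gateway reachable beyond loopback on", addr, '(set gateway.bind: "loopback")')
```

A wildcard listener such as 0.0.0.0:18789 or *:18789 is reported as exposed; only 127.0.0.1 and [::1] pass.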

Prerequisites:

Disable Insecure Auth

With Tailscale Serve handling HTTPS, you can disable the insecure auth fallback:

Config

{
  gateway: {
    controlUi: {
      allowInsecureAuth: false
    }
  }
}

Now the Control UI requires either localhost access or HTTPS with device pairing.

Device Pairing

When you first access the Control UI from a new device over HTTPS, you'll see "Pairing Required." Check pending requests and approve:

Commands

clawdbot devices list
clawdbot devices approve <request-id>

Step 5: Deeper Hardening (Optional)

Enable Sandboxing

Run tool commands in an isolated Docker container instead of directly on your host:

Config

{
  agents: {
    defaults: {
      sandbox: {
        mode: "all",
        scope: "agent",
        workspaceAccess: "rw"
      }
    }
  }
}

Options for workspaceAccess: "rw" (read-write), "ro" (read-only), "none" (no access).

Configure Exec Approvals

Require your approval before the AI runs shell commands. Open the Moltbot macOS app → Settings → Exec Approvals, or configure via ~/.clawdbot/exec-approvals.json:

Config

{
  "defaults": {
    "security": "allowlist",
    "ask": "on-miss",
    "askFallback": "deny"
  }
}

Tool Allow/Deny Lists

Restrict which tools your agent can use:

Deny dangerous tools

{
  agents: {
    defaults: {
      tools: {
        deny: ["exec", "browser", "gateway"]
      }
    }
  }
}
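The settings from Steps 2, 4 and 5 can be checked together before you run the built-in audit. The following lint is an added example, not Moltbot's own code: it assumes the config lives at ~/.clawdbot/clawdbot.json, and uses a small regex shim (an assumption, not a real JSON5 parser) to accept the unquoted keys shown in the snippets above.

```python
"""Added example, not Moltbot's own code: lint the settings this guide touches.
Reads the config file (path assumed), turns the JSON5-style unquoted keys shown
above into strict JSON with a small shim, and reports what is still loose."""
import json
import os
import re

CONFIG_PATH = os.path.expanduser("~/.clawdbot/clawdbot.json")  # assumed location


def json5_to_json(text: str) -> str:
    """Shim (an assumption, not a full JSON5 parser): drop // comments (clips
    URLs too), quote bare keys, remove trailing commas. Strict JSON passes through."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"(?<=[{,\s])([A-Za-z_]\w*)\s*:", r'"\1":', text)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def lint(cfg: dict) -> list[str]:
    """Findings keyed to Steps 2, 4 and 5 of this guide; empty means all tight."""
    out = []
    for name, ch in cfg.get("channels", {}).items():
        policy = ch.get("dmPolicy", "pairing")  # pairing is the documented default
        if policy == "open":
            out.append(f"channels.{name}.dmPolicy is open: anyone can DM the bot")
        if policy == "allowlist" and not ch.get("allowFrom"):
            out.append(f"channels.{name}: allowlist with empty allowFrom")
        if ch.get("groupPolicy") == "allowlist" and not ch.get("requireMention"):
            out.append(f"channels.{name}: groups without requireMention: true")
    gw = cfg.get("gateway", {})
    if gw.get("bind") != "loopback":
        out.append("gateway.bind is not loopback: reachable from the LAN")
    if gw.get("controlUi", {}).get("allowInsecureAuth") is not False:
        out.append("gateway.controlUi.allowInsecureAuth is not explicitly false")
    agent = cfg.get("agents", {}).get("defaults", {})
    if agent.get("sandbox", {}).get("mode") != "all":
        out.append("agents.defaults.sandbox.mode is not all: tools run on the host")
    if "exec" not in agent.get("tools", {}).get("deny", []):
        out.append("exec tool not denied: rely on exec approvals for shell commands")
    return out


if __name__ == "__main__":
    if not os.path.exists(CONFIG_PATH):
        raise SystemExit(f"{CONFIG_PATH} not found; adjust CONFIG_PATH")
    with open(CONFIG_PATH) as f:
        for finding in lint(json.loads(json5_to_json(f.read()))) or ["no findings"]:
            print(finding)
```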

Security Checklist

If Something Goes Wrong

  1. Stop the blast radius: Quit the app or stop the gateway process
  2. Lock down access: Set dmPolicy: "disabled" temporarily
  3. Rotate secrets: Gateway token, API keys, channel credentials
  4. Review logs: Check clawdbot logs and session transcripts
  5. Re-audit: Run clawdbot security audit --deep before bringing things back up

Final Thoughts

Security is a spectrum, not a checkbox. Start with the quick wins—they cover most real-world risks. Add deeper hardening as you get comfortable or if your threat model demands it.

The goal is to keep your AI assistant useful while making sure that if something goes wrong, the blast radius is contained.

Now go lock things down. Your future self will thank you. 🔒

Resources