OpenClaw config audit checklist

This is the fast version of what I look for in an OpenClaw audit. If you cannot answer each of these checks confidently, your setup probably has risk hiding in plain sight.

Secrets and exposure

  • API keys are not inline in openclaw.json and never end up committed to a repo, public or otherwise
  • Sensitive values load from a secrets provider or environment variables, not from config literals
  • Sensitive tool output is redacted before it reaches logs
  • The gateway listen address is chosen deliberately (loopback unless remote access is required), not exposed by accident

Permissions and blast radius

  • Destructive actions require explicit approval before they run
  • DM and group access are scoped intentionally, not open to anyone who can reach the bot
  • Agent roles are separated by capability, so one compromised agent does not hold every tool
  • Hooks or policies enforce rules in code, so they survive prompt drift

Spend and runaway protection

  • maxConcurrent is set for agents and subagents, so a runaway loop cannot fan out unbounded
  • Compaction thresholds are configured, so context does not grow until calls fail or costs spike
  • Cheap models handle heartbeats and other low-value work
  • Long-running tasks are tracked instead of disappearing into the void
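The secrets, gateway and maxConcurrent checks above are the ones a script can do for you. Below is an added example of such a script, not OpenClaw's own tooling: it walks an openclaw.json-style config, flags literal credentials (as opposed to environment or secrets-provider references), flags a gateway bound to every interface, and lists every agent or nested subagent without a maxConcurrent cap. The config layout it assumes (gateway.bind, providers.*.apiKey, agents[].maxConcurrent, agents[].subagents[]) and the sample config are constructed for the example; rename the keys to match your real schema before trusting the results.

```python
"""Static audit of an openclaw.json-style config.

Added example for this checklist, not OpenClaw's own tooling. The layout it
assumes (gateway.bind, providers.*.apiKey, agents[].maxConcurrent,
agents[].subagents[]) is a guess at the schema; rename the keys to match
your real openclaw.json before trusting the results.
"""
import re
from typing import Any, Iterator

# Constructed sample with the problems this checklist flags: a literal API
# key, a gateway bound to every interface, and agents without maxConcurrent.
SAMPLE_CONFIG: dict[str, Any] = {
    "gateway": {"bind": "0.0.0.0", "port": 8080},
    "providers": {
        "openai": {"apiKey": "sk-proj-" + "A" * 40},      # fake literal key: bad
        "anthropic": {"apiKey": "${ANTHROPIC_API_KEY}"},  # env reference: good
    },
    "agents": [
        {"name": "main", "maxConcurrent": 2},
        {"name": "researcher", "subagents": [{"name": "scraper"}]},
    ],
}

SECRET_KEY_RE = re.compile(r"api[_-]?key|token|secret|password", re.I)
# Values that are references to the environment or a secrets provider.
ENV_REF_RE = re.compile(r"^\$\{?[A-Z][A-Z0-9_]*\}?$")
# Common literal credential shapes, regardless of which key holds them.
LITERAL_SECRET_RE = re.compile(
    r"^(sk-[A-Za-z0-9_-]{20,}|ghp_[A-Za-z0-9]{30,}|xox[abp]-[A-Za-z0-9-]{10,})$"
)
WILDCARD_BINDS = {"0.0.0.0", "::", ""}
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost"}


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json-path, leaf value) for every leaf in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def check_inline_secrets(cfg: dict[str, Any]) -> list[str]:
    """Flag credential-looking strings that are not env/provider references."""
    findings = []
    for path, value in walk(cfg):
        if not isinstance(value, str) or ENV_REF_RE.match(value):
            continue
        key = path.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(key):
            findings.append(f"{path}: literal credential inline; load it from env or a secrets provider")
        elif LITERAL_SECRET_RE.match(value):
            findings.append(f"{path}: value looks like an API key")
    return findings


def check_gateway_bind(cfg: dict[str, Any]) -> list[str]:
    """Flag a gateway that listens on every interface or a non-loopback address."""
    bind = str(cfg.get("gateway", {}).get("bind", "127.0.0.1"))  # assumed default
    if bind in WILDCARD_BINDS:
        return [f"$.gateway.bind: {bind!r} listens on every interface; bind to loopback unless remote access is intended"]
    if bind not in LOOPBACK_BINDS:
        return [f"$.gateway.bind: {bind!r} is not loopback; confirm this exposure is deliberate"]
    return []


def check_max_concurrent(cfg: dict[str, Any]) -> list[str]:
    """Flag every agent or nested subagent with no maxConcurrent cap."""
    findings = []

    def visit(agent: dict[str, Any], path: str) -> None:
        if "maxConcurrent" not in agent:
            findings.append(f"{path}: maxConcurrent not set; a runaway loop can fan out unbounded")
        for i, sub in enumerate(agent.get("subagents", [])):
            visit(sub, f"{path}.subagents[{i}]")

    for i, agent in enumerate(cfg.get("agents", [])):
        visit(agent, f"$.agents[{i}]")
    return findings


def audit(cfg: dict[str, Any]) -> list[str]:
    """Run every check and return the combined findings, one line each."""
    return check_inline_secrets(cfg) + check_gateway_bind(cfg) + check_max_concurrent(cfg)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against `json.load(open("openclaw.json"))` instead of the sample. The credential regexes are deliberately conservative (known prefixes only); a high-entropy check would catch more but also flag hashes and IDs, which is the wrong trade for a script that should be safe to run in CI.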

Recovery and continuity

  • Sessions recover cleanly after a restart or compaction
  • Important events flush to persistent memory rather than living only in context
  • Operational files like AGENTS.md and HEARTBEAT.md exist and are kept useful
  • Async work has a known path to push its completion back to the agent

Want me to run this on your actual setup?

Email your config (with API keys and other secrets redacted first) and I will turn this checklist into a written audit with findings, priorities, and specific fixes.

Get your free OpenClaw audit