An AI agent with tools is not just a chatbot. It is software that can read files, call APIs, open browsers, send messages, create documents, change settings, and trigger scheduled work. That makes it useful. It also makes it dangerous when the permissions are too broad.
The fastest way to make an agent unsafe is to give it a pile of API keys and a vague instruction like "help with operations." The agent may be smart, but the security model is now mostly hope.
Private AI agent security starts with a different assumption: every tool is a capability, every capability needs a boundary, and every boundary needs proof. OpenClaw is designed for this kind of work because it can run inside a local workspace, use explicit skills, follow scoped instructions, and keep evidence of what happened.
This guide explains how to design API key security and tool permissions for private AI agents without making the system so locked down that it becomes useless.
Start with a capability inventory
Before assigning permissions, list what the agent can actually do.
A practical capability inventory includes:
- File read access
- File write access
- Shell commands
- Browser automation
- Email or messaging tools
- Calendar access
- GitHub access
- Google Drive access
- Analytics access
- Payment or billing systems
- Deployment tools
- DNS or hosting tools
- Database access
- CRM or support inbox access
- Scheduled jobs
Most teams skip this step because each integration feels harmless on its own. The risk comes from the combination. An agent that can read a private document, summarize it, and send a message has an exfiltration path. An agent that can edit files and deploy production has a release path. An agent that can access billing and email has a financial fraud path.
Write the inventory down. If a tool is not in the inventory, the agent should not be able to use it.
Sort tools by risk level
Not every tool needs the same approval model.
Use four risk levels:
Level 1: Read-only public data
Level 2: Read-only private data
Level 3: Write actions inside a private workspace
Level 4: External, irreversible, financial, public, or production actions
Examples:
- Fetching a public webpage is Level 1.
- Reading a private project note is Level 2.
- Saving a draft report locally is Level 3.
- Sending an email, changing DNS, publishing a page, creating a charge, or deleting a database row is Level 4.
The policy should become stricter as the level rises. Level 1 can often run freely. Level 2 needs source boundaries. Level 3 needs proof logs. Level 4 needs human approval unless the action is narrow, repeatable, and explicitly pre-approved.
Separate secrets from instructions
Do not put API keys inside prompts, skills, markdown notes, task files, or chat messages. A prompt is not a secret store.
Secrets should live in a dedicated secret manager, environment variable store, encrypted local config, or platform-managed connector. The agent should know which capability exists, not the raw key value.
Bad pattern:
Use this API key: sk_live_...
Better pattern:
The agent may call the analytics connector for read-only traffic summaries.
The connector owns authentication.
The agent must not print, copy, or persist credential values.
This separation matters because agent context gets copied, summarized, logged, and inspected. A raw key in a prompt can end up in a proof file, a debugging note, or a follow-up message.
Use least privilege for every key
API keys should be scoped to the smallest useful action.
For a private reporting agent, the analytics key should be read-only. It should not manage users, change tracking settings, or delete properties.
For a GitHub triage agent, the first version should read issues and pull requests. Writing comments, assigning labels, or closing issues can come later.
For a deployment agent, a preview-deploy token is safer than a production-deploy token. If production deploy is needed, require a human gate or a narrow pre-approved release path.
Ask three questions for every key:
- What exact action does this key allow?
- What is the worst thing that happens if the agent misuses it?
- Can the key be replaced with a narrower one?
If the answer to the third question is yes, narrow it.
Give each agent its own credentials
Shared credentials make audit trails weak. If a human, cron job, and AI agent all use the same API key, you cannot easily tell who did what.
Create agent-specific credentials when the platform supports it. Name them clearly:
openclaw-reporting-agent-readonly
openclaw-github-triage-readonly
openclaw-deploy-agent-preview
This gives you three benefits:
- Easier revocation
- Cleaner logs
- Smaller blast radius
If an agent behaves incorrectly, disable its key without breaking the human workflow.
Design tool permission files
OpenClaw workflows should have permissions written in the workspace, near the relevant skill or runbook.
For example:
permissions/reporting-agent.md
A useful permission file includes:
Purpose:
Allowed tools:
Allowed paths:
Allowed accounts:
Allowed read actions:
Allowed write actions:
Approval required:
Never allowed:
Proof required:
Owner:
Review date:
This document is not bureaucracy. It is how the agent knows the difference between "summarize analytics" and "change analytics settings." It is also how a future operator can understand why the agent has a certain connector.
Use path boundaries for local files
File access is one of the most underestimated risks in private agent systems.
If the agent can read the entire machine, it can accidentally pull context from the wrong project. If it can write anywhere, a simple task can damage unrelated files.
A safer rule is:
Read only the workspace folder for the current task.
Write only to approved output folders.
Never read secrets, browser profiles, unrelated workspaces, or personal folders.
For a reporting agent:
May read:
- reports/input/
- reports/templates/
- data/approved-snapshots/
May write:
- reports/drafts/
- reports/proof/
Must not read:
- secrets/
- billing/
- unrelated-client-folders/
- browser-profile-data/
This looks simple. It prevents many mistakes.
Put approval gates in front of external actions
External actions deserve a higher standard because they leave the machine.
Require approval before:
- Sending email
- Sending chat messages
- Publishing blog posts
- Deploying production
- Changing DNS
- Editing customer records
- Charging cards
- Creating public tickets
- Posting to social media
- Sharing files
- Deleting records
Approval should include the exact proposed action, target, content, and reason.
For example:
Proposed action: send Telegram alert
Recipient: operations owner
Message: weekly health check found homepage 404
Reason: critical monitoring rule
Proof: curl returned HTTP 404 at 08:00
The human should not have to inspect a vague "approve notification" request. The request should be specific enough to accept or reject quickly.
Log every tool action that matters
Private agents become trustworthy when their work is inspectable.
For each meaningful run, log:
- Timestamp
- Agent or skill name
- Input source
- Tools used
- Files read
- Files written
- External actions taken
- Approval status
- Result
- Proof links
- Next check date if relevant
The log can be a local markdown file. It does not need to be complex. It does need to exist.
A minimal proof block:
## Proof
- Tool used: analytics read-only connector
- Source: property traffic summary, last 7 days
- File written: reports/drafts/weekly-traffic-2026-07-06.md
- External actions: none
- Approval required: no
- Result: draft created
If the agent cannot prove what it did, do not treat the work as complete.
Rotate keys and remove stale access
AI agent systems tend to accumulate access. A test connector stays connected. A temporary key never gets deleted. A skill that was used once still has write access six months later.
Add a recurring access review.
Monthly is enough for small teams:
Review all agent API keys.
Disable unused keys.
Confirm owners.
Confirm scopes.
Check last-used dates.
Rotate high-risk keys.
Update permission files.
The review itself can be an OpenClaw checklist. The agent can list known credentials and permissions, but a human should approve removals or rotations for critical systems.
Avoid secret leakage in outputs
Agents often leak sensitive data indirectly. They may not print an API key, but they might quote a private document, include a client name in a public draft, or paste a webhook URL into a status note.
Add an output safety check before any external message:
Before sending or publishing, check for:
- API keys
- Tokens
- Passwords
- Webhook URLs
- Private customer names where not expected
- Internal-only URLs
- Personal data
- Payment details
- Raw transcript excerpts
For high-risk outputs, the agent should create a draft and ask for review. Speed is useful. Silent leakage is expensive.
Use different modes for different work
One agent does not need every permission all the time.
Separate modes reduce risk:
- Research mode: read public web, save notes
- Draft mode: read approved context, write drafts
- Review mode: compare output against policy, no external actions
- Notify mode: send narrow pre-approved alerts
- Deploy mode: run controlled deployment steps with proof
Each mode gets its own tool set. A research task should not have deployment credentials. A reporting task should not have DNS access. A meeting notes task should not have billing access.
This is easier to enforce when each OpenClaw skill states its allowed tools and paths.
A safe first permission model
For a new private AI agent, start with this:
Allowed:
- Read task-specific workspace files
- Read public URLs
- Write drafts and proof logs
- Use read-only connectors
Approval required:
- Any message to a person
- Any file shared outside the workspace
- Any production deploy
- Any write through third-party APIs
- Any task assignment to another human
Never allowed:
- Print secrets
- Read unrelated workspaces
- Delete production data
- Change billing or payment settings
- Modify DNS
- Use personal browser profiles without explicit approval
This gives the agent enough room to be useful while keeping the dangerous actions visible.
What OpenClaw adds
OpenClaw is useful for private agent security because it encourages operational structure:
- Skills describe repeatable workflows.
- Workspaces define local context.
- Scheduled jobs can run bounded checks.
- Tools can be called with explicit intent.
- Proof files can document results.
- Human approval can sit in front of risky actions.
The security model is not magic. It is clarity repeated across every workflow.
The agent should know what it may read, what it may write, what it may send, what it must ask about, and how to prove what happened.
Final rule
Treat every API key as a delegated authority, not a convenience string.
If a human would need permission to take an action, the agent needs a permission rule too. If the action affects another person, a public system, production infrastructure, money, customer data, or legal risk, add an approval gate.
Private AI agents are most valuable when they can be trusted with real work. Trust does not come from a better prompt. It comes from narrow keys, scoped tools, explicit policies, human gates, and logs that survive the run.
That is the difference between an agent that merely can do things and an agent you can safely let into the operating system of a business.