Security

SECURITY.md

Security Notes

1) Never commit secrets

Do NOT commit any of these:

Telegram bot token
API keys
Personal chat exports

Use environment variables or local config files excluded by .gitignore.

2) Token hygiene

If token was exposed in chat/logs, revoke immediately via @BotFather (/revoke)
Rotate tokens periodically
Use one bot token for one production pipeline

3) Single consumer rule (critical)

For a Telegram bot token, run only ONE update consumer:

either OpenClaw
or a standalone polling/webhook bot

Running both leads to 409 Conflict and possible message loss.

4) Least privilege

Keep OpenClaw tool permissions minimal
Avoid giving broad sudo unless required
Separate high-risk automation into dedicated agents

5) Privacy

Voice notes may contain sensitive data. Decide retention policy:

Keep minimal logs
Delete temp audio files after processing if required by your compliance policy

There aren’t any published security advisories