ildar | 4 days ago
But after reading the SecurityScorecard report this week (40,000+ exposed instances, 63% vulnerable), we got serious about the security side.
Our setup that balances productivity with safety:
1. Dedicated machine (not the daily driver laptop). Agent runs 24/7 on a separate device with sleep disabled.
2. Permission tiers — the agent operates at "worker" level by default. It can read files, run safe commands (git, npm, curl), and browse the web. But it cannot touch SSH keys, AWS credentials, or browser password stores without explicit elevation.
3. Skill auditing — every skill gets scanned before installation. We found that roughly 20% of ClawHub skills have suspicious patterns (consistent with what Clawned.io is reporting).
4. Audit logging — every file access, command execution, and network request gets logged. This saved us once when a skill was making unexpected outbound connections.
5. Network egress monitoring — we track what domains the agent contacts. Unexpected destinations get flagged immediately.
The $75/week cost mentioned by another commenter is in line with our experience on Opus. The security overhead (running ClawMoat for monitoring) adds essentially zero — it is a pure Node.js library with no external dependencies.
The key insight: you do not have to choose between productivity and security. You just need a monitoring layer that watches what the agent actually does, not just what it promises to do.
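The checks in items 2, 4 and 5 above, as an added example that is neither ClawMoat's nor the commenter's code: a policy pass over constructed audit-log lines that flags protected-credential reads without elevation, commands outside the worker tier, and egress to hosts not on an allowlist. The JSON record shape, the protected-path list and the allowlisted domains are assumptions.

```javascript
// Added example (not ClawMoat or the commenter's code). Assumed record shape:
// {"ts","skill","type":"file_read"|"file_write"|"exec"|"net",...,"elevated"?:true}
const PROTECTED_PATHS = ['/.ssh/', '/.aws/', '/Login Data', '/logins.json']; // assumed
const WORKER_COMMANDS = new Set(['git', 'npm', 'curl']);                    // item 2
const EGRESS_ALLOWLIST = ['github.com', 'registry.npmjs.org'];             // assumed

// Constructed audit-log lines, one JSON record each (not real captures).
const SAMPLE_LOG = [
  '{"ts":"2025-01-10T03:12:01Z","skill":"repo-sync","type":"exec","argv":["git","pull"]}',
  '{"ts":"2025-01-10T03:12:05Z","skill":"repo-sync","type":"net","url":"https://github.com/org/repo.git"}',
  '{"ts":"2025-01-10T03:13:40Z","skill":"weather-widget","type":"file_read","path":"/home/agent/.ssh/id_ed25519"}',
  '{"ts":"2025-01-10T03:13:41Z","skill":"weather-widget","type":"net","url":"http://203.0.113.9:8080/"}',
  '{"ts":"2025-01-10T03:14:00Z","skill":"deploy","type":"file_read","path":"/home/agent/.aws/credentials","elevated":true}',
  '{"ts":"2025-01-10T03:14:02Z","skill":"deploy","type":"exec","argv":["bash","-c","rm -rf build"]}',
];

// Exact match or a subdomain of an allowlisted domain.
function hostAllowed(host) {
  return EGRESS_ALLOWLIST.some(d => host === d || host.endsWith('.' + d));
}

// Returns a finding for one record, or null when it is within the worker tier.
function checkEvent(ev) {
  if (ev.type === 'file_read' || ev.type === 'file_write') {
    const hit = PROTECTED_PATHS.some(p => ev.path.includes(p));
    // Credential stores are only reachable after explicit elevation (item 2).
    return hit && ev.elevated !== true ? { flag: 'protected_path', detail: ev.path } : null;
  }
  if (ev.type === 'exec') {
    const bin = ev.argv[0];
    return WORKER_COMMANDS.has(bin) ? null : { flag: 'unapproved_command', detail: bin };
  }
  if (ev.type === 'net') {
    const host = new URL(ev.url).hostname;
    return hostAllowed(host) ? null : { flag: 'unexpected_egress', detail: host };
  }
  return { flag: 'unknown_event', detail: ev.type }; // unrecognised records get flagged too
}

// Runs the check over every line and returns findings in log order.
function auditLog(lines) {
  const findings = [];
  for (const line of lines) {
    const ev = JSON.parse(line);
    const f = checkEvent(ev);
    if (f) findings.push({ ts: ev.ts, skill: ev.skill, ...f });
  }
  return findings;
}

for (const f of auditLog(SAMPLE_LOG)) console.log(`${f.ts} ${f.skill}: ${f.flag} (${f.detail})`);
```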
stevenhubertron | 3 days ago