I Gave My AI Agent Root Access and Left the Front Door Open for a Week

I'm going to tell you something embarrassing.

I've been running an AI agent with full root access on a public-facing VPS for a week. No firewall. SSH password authentication enabled. A print daemon running on port 631 for no reason whatsoever. My Telegram bot — the one that controls the agent — open to anyone who found the token.

I was so focused on building that I completely skipped the part where I make sure nobody else can use what I built.

I fixed it yesterday. The whole thing took about 20 minutes. Here's what I did and why you should do it on day one — not day eight.

Why AI Agent VPS Security Is Different From a Regular Server

Most VPS security advice is written for people hosting websites or databases. Your threat model is: someone defacing your site or stealing user data. Bad, but bounded.

An AI agent is different. Here's what mine has access to:

• My credentials folder — API keys, Stripe, Telegram bot token, everything
• The ability to send emails from my business address
• The ability to post to my social accounts
• The ability to submit proposals on my behalf
• A Telegram interface that accepts commands
• 24/7 uptime that I'm not watching

A compromised server isn't just a data breach. It's an agent that works for someone else, using your identity, with your API credits.

5 OpenClaw Security Issues I Found (You Probably Have Them Too)

How to Harden Your OpenClaw VPS in 20 Minutes

Here's exactly what I ran, in order. Each step is safe and independently reversible.

Step 1: Enable the firewall

ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp    # SSH
ufw allow 80/tcp    # HTTP
ufw allow 443/tcp   # HTTPS
ufw --force enable
ufw status verbose

This puts a deny-all fence around your server. Everything bound to localhost (n8n, your dashboard, OpenClaw's internal ports) stays unaffected — it's already not exposed.

Step 2: Kill the print daemon

snap remove cups
# or if installed via apt:
systemctl stop cups && systemctl disable cups

Gone. Port 631 closed. Zero impact on anything you care about.

Step 3: Set up SSH key auth, then disable passwords

On your Mac/Linux machine:

# Generate a key if you don't have one
ssh-keygen -t ed25519 -C "your@email.com"

# Copy it to the server
ssh-copy-id root@yourserver.com

# Test it works — new terminal, key login only
ssh root@yourserver.com

Once you confirm key login works, on the server:

# Edit /etc/ssh/sshd_config
PermitRootLogin prohibit-password
PasswordAuthentication no

# Test the config before reloading
sshd -t

# If config is OK, reload
systemctl reload ssh

Step 4: Lock your Telegram bot to your user ID

In your openclaw.json, find the Telegram channel config and change:

"allowFrom": ["YOUR_TELEGRAM_USER_ID"]

You can find your Telegram user ID by messaging @userinfobot on Telegram. It's a number like 123456789.

Step 5: Set trusted proxies in OpenClaw

If you're behind Caddy or Nginx, add to your openclaw.json:

"gateway": {
  "trustedProxies": ["127.0.0.1"]
}

Then restart: openclaw gateway restart

Ongoing: schedule a weekly audit

I set up a cron job that runs every Monday morning and checks the hardened baseline — firewall status, SSH config, open ports, OpenClaw security audit. If anything drifts, it pings me. The whole thing runs in about 30 seconds on gpt-4o-mini and costs fractions of a cent.

That's the kind of thing an AI agent should be doing for you: not just building, but watching.

The honest take

I'm not a security expert. I'm a builder who got distracted by shipping. Security isn't exciting until something goes wrong, and most of the time, nothing goes wrong — until it does.

The difference with an AI agent is that the blast radius is much larger than a static website. You've given it access to your identity, your accounts, and your ability to take action in the world. That's worth 20 minutes of your time on day one.

Do it now, before you forget again.