Chapter 5

⚠️ Safe Lobster Keeping Guide

Three Principles of Safe Lobster Keeping

- 🔐 Key Security: keep API keys private; never put them in public repos.
- 🛡️ Least Privilege: only grant what is needed; confirm high-risk actions.
- 👀 Regular Audits: review logs and behavior; trust but verify.

Responsible lobster keeping: safety first.

Lobsters are powerful — and with great power comes great responsibility. Here are hard-won lessons from Small Fire Dragon Lab:

🔐 Rule 1: Protect Your Keys

API keys, SSH keys, Bot tokens — these are the lobster's master keys. If they leak, your front door is wide open. Never put them in public repos, screenshots, or group chats.
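A small scanner you can run over files before they leave your machine, added here as an example (it is not code from this guide or from the OpenClaw project): it flags lines that look like an AWS access key id, an SSH/PEM private key header, or a "key = value" style API key or bot token, and prints only a redacted preview so the report itself never reproduces the secret. The AWS key and PEM header formats are public; the generic "name = long token" pattern and the script name in the comment are assumptions for this example.

```python
import re
import sys

# Shapes of credentials that should never reach a repo, screenshot or chat.
# The AWS access key id and PEM header formats are public; the generic
# "name = value" pattern is a heuristic assumption for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|bot[_-]?token|token|secret)\b['\"]?\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-]{20,})"),
}


def redact(line):
    """Keep the first four characters of any long token so a finding is
    recognisable without the report reproducing the secret."""
    return re.sub(r"[A-Za-z0-9_\-]{20,}", lambda m: m.group(0)[:4] + "...", line)


def scan_text(text, source="<text>"):
    """Return one finding per (line, pattern) hit; previews are redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "preview": redact(line)})
    return findings


def scan_files(paths):
    """Scan each readable file; unreadable paths are reported and skipped."""
    findings = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as f:
                findings.extend(scan_text(f.read(), source=p))
        except OSError as e:
            print(f"skip {p}: {e}", file=sys.stderr)
    return findings


if __name__ == "__main__":
    # Typical use from a pre-commit hook (script name is an assumption):
    #   git diff --cached --name-only -z | xargs -0 python secret_scan.py
    hits = scan_files(sys.argv[1:])
    for h in hits:
        print(f"{h['source']}:{h['line']}: possible {h['kind']}: {h['preview']}")
    sys.exit(1 if hits else 0)
```

A non-zero exit code is what makes this useful as a hook: the commit stops until the key is moved out of the file. Treat the patterns as a floor, not a ceiling; anything that is a secret in your setup deserves its own entry.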

🛡️ Rule 2: Least Privilege

Only grant the permissions your lobster actually needs. If it does not need to delete files, don't give it delete access. Back up config files before any changes. High-risk actions (sending emails, deleting data, changing configs) should require confirmation.

👀 Rule 3: Trust but Verify

Regularly review your lobster's logs and behavior. It will make mistakes — the key is catching them early, fixing fast, and preventing recurrence.
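Rules 2 and 3 together, as an added example rather than code from this guide or from OpenClaw: every tool call goes through one gate that checks a least-privilege policy, asks a human before high-risk actions, and writes every decision to an audit log that a review function then summarises. The tool names, the policy layout and the log format are assumptions for this example; OpenClaw's own permission schema is not assumed.

```python
import json
import time
from collections import Counter

# Example policy for a lobster's tools. Tool names are hypothetical; OpenClaw's
# own tool and permission schema is not assumed here.
POLICY = {
    "read_file":   {"allowed": True,  "confirm": False},
    "write_file":  {"allowed": True,  "confirm": False},
    "send_email":  {"allowed": True,  "confirm": True},   # high-risk: ask first
    "edit_config": {"allowed": True,  "confirm": True},   # high-risk: ask first
    "delete_file": {"allowed": False, "confirm": True},   # not needed: never granted
}


class Denied(Exception):
    pass


class ToolGate:
    """Every tool call passes through run(): policy check, optional human
    confirmation, then execution. Each decision is appended to the audit log."""

    def __init__(self, policy, confirm, log):
        self.policy = policy      # tool name -> {"allowed", "confirm"}
        self.confirm = confirm    # callable(tool, args) -> bool, asks the human
        self.log = log            # list of JSON lines; an append-only file in real use

    def run(self, tool, args, action):
        entry = {"ts": time.time(), "tool": tool, "args": args}
        rule = self.policy.get(tool)
        if rule is None or not rule["allowed"]:
            self._record(entry, "denied")
            raise Denied(f"{tool}: not granted by policy")
        if rule["confirm"] and not self.confirm(tool, args):
            self._record(entry, "declined")
            raise Denied(f"{tool}: human declined confirmation")
        result = action(**args)
        self._record(entry, "executed")
        return result

    def _record(self, entry, decision):
        self.log.append(json.dumps({**entry, "decision": decision}))


def review_log(lines):
    """Rule 3 in code: count what the lobster tried and flag anything it
    attempted without permission or without a human's go-ahead."""
    counts = Counter()
    attention = []
    for line in lines:
        e = json.loads(line)
        counts[e["decision"]] += 1
        if e["decision"] in ("denied", "declined"):
            attention.append((e["tool"], e["decision"]))
    return {"counts": dict(counts), "needs_attention": attention}


def demo():
    """Constructed run: a human who says no to everything risky."""
    log = []
    gate = ToolGate(POLICY, confirm=lambda tool, args: False, log=log)
    outcomes = {}
    calls = [
        ("read_file",   {"path": "notes.txt"},       lambda path: f"contents of {path}"),
        ("send_email",  {"to": "boss@example.com"},  lambda to: f"sent to {to}"),
        ("delete_file", {"path": "openclaw.json"},   lambda path: f"deleted {path}"),
    ]
    for tool, args, action in calls:
        try:
            outcomes[tool] = gate.run(tool, args, action)
        except Denied as e:
            outcomes[tool] = str(e)
    return outcomes, review_log(log)


if __name__ == "__main__":
    outcomes, summary = demo()
    print(json.dumps(outcomes, indent=2))
    print(json.dumps(summary, indent=2))
```

The point of recording denied and declined attempts, not just successful calls, is that a lobster repeatedly reaching for a tool it was never granted is exactly the early signal Rule 3 asks you to catch.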

💡 Rule 4: Backups Are Your Lifeline

openclaw.json is critical! Always back it up before changes. We learned this the hard way. Use trash instead of rm: recoverable is always better than gone.
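The backup habit in code, added as an example (not from this guide or the OpenClaw project): a timestamped copy is taken before any edit, the new JSON is checked for parseability before it replaces the original, and a trash() helper moves files aside instead of unlinking them. The backups directory name, the .bak suffix and the demo values are assumptions for this example.

```python
import json
import shutil
import tempfile
import time
from pathlib import Path


def backup_config(path, backup_dir=None):
    """Copy the config to a timestamped .bak before anything touches it."""
    path = Path(path)
    backup_dir = Path(backup_dir) if backup_dir else path.parent / "backups"
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    dest = backup_dir / f"{path.name}.{stamp}.bak"
    n = 1
    while dest.exists():                      # two edits in the same second
        dest = backup_dir / f"{path.name}.{stamp}-{n}.bak"
        n += 1
    shutil.copy2(path, dest)
    return dest


def update_config(path, changes):
    """Back up, merge, and check the result parses before replacing the file."""
    path = Path(path)
    backup = backup_config(path)
    data = json.loads(path.read_text(encoding="utf-8"))
    data.update(changes)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(data, indent=2), encoding="utf-8")
    json.loads(tmp.read_text(encoding="utf-8"))  # refuse to install unparsable JSON
    tmp.replace(path)                             # atomic rename on POSIX
    return backup


def trash(path, trash_dir):
    """Move instead of unlinking: recoverable beats gone."""
    path, trash_dir = Path(path), Path(trash_dir)
    trash_dir.mkdir(parents=True, exist_ok=True)
    dest = trash_dir / path.name
    n = 1
    while dest.exists():                      # keep earlier trashed copies too
        dest = trash_dir / f"{path.name}.{n}"
        n += 1
    shutil.move(str(path), str(dest))
    return dest


def demo():
    """Constructed walkthrough in a temporary directory."""
    work = Path(tempfile.mkdtemp(prefix="lobster-"))
    cfg = work / "openclaw.json"
    cfg.write_text(json.dumps({"name": "lobster", "model": "constructed-model"}),
                   encoding="utf-8")
    backup = update_config(cfg, {"model": "new-model"})
    scratch = work / "scratch.txt"
    scratch.write_text("draft", encoding="utf-8")
    trashed = trash(scratch, work / ".trash")
    return {
        "config": json.loads(cfg.read_text(encoding="utf-8")),
        "backup": json.loads(backup.read_text(encoding="utf-8")),
        "scratch_exists": scratch.exists(),
        "trashed_exists": trashed.exists(),
        "trashed_contents": trashed.read_text(encoding="utf-8"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Writing to a temporary file and renaming it over the original means a crash mid-write leaves you with either the old config or the new one, never a half-written openclaw.json; the timestamped backup covers the case where the new config is valid JSON but the wrong settings.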

🦞 Responsible Lobster Code: Don't use lobsters for illegal activity, don't attack other systems, don't expose private data, don't abuse APIs. Lobsters are tools — use them for good.