Security

Configure sender controls, folder policy, and network guard in Msty Claw

Security in Claw is practical and layered: control who can trigger bots, what files they can access, and where they can connect. The goal is safe execution without blocking useful work.

Open Settings > Security to configure baseline controls.

Security model at a glance

Use these controls together:

  • Sender Groups: who can invoke bots and channel presets
  • Allowed Folders: where bots can read/write
  • Blocked Patterns: sensitive paths blocked even inside allowed roots
  • Network Guard: outbound network restrictions
  • Approvals: confirmation checkpoints for higher-risk actions

Sender controls

Use Sender Groups to define who can run what.

  • Create reusable groups (team, service users, trusted operators)
  • Assign groups to bots and channel presets
  • Use Anyone only for intentionally open contexts

Guidance:

  • Keep production bots restricted by default
  • Avoid reusing wide-open groups on privileged bots

Folder policy

Use Allowed Folders and Blocked Patterns together.

  • Allowed roots define bot operating boundaries
  • Each root can be read/write or read-only
  • Blocked patterns protect sensitive material inside allowed roots

Common blocked patterns include:

  • .ssh
  • .gnupg
  • .aws
  • .env
  • credentials
  • private_key
  • id_rsa
  • id_ed25519

Guidance:

  • Start with project-specific roots, not broad home-directory roots
  • Prefer read-only access for reference sources
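The following is an added illustration of the folder policy model described above (allowed roots with a read/write or read-only mode, plus blocked patterns that apply even inside allowed roots). It is not Msty Claw's own code; the root paths, the evaluation order, and the substring matching of patterns against path components are assumptions made for the example, not a description of how Claw implements the policy internally.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowedRoot:
    path: str
    mode: str  # "rw" (read/write) or "ro" (read-only)


# Constructed policy for the example: project-specific roots rather than a
# broad home-directory root, as the guidance above recommends.
ALLOWED_ROOTS = (
    AllowedRoot("/work/projects/site", "rw"),
    AllowedRoot("/work/docs", "ro"),
)

# The common blocked patterns listed on the page. Assumption for this example:
# a pattern matches when it appears (case-insensitively) in any path component,
# so ".env" also catches ".env.local" and "credentials" catches "credentials.json".
BLOCKED_PATTERNS = (".ssh", ".gnupg", ".aws", ".env", "credentials",
                    "private_key", "id_rsa", "id_ed25519")


def check_access(path: str, op: str, roots=ALLOWED_ROOTS,
                 blocked=BLOCKED_PATTERNS) -> tuple[bool, str]:
    """Decide whether a bot may perform `op` ("read" or "write") on `path`.

    Returns (allowed, reason). Evaluation order:
      1. reject relative paths (they have no unambiguous root),
      2. lexically normalize the path so "../" cannot escape a root,
      3. blocked patterns win over allowed roots,
      4. the path must sit under some allowed root, and writes need "rw".
    Normalization here is lexical only; a real enforcer should also resolve
    symlinks, which this offline example deliberately does not do.
    """
    if op not in ("read", "write"):
        raise ValueError("op must be 'read' or 'write'")

    norm = posixpath.normpath(path)
    if not posixpath.isabs(norm):
        return False, "relative paths are rejected; pass an absolute path"

    # Blocked patterns are checked first so they apply inside allowed roots too.
    for component in norm.split("/"):
        lowered = component.lower()
        for pattern in blocked:
            if pattern.lower() in lowered:
                return False, f"blocked pattern {pattern!r} matched {component!r}"

    for root in roots:
        root_norm = posixpath.normpath(root.path)
        # Require a directory boundary: "/work/docs" must not match "/work/docs-private".
        if norm == root_norm or norm.startswith(root_norm + "/"):
            if op == "write" and root.mode == "ro":
                return False, f"{root.path} is read-only"
            return True, f"inside {root.path} ({root.mode})"

    return False, "outside all allowed roots"


if __name__ == "__main__":
    # Constructed requests a bot might make; shows how each layer decides.
    for p, op in [
        ("/work/projects/site/src/app.py", "write"),
        ("/work/projects/site/../../../etc/passwd", "read"),
        ("/work/projects/site/.env", "read"),
        ("/work/docs/guide.md", "write"),
        ("/work/docs-private/notes.md", "read"),
    ]:
        allowed, reason = check_access(p, op)
        print(f"{op:5} {p:45} -> {'ALLOW' if allowed else 'DENY ':5} ({reason})")
```

The two details worth copying into any policy enforcer are the order (blocked patterns before allowed roots, so an allowed root never re-opens `.ssh`) and the trailing-slash check on the root prefix, which stops a sibling directory that merely shares a name prefix from being treated as inside the root.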

Network Guard

Available presets:

  • Recommended
  • Privacy
  • Strict
  • Approved Only

You can also define custom allow/deny hosts for finer control.

Guidance:

  • Start with Recommended
  • Move to stricter presets for sensitive automations
  • Treat Approved Only as production-hardened mode
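As an added example (not Msty Claw's own code), the block below models the custom allow/deny host lists described above on top of a preset's default posture. The preset definitions, the `*.` wildcard syntax, and the rule that deny entries take precedence over allow entries are assumptions for this illustration; Claw's actual preset contents are not documented on this page.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class NetworkGuard:
    """Outbound host policy: explicit deny, then explicit allow, then the preset default."""
    default_allow: bool          # True: allow unless denied; False: deny unless allowed
    allow: tuple[str, ...] = ()  # exact hosts or "*.example.com" style wildcards
    deny: tuple[str, ...] = ()

    @staticmethod
    def _norm_host(host: str) -> str:
        # Hostnames are case-insensitive and a trailing dot is the same name.
        return host.rstrip(".").lower()

    def _matches(self, host: str, pattern: str) -> bool:
        pattern = self._norm_host(pattern)
        if pattern.startswith("*."):
            # "*.example.com" matches subdomains only; the apex must be listed separately.
            return host.endswith(pattern[1:])
        return host == pattern

    def decide(self, url: str) -> tuple[bool, str]:
        """Return (allowed, reason) for an outbound request to `url`."""
        # Match on the parsed hostname, never on a substring of the URL:
        # "https://api.example.com@evil.test/" has hostname evil.test.
        host = urlsplit(url).hostname
        if not host:
            return False, "no hostname in URL"
        host = self._norm_host(host)
        for pattern in self.deny:
            if self._matches(host, pattern):
                return False, f"denied by {pattern}"
        for pattern in self.allow:
            if self._matches(host, pattern):
                return True, f"allowed by {pattern}"
        if self.default_allow:
            return True, "no rule matched; preset allows by default"
        return False, "no rule matched; preset denies by default"


# Constructed presets for the example. A permissive default with a deny list
# stands in for "Recommended"; deny-by-default with an explicit allow list
# stands in for "Approved Only".
RECOMMENDED = NetworkGuard(
    default_allow=True,
    deny=("*.internal.example", "metadata.example"),
)
APPROVED_ONLY = NetworkGuard(
    default_allow=False,
    allow=("api.example.com", "*.cdn.example.com"),
)


if __name__ == "__main__":
    for guard_name, guard in (("recommended", RECOMMENDED), ("approved_only", APPROVED_ONLY)):
        for url in ("https://api.example.com/v1",
                    "https://api.example.com.attacker.test/",
                    "https://api.example.com@evil.test/",
                    "https://db.internal.example/"):
            allowed, reason = guard.decide(url)
            print(f"{guard_name:13} {url:45} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The deny-before-allow order is what lets a custom deny entry override a broad wildcard allow; evaluating in the other order would silently re-open anything the wildcard covers.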

Approval model

Claw can request approvals for sensitive actions. Keep approvals enabled until policies are stable and tested under real workflows.

Useful operator loop:

  1. Review approval prompts during rollout
  2. Adjust bot scope and permissions
  3. Re-run and confirm fewer unnecessary prompts

Practical security baseline

  1. Restrict sender groups before enabling shared channels
  2. Limit each bot to project-specific folders
  3. Add organization-specific sensitive patterns to the blocklist
  4. Use a conservative Network Guard preset for production bots
  5. Keep approval prompts on for high-risk capabilities