Moltbot Security Best Practices: Protecting Your Personal AI Assistant

Why Security Matters for AI Assistants

Moltbot is powerful because it can execute actions on your behalf—run commands, access files, send emails, and interact with APIs. This power requires responsibility. A compromised AI assistant could potentially access sensitive data or execute malicious commands.

This guide covers essential security practices to keep your Moltbot installation secure.

Core Security Principles

1. Principle of Least Privilege

Only grant Moltbot the minimum permissions needed to perform its tasks.

Bad Practice:

# Running Moltbot as root - DON'T DO THIS
sudo moltbot start

Good Practice:

# Create a dedicated user with limited permissions
sudo useradd -m -s /bin/bash moltbot
sudo -u moltbot moltbot start

2. Sandboxed Execution

Moltbot supports running commands in isolated containers to prevent system-wide damage.

Enable Docker Sandboxing:

# Install Docker
curl -fsSL https://get.docker.com | sh

# Configure Moltbot to use Docker sandbox
moltbot config set SANDBOX_MODE=docker
moltbot config set SANDBOX_IMAGE=node:20-alpine

3. API Key Protection

Never hardcode API keys in configuration files or share them in public repositories.

Bad Practice:

// config.js - DON'T DO THIS
export const ANTHROPIC_API_KEY = "sk-ant-1234567890"

Good Practice:

# Use environment variables
export ANTHROPIC_API_KEY="sk-ant-1234567890"

# Or use encrypted vault
moltbot vault set ANTHROPIC_API_KEY

Authentication & Access Control

Multi-User Setup

If multiple people use your Moltbot instance, implement proper authentication:

# Enable authentication
moltbot config set AUTH_ENABLED=true

# Create users with different permission levels
moltbot user create alice --role admin
moltbot user create bob --role user
moltbot user create charlie --role readonly

Role-Based Permissions

Define what each role can do:

Admin Role:

  • Execute system commands
  • Modify configuration
  • Access all integrations

User Role:

  • Run approved commands
  • Access personal integrations
  • Cannot modify system settings

Readonly Role:

  • View logs and history
  • Query information
  • Cannot execute actions

WhatsApp/Telegram Security

Protect your messaging integrations:

# Enable phone number whitelist
moltbot config set WHATSAPP_WHITELIST="+1234567890,+9876543210"

# Require PIN for sensitive commands
moltbot config set REQUIRE_PIN=true
moltbot config set ADMIN_PIN=your_secure_pin

Network Security

Firewall Configuration

Only expose necessary ports:

# Allow SSH (22) and optional web dashboard (8080)
sudo ufw allow 22/tcp
sudo ufw allow 8080/tcp
sudo ufw enable

# Block all other incoming traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing

HTTPS for Web Dashboard

If you're running a web interface, always use HTTPS:

# Get free SSL certificate from Let's Encrypt
sudo certbot certonly --standalone -d yourdomain.com

# Configure Moltbot to use SSL
moltbot config set HTTPS_ENABLED=true
moltbot config set SSL_CERT=/etc/letsencrypt/live/yourdomain.com/fullchain.pem
moltbot config set SSL_KEY=/etc/letsencrypt/live/yourdomain.com/privkey.pem

Data Protection

Sensitive Data Handling

Configure which files and environment variables Moltbot is allowed to read (paths are denied unless whitelisted, and the blacklist overrides the whitelist):

# ~/.moltbot/security.yaml
data_access:
  filesystem:
    whitelist:
      - /home/user/documents/public
      - /home/user/projects
    blacklist:
      - /home/user/.ssh
      - /home/user/.gnupg
      - /etc/passwd

  environment_variables:
    blacklist:
      - AWS_SECRET_ACCESS_KEY
      - DATABASE_PASSWORD
      - PRIVATE_KEY

Audit Logging

Enable comprehensive logging to track all actions:

# Enable audit logs
moltbot config set AUDIT_LOG_ENABLED=true
moltbot config set AUDIT_LOG_PATH=/var/log/moltbot/audit.log

# Set log retention
moltbot config set LOG_RETENTION_DAYS=90

# View recent actions
moltbot logs audit --last 100

Encryption at Rest

Encrypt sensitive configuration and credentials:

# Enable encryption for stored credentials
moltbot vault init

# Store sensitive data encrypted
moltbot vault set DATABASE_URL "postgresql://..."
moltbot vault set STRIPE_SECRET_KEY "sk_live_..."

# Access encrypted values
moltbot vault get DATABASE_URL

Command Approval Workflow

For high-risk commands, implement an approval system:

# Enable command approval for system operations
moltbot config set APPROVAL_REQUIRED=true
moltbot config set APPROVAL_TYPES="system,file_delete,api_write"

# Set approval method
moltbot config set APPROVAL_METHOD=phone  # SMS confirmation

Example workflow:

  1. User: "Delete all log files older than 30 days"
  2. Moltbot: "This action requires approval. Sending SMS to +1234567890"
  3. User receives: "Approve deletion of 1,247 log files? Reply YES to confirm"
  4. User replies: "YES"
  5. Moltbot executes the command
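The gate behind APPROVAL_REQUIRED and APPROVAL_TYPES, modelled on the SMS workflow above, as an added example (not Moltbot's own code). The tool-to-category mapping, the in-memory pending store and the 60-second expiry are assumptions made for this example; the point is that an approval is single-use, bound to one request, and expires.

```javascript
// Added example (not Moltbot's own code): the approval gate behind
// APPROVAL_REQUIRED / APPROVAL_TYPES, modelled on the SMS workflow above.
// The tool classifier, the in-memory pending store and the 60-second
// expiry are assumptions made for this example.
const approvalTypes = new Set(['system', 'file_delete', 'api_write']);
const APPROVAL_TTL_MS = 60 * 1000;
const pending = new Map(); // phone -> { call, type, expiresAt }
const executed = [];       // stand-in for actually running the tool call

// Map a tool call onto the page's approval categories (assumed mapping).
function classify(call) {
  if (call.tool === 'shell') return 'system';
  if (call.tool === 'fs' && call.op === 'delete') return 'file_delete';
  if (call.tool === 'http' && call.method !== 'GET') return 'api_write';
  return 'read';
}

// Run the call directly, or park it until the owner confirms by SMS.
// A second request while one is pending is refused rather than replacing
// it, so a YES meant for the first cannot release the second.
function request(call, phone, now = Date.now()) {
  const type = classify(call);
  if (!approvalTypes.has(type)) { executed.push(call); return { status: 'executed' }; }
  if (pending.has(phone)) return { status: 'busy' };
  pending.set(phone, { call, type, expiresAt: now + APPROVAL_TTL_MS });
  return { status: 'pending', message: `Approve ${type}: ${call.summary}? Reply YES to confirm` };
}

// Handle the SMS reply. Only "YES" from the same phone, inside the TTL,
// releases the call; any reply consumes the pending request, so a late
// or ambiguous answer never lingers as a standing approval.
function reply(phone, text, now = Date.now()) {
  const p = pending.get(phone);
  if (!p) return { status: 'nothing_pending' };
  pending.delete(phone);
  if (now > p.expiresAt) return { status: 'expired' };
  if (text.trim().toUpperCase() !== 'YES') return { status: 'rejected' };
  executed.push(p.call);
  return { status: 'executed' };
}

// Constructed walk-through of the five-step workflow above.
const owner = '+1234567890';
console.log(request({ tool: 'fs', op: 'delete', summary: 'delete 1,247 log files' }, owner).message);
console.log(reply(owner, 'YES').status); // executed
```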

Third-Party Integration Security

OAuth vs API Keys

Prefer OAuth when available:

Less Secure (API Keys):

moltbot integration add github --token ghp_1234567890

More Secure (OAuth):

moltbot integration add github --oauth
# Opens browser for secure OAuth flow

Webhook Security

If you're receiving webhooks from external services, verify their signatures so that forged requests are rejected before Moltbot acts on them:

# Enable webhook signature verification
moltbot config set WEBHOOK_VERIFY_SIGNATURES=true

# Set webhook secret
moltbot config set GITHUB_WEBHOOK_SECRET=your_secret_here

Regular Security Maintenance

Weekly Tasks

  • Review audit logs for suspicious activity
  • Check for unauthorized users or sessions
  • Update Moltbot to the latest version

Monthly Tasks

  • Rotate API keys and tokens
  • Review and update permission roles
  • Audit enabled integrations and remove unused ones

Quarterly Tasks

  • Perform full security audit
  • Review and update firewall rules
  • Test backup and recovery procedures

Security Checklist

Before deploying Moltbot to production:

  • Run Moltbot as non-root user
  • Enable sandboxed execution
  • Store API keys in encrypted vault
  • Configure firewall (UFW/iptables)
  • Enable HTTPS for web interfaces
  • Set up audit logging
  • Implement authentication for multi-user setups
  • Configure command approval for high-risk actions
  • Whitelist allowed phone numbers for messaging
  • Enable automatic security updates
  • Set up automated backups
  • Document your security configuration

Incident Response

If you suspect a security breach:

  1. Immediately disable Moltbot:

    pm2 stop moltbot-assistant

  2. Review audit logs:

    moltbot logs audit --last 1000 > suspicious_activity.log

  3. Rotate all credentials:

    # Regenerate API keys on provider dashboards
    # Update Moltbot configuration
    moltbot vault set ANTHROPIC_API_KEY new_key

  4. Check for unauthorized changes:

    git diff HEAD~10 ~/.moltbot/config

  5. Report to the community if you discover a vulnerability

Conclusion

Security is not a one-time setup—it's an ongoing practice. By following these best practices, you can enjoy the power of Moltbot while keeping your data and systems safe.

Remember: With great AI power comes great responsibility.

Join the Moltbot Security Discord channel to stay updated on security advisories and best practices.
