Docs: Add Binance trading hardening and OpenClaw skill sandbox guidance by johnnyclem · Pull Request #51 · johnnyclem/AgentVault

johnnyclem · 2026-04-26T14:37:36Z

Clarify threat-model guidance for exchange-connected agents and automated trading workloads to reduce risk from compromised hosts or keys.
Provide concrete operational controls and a minimal runtime sandbox for OpenClaw/Claw-style skills to limit blast radius of untrusted skill execution.

Updated docs/security/best-practices.md to add weekly Binance API key rotation, API key IP whitelisting, and recommendation to route trading traffic through a hardened VPS with firewall egress controls.
Added a short UFW runbook example showing how to restrict outbound traffic to Binance hosts and how to restrict SSH to trusted admin IPs.
Added a new "Skill Runtime Sandboxing" section recommending non-root execution, denying writes outside /tmp, read-only runtime mounts, and process-level isolation, plus a minimal hardened docker run example.
Adjusted the operational checklist to require weekly Binance API key rotation instead of the previous monthly note.

Ran npm run typecheck, which failed due to pre-existing, unrelated TypeScript errors in cli/commands/pilot.ts and src/pilot/private-replica.ts, so no typecheck pass was produced for this docs-only change.
No runtime code was modified and no other automated tests were executed for this PR.

vercel · 2026-04-26T14:37:39Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agent-vault	Ready	Preview, Comment	Apr 26, 2026 2:49pm
agentvault	Ready	Preview, Comment	Apr 26, 2026 2:49pm

Add hardened trading and OpenClaw sandboxing guidance

2ab89dc

johnnyclem added the codex label Apr 26, 2026 — with ChatGPT Codex Connector

vercel Bot deployed to Preview – agentvault April 26, 2026 14:48 View deployment

vercel Bot deployed to Preview – agent-vault April 26, 2026 14:49 View deployment

Provide feedback