Security

Security practices and considerations for SadClaw.

Architecture Security

On-Chain Security

Immutable program: Once deployed, the Solana program cannot be modified
Atomic transactions: USDC transfers and NFT minting happen atomically
Ownership verification: All operations verify NFT ownership
No admin keys: No backdoors or admin overrides

Off-Chain Security

Encrypted credentials: SSH keys encrypted at rest
Per-VM isolation: Each VM has unique credentials
HTTPS only: All API traffic is encrypted
JWT authentication: Wallet-signed authentication

VM Security

Isolated VMs: No shared resources between users
Firewall by default: Only SSH port open initially
Root access: You control the full machine
No shared keys: Unique SSH keys per VM

Wallet Security

Best Practices

Use dedicated wallets - Don't use your main wallet for agents
Limit funding - Only fund what the agent needs
Hardware wallets - Use hardware wallets for large amounts
Backup seed phrases - Store securely offline

Agent Wallets

For AI agents:

import { Keypair } from '@solana/web3.js';

// Generate a dedicated agent wallet
const agentKeypair = Keypair.generate();

// Fund only what's needed
// Don't store large amounts in agent wallets

Key Storage

Never commit keys to version control:

# .gitignore
wallet.json
*.pem
.env

Use environment variables:

const secretKey = Buffer.from(process.env.WALLET_SECRET_KEY, 'base64');
const keypair = Keypair.fromSecretKey(secretKey);

VM Security

After Provisioning

Update packages:

apt update && apt upgrade -y

Configure firewall:

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw enable

Disable root login (optional):

# Create a user
adduser myuser
usermod -aG sudo myuser

# Disable root SSH
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart sshd

SSH Key Management

Rotate keys periodically:

# Generate new key
ssh-keygen -t ed25519 -f new_key

# Add to VM
cat new_key.pub >> ~/.ssh/authorized_keys

# Remove old key

Monitoring

Set up basic monitoring:

# Install fail2ban
apt install fail2ban

# Check auth logs
tail -f /var/log/auth.log

Smart Contract Security

Audit Status

[Audit information to be updated]

Verified Source

Source code is open and verified on GitHub:

github.com/techwebc/sadclaw/programs/sadclaw-vm

Known Limitations

VMs are provisioned on centralized infrastructure (Hetzner)
Backend is a centralized service (can be unavailable)
NFT metadata stored off-chain

Reporting Vulnerabilities

Responsible Disclosure

If you find a security vulnerability:

Do not open a public GitHub issue
Email: [email protected]
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response Time

Acknowledgment: Within 24 hours
Initial assessment: Within 72 hours
Fix timeline: Depends on severity

Bug Bounty

We offer bounties for valid security reports:

Severity

Bounty

Critical

Up to $10,000

High

Up to $5,000

Medium

Up to $1,000

Low

Up to $200

Compliance

Data Handling

We don't store personal data beyond wallet addresses
SSH keys are stored encrypted
Logs are retained for 30 days
No third-party analytics on sensitive data

Jurisdiction

SadClaw operates globally. Users are responsible for compliance with local regulations.

PreviousTroubleshooting NextCLI reference

Last updated 1 month ago

Good night

hashtagArchitecture Security

hashtagOn-Chain Security

hashtagOff-Chain Security

hashtagVM Security

hashtagWallet Security

hashtagBest Practices

hashtagAgent Wallets

hashtagKey Storage

hashtagVM Security

hashtagAfter Provisioning

hashtagSSH Key Management

hashtagMonitoring

hashtagSmart Contract Security

hashtagAudit Status

hashtagVerified Source

hashtagKnown Limitations

hashtagReporting Vulnerabilities

hashtagResponsible Disclosure

hashtagResponse Time

hashtagBug Bounty

hashtagCompliance

hashtagData Handling

hashtagJurisdiction

Architecture Security

On-Chain Security

Off-Chain Security

VM Security

Wallet Security

Best Practices

Agent Wallets

Key Storage

VM Security

After Provisioning

SSH Key Management

Monitoring

Smart Contract Security

Audit Status

Verified Source

Known Limitations

Reporting Vulnerabilities

Responsible Disclosure

Response Time

Bug Bounty

Compliance

Data Handling

Jurisdiction