Automate Customer Support with AI Agent - OpenClaw Skill
Description
Mammoth Club Skill Usage
By using a Mammoth Club Skill, you agree to the following:
Mammoth Club cannot be held liable for OpenClaw's actions due to this Skill. Mammoth Club cannot be held liable for API or token usage from this Skill or OpenClaw.
Review Skills before running them. Mammoth Club Skills are for educational purposes only.
Advisory Notice — OpenClaw Security & Usage Best Practices
OpenClaw can run shell commands, read/write files, and execute code, so an agent or plugin can do real harm if misconfigured. Monitor your OpenClaw's actions and set restrictions.
- Scripts and Skills from public registries may be unvetted and malicious.
- Stored logs and session data can be read by processes/users that have access to your filesystem.
- Misconfigured instances can expose API keys, credentials, or commands to attackers.
1) Isolate and Sandbox the Agent
Run OpenClaw in an environment that limits its access:
- Dedicated account / user on your machine — avoid running it as your main user.
- Container or VM — use Docker, a Linux container, or a dedicated VPS to isolate it from your personal workstation.
- Chroot / sandbox tools (like Firejail on Linux) to limit filesystem and network access.
⚠️ Watch out — If you close the terminal without stopping your Docker container, the container keeps running in the background.
2) Lock Down Filesystem Permissions
- Restrict access to ~/.openclaw and other data directories; ensure only the OpenClaw process/user can read/write them.
- Avoid exposing these directories to other services or unnecessary users.
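The check described in this step, as an added example (not part of the original notice and not OpenClaw's own tooling): it lists everything under a data directory that group or other users can access, then strips those bits. The function names and the demo tree are constructed for illustration; pass ~/.openclaw as the first argument to run it on the real directory. It assumes GNU find.

```bash
#!/usr/bin/env bash
# Added example: find and remove group/other access under an agent data
# directory such as ~/.openclaw. Function names are illustrative.

# Print every entry under DIR that has any group/other permission bit set.
# "-perm /077" is GNU find syntax: true if ANY of those bits is set.
list_loose() {
    find "$1" ! -type l -perm /077 -print
}

# Number of loose entries under DIR.
count_loose() {
    list_loose "$1" | wc -l | tr -d ' '
}

# Strip group/other bits but keep the owner's bits, so scripts the owner
# can execute stay executable.
harden() {
    find "$1" ! -type l -exec chmod go-rwx {} +
}

# Constructed demo tree standing in for a real data directory.
make_demo_tree() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/sessions" "$d/logs"
    printf 'token=CONSTRUCTED-PLACEHOLDER\n' > "$d/config"
    printf 'constructed session data\n' > "$d/sessions/s1.json"
    printf 'constructed log line\n' > "$d/logs/agent.log"
    chmod 755 "$d" "$d/sessions"                  # listable by everyone
    chmod 644 "$d/config" "$d/sessions/s1.json"   # readable by everyone
    chmod 700 "$d/logs"                           # already private
    chmod 600 "$d/logs/agent.log"                 # already private
    printf '%s\n' "$d"
}

# Audit the directory given as $1 (default: the constructed demo tree).
target="${1:-$(make_demo_tree)}"
echo "loose entries before: $(count_loose "$target")"
list_loose "$target"
harden "$target"
echo "loose entries after:  $(count_loose "$target")"
[ $# -gt 0 ] || rm -rf "$target"   # remove the demo tree only
```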
3) Vet Every Skill / Plugin
- Treat skills like executable code; review them manually before installing.
- Never install from public registries without checking the source. Malicious skills have already appeared in the ecosystem.
4) Avoid Sensitive Accounts & Keys
- Never grant access to financial accounts, wallets, or personal credentials.
- Use API gateways and limited-scope credentials instead of full keys.
- Don't paste a password or OpenClaw token into tickets/chat rooms. The token is admin access to your agent control surface. The docs emphasize hardening, and there's active attention on token/WS risks around localhost agent dashboards.
- If you think you leaked it, rotate/regenerate the gateway token.
5) Network & API Safety
- Restrict outbound connections with firewall rules.
- If you must expose a service (for chat integration), use reverse proxies with authentication and HTTPS.
6) Monitor & Audit What It Does
- Enable logging AND review logs regularly.
- If any unexpected filesystem changes or network calls appear, kill the process immediately.
7) Apply Prompt Guardrails
- Avoid prompts that ask it to perform ambiguous or system-level tasks without explicit safety checks.
- Consider using guardrail libraries or defensive prompt patterns to reduce prompt-injection-like risks.
8) Stay Updated
- OpenClaw is evolving rapidly; keep your install and its dependencies up-to-date with the latest security patches.
Best Practices
- We strongly recommend running OpenClaw on a secondary (non-essential) PC, Docker container, or virtual machine to limit potential damage.
- Use test accounts with OpenClaw to validate projects and configurations before granting access to any production or full credentials.
- Always store API keys and credentials in a .env file; never hardcode them.
- Do not share sensitive information or credentials directly with OpenClaw or any large language model.
- OpenClaw can execute PowerShell and Linux terminal commands, which, if misused, could delete files or modify system permissions.
- OpenClaw instances may be exposed to the internet, increasing the risk of LLM prompt-injection or other attacks.
- OpenClaw can generate significant API usage costs, especially if allowed to run autonomously in the background; monitor usage carefully.
If you're experimenting and not comfortable with these risks yet:
- ✔️ Run it in a disposable VM
- ✔️ Don't connect personal accounts
- ✔️ Don't install third-party skills until you understand what they do
> Unofficial automation may lead to account suspension/ban on the platform you are automating. If web scraping, abide by the scraped website's policies and rate limits.
By enrolling in this course, you acknowledge and accept full responsibility for any risks, system changes, or costs incurred through the use of OpenClaw. You agree not to hold Mammoth Club liable for any damages, losses, costs, or issues arising from the use or misuse of OpenClaw.
---
Advisory Notice — API Key Usage
When using external APIs like OpenAI, keep these warnings in mind:
🎉 Hurray! Free credits!
Many external APIs offer free credits for each new account before billing is required. You can complete many of the projects we show in our courses using free credits. If you go beyond the free credit limit, external API usage should cost very little (less than $1) for each project in our courses.
However, agents are autonomous and can incur background costs. The same applies to cloud platforms like Google Cloud that run background processes. Deactivate and terminate any processes that you do not want running in the background.
⚠️ Watch your billing usage
Most projects cost very little. However, if you run a project repeatedly or encounter a rare bug, you may incur higher than expected billing costs.
To avoid this, set up automatic limits or billing notifications in the settings of each external platform.
- Do not call the APIs over and over again. When testing one function, run just that function, not your entire project; otherwise all of your functions will incur billing each time. For example, you are billed each time you send a prompt to a chatbot API.
- Do not share your API keys publicly.
- Delete your API keys either from your project or from the API platform before you:
  - Upload a project to GitHub
  - Ask a question about your code on a public forum
  - Create a public Colab file
  - Show your project on YouTube/Twitch
  - Or share the project in any other manner
- Delete your API keys from the external API when you are finished with a project. Your project will still work if you want to use it in the future — you will just have to create a new API key to use in the project.
- Also — remove your credit card from the external API when you are finished using it.
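A pre-share check for the rules above (keys in a .env file, never hardcoded, and removed before a project is published), as an added example that is not part of the original notice. The patterns are heuristic assumptions rather than a complete secret scanner, the function names are illustrative, and the sample project is constructed; it assumes GNU grep.

```bash
#!/usr/bin/env bash
# Added example: check a project for hardcoded keys before sharing it.
# The patterns are heuristic assumptions, not a complete secret scanner.

# A key-like name followed within a few characters by a long literal, or an
# "sk-" prefixed string (the prefix OpenAI API keys use).
KEY_RE='(api[_-]?key|token|secret|password)[a-z0-9_]*[^a-z0-9_]{1,4}[a-z0-9_-]{16,}|sk-[a-z0-9_-]{20,}'

# Print file:line for each hit; the matched value itself is never echoed.
# .env files are skipped because that is where keys are supposed to live.
scan_secrets() {
    grep -rEIin --exclude-dir=.git --exclude='.env*' -e "$KEY_RE" "$1" | cut -d: -f1,2
}

# True if .gitignore has a line that ignores .env (simple text match).
env_ignored() {
    grep -qE '^/?\.env\*?$' "$1/.gitignore" 2>/dev/null
}

# Return 0 only when no key-like strings are found and .env is ignored.
preshare_check() {
    local hits rc=0
    hits="$(scan_secrets "$1")"
    if [ -n "$hits" ]; then
        printf 'hardcoded key-like string at:\n%s\n' "$hits"; rc=1
    fi
    if [ -e "$1/.env" ] && ! env_ignored "$1"; then
        echo ".env exists but is not listed in .gitignore"; rc=1
    fi
    return "$rc"
}

# Constructed sample project: one hardcoded key, one env lookup, one .env.
make_demo_project() {
    local d; d="$(mktemp -d)"
    printf 'import os\nOPENAI_API_KEY = "sk-CONSTRUCTED000000000000000000"\n' > "$d/app.py"
    printf 'import os\napi_key = os.getenv("OPENAI_API_KEY")\n' > "$d/config.py"
    printf 'OPENAI_API_KEY=sk-CONSTRUCTED000000000000000000\n' > "$d/.env"
    printf '%s\n' "$d"
}

# Check the directory given as $1 (default: the constructed sample project).
project="${1:-$(make_demo_project)}"
if preshare_check "$project"; then echo "OK to share"; else echo "fix before sharing"; fi
[ $# -gt 0 ] || rm -rf "$project"   # remove the sample project only
```

A clean result only means these patterns found nothing; a key that was ever committed or shared should still be deleted on the API platform.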
💡 Tip
- Use the cheaper models that an API offers during development, experimentation, or learning.
- Each API often has more expensive models that perform better, which you can use during production if needed.
😊 Have fun!
These external APIs are powerful, and learning them is required for many developer jobs. We chose the most important APIs to prepare you for the next decade. Have fun exploring these amazing APIs!
You agree to be held fully responsible for the risks and costs associated with using APIs. You agree not to hold Mammoth Club liable for any damages, losses, costs, or issues arising from the use or misuse of API keys.