Your AI Agent Has Read Access to Every File on Your Computer (And You Probably Don't Know It)
I set up an AI agent on a dedicated Mac Mini with a separate user account and no admin privileges. I did everything I could think of to isolate it. Then I found out macOS was quietly giving it access to my personal files anyway.
I spent a weekend setting up OpenClaw on a dedicated Mac Mini. Separate machine, separate user account, no admin privileges. The whole point was containment: if the agent gets a bad instruction, the blast radius stays limited to a machine that doesn’t hold my personal files, passwords, and work data.
I felt pretty good about it. Then I started poking around.
What I Found
Once OpenClaw was running, I ran its built-in security audit:
openclaw security audit --deep
Everything passed except one finding: my firewall wasn’t enabled. Easy fix. But the audit only checks OpenClaw-specific configurations. It doesn’t check whether the underlying operating system is doing what you think it’s doing.
So I checked manually. I switched to the OpenClaw user account and tried to list the files in my personal home directory.
It worked.
Even though the OpenClaw account was a standard, non-admin user, it had read-only access to my personal home files. My documents, my OneDrive files, my downloads. Everything I’d put on that machine was visible to the account running the AI agent.
The entire point of creating a separate user was to prevent exactly this.
Why This Happens
On macOS, the picture is more complicated than most guides suggest.
The standard subdirectories in your home folder (Documents, Desktop, Downloads) are typically locked down on modern versions of macOS. Apple has progressively tightened these permissions over the last several releases. But the home directory itself may still be listable by other users on the same machine. And non-standard folders, like cloud sync directories from OneDrive or Google Drive, don’t always inherit those same protections.
In my case, OpenClaw could see files I assumed were private. Whether that was due to my OneDrive configuration, a quirk of how I set up the machine, or something else, I’m honestly not sure. Five thousand people smarter than me about macOS security could probably tell me exactly what happened.
What I do know: “create a separate user account” is the advice every security guide gives for isolating applications. And on my machine, that advice alone wasn’t enough.
Why This Matters for AI Agents
If OpenClaw were a regular application, the file permission gap would be a minor concern. Most apps don’t actively browse your filesystem looking for interesting data.
An AI agent is different. It has shell access. It can run commands. It can be instructed (by you, by a chat message, by a website it’s browsing) to look at files, read their contents, and act on what it finds. The whole point of an agent is that it takes initiative.
That’s the feature. It’s also what makes the file permission gap dangerous. An agent with read access to your personal files isn’t a theoretical risk. It’s a capability that’s one bad instruction away from being exercised.
And you probably won’t see it happen. There’s no popup. No permission dialog. The agent just quietly has access to files you assumed were private.
The Fix
The fix is one command, run from your personal (admin) account:
chmod 700 /Users/yourusername
This changes the permissions on your home directory so that only your user account can read, write, or list its contents. After running this, everything in my home folder became invisible to the OpenClaw account.
Verify it by switching to the OpenClaw user and trying:
ls /Users/yourusername
You should see “Permission denied.”
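The manual check and the fix above, written up as a small audit script. This is an added example, not part of the original post or of OpenClaw; it assumes the macOS layout of one home directory per account under /Users and reads only the classic mode bits, so a macOS ACL (shown by `ls -le`) that grants extra access would not be detected.

```sh
#!/bin/sh
# Report home directories whose group/other mode bits allow any access,
# i.e. anything other than the 700 the post recommends.
# Prints one line per directory; returns 0 if locked down, 1 if exposed.
check_home_dir() {
  dir=$1
  # First 10 characters of `ls -ld` are the type and mode, e.g. drwxr-xr-x.
  # On macOS an 11th character (+ or @) marks ACLs/xattrs; it is ignored here.
  mode=$(ls -ld "$dir" | cut -c1-10)
  group_other=$(printf '%s' "$mode" | cut -c5-10)
  case "$group_other" in
    ------) printf 'ok       %s (%s)\n' "$dir" "$mode"; return 0 ;;
    *)      printf 'EXPOSED  %s (%s) other accounts can reach it\n' \
                   "$dir" "$mode"; return 1 ;;
  esac
}

# Walk every home directory under the given root (default /Users).
# /Users/Shared is skipped because it is meant to be world-readable.
audit_homes() {
  root=${1:-/Users}
  rc=0
  for d in "$root"/*; do
    [ -d "$d" ] || continue
    case "$d" in */Shared) continue ;; esac
    check_home_dir "$d" || rc=1
  done
  return $rc
}

# Apply the fix from the post (chmod 700) and re-check the result.
lock_home_dir() {
  chmod 700 "$1" && check_home_dir "$1"
}

# Usage: run from the admin account.
#   . ./audit_homes.sh; audit_homes            # report exposed home dirs
#   lock_home_dir /Users/yourusername          # fix one and verify
```

Run the audit before installing anything on the agent's account, and again afterwards, since later installs or cloud-sync clients can change permissions under your home folder.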
That’s it. One command. It costs nothing, breaks nothing, and closes any gaps in your file permissions, whether or not you fully understand what those gaps are.
I didn’t fully understand mine. I’d rather be safe about it than right about it.
What I’d Do Differently
I ran that chmod command after OpenClaw was already up and running. That means the agent had access to my personal files for the entire setup and testing process. Nothing bad happened. But it shouldn’t have been possible in the first place.
If I were doing this again, I’d lock down the home directory before installing anything on the OpenClaw account. In fact, I’ve gone back and updated my setup guide to include this step early in the process, before Homebrew, before Node.js, before OpenClaw touches the machine.
The Bigger Lesson
This experience crystallized something I keep running into with AI tools: the defaults aren’t designed for the way people are actually using them.
macOS user accounts were designed to let multiple people share a computer. They were not designed to isolate an autonomous AI agent that has shell access and the ability to follow instructions from external sources. The permission model is doing exactly what it was built to do. It just wasn’t built for this.
Every setup guide I found for OpenClaw (and similar tools) focused on getting the agent running. None of them talked about what happens after it’s running, when it has access to more of your system than you intended. The gap between “working” and “actually locked down” is where the real risk lives. And nobody warns you about it.
I’m not a security expert. I’m a person who builds and scales operations for a living and tries to think about blast radius and containment before giving anything access to systems. I probably missed things. But I found this one, and it seems worth sharing.
I wrote a companion piece on setting up OpenClaw on a dedicated Mac Mini from scratch, including the two-user architecture, installation steps, and hardening. If you’re considering running an AI agent locally, start there.