Why AI Agents on a VPS Need Their Own Preset
Running an AI agent on a VPS is not the same as running a web app. The threat model is fundamentally different. A traditional web server handles HTTP requests from browsers. An AI agent handles natural language from WhatsApp, executes shell commands, reads your email, controls a browser, and remembers everything across restarts in plaintext files.
The numbers tell the story. Researchers found over 42,000 OpenClaw instances exposed to the public internet. At least 12,812 are vulnerable to full remote code execution via CVE-2026-25253. The ClawHavoc campaign delivered malware through 335 malicious skills on ClawHub. And the Moltbook incident leaked 1.5 million API tokens because of a misconfigured database.
Our existing presets (lax, safe, balanced, strict) are designed for general infrastructure. They escalate uniformly across all 16 modules. But an AI agent VPS has a very specific attack surface: the gateway port is the front door, prompt injection is the primary weapon, and the agent's memory files are the crown jewels. The vps-agent preset tunes every module for this reality.
The VPS Agent Threat Model
We analyzed every documented OpenClaw compromise, CVE, and attack campaign to identify the six threat categories that define the VPS agent attack surface.
Gateway Exposure and Token Theft
OpenClaw binds to 0.0.0.0 by default, exposing its control panel to the internet. CVE-2026-25253 enables token exfiltration that leads to full gateway takeover. Attackers inherit the agent's permissions: messaging accounts, API keys, shell access, file system control. The vps-agent preset sets auth_fortress to trigger on MEDIUM severity with 30-second cooldowns and 60 actions per minute — the most aggressive auth configuration of any preset.
Prompt Injection via Chat Channels
Every messaging channel connected to the agent is an attack vector. A Telegram message, a forwarded email, a PDF, a webpage the agent browses — all can carry injection payloads. Researchers demonstrated extracting private keys in under five minutes on default deployments. The preset configures the LLM Firewall with 10-second cooldowns and 100 actions per minute, ensuring rapid response to injection floods without missing any attempts.
Malicious Skills and Supply Chain Attacks
The ClawHavoc campaign proved that the skills ecosystem is a live attack vector. 335 malicious skills delivered Atomic Stealer, targeting .env files, SSH credentials, wallet keys, and agent memory files. The preset enables supply chain quarantine on MEDIUM severity and blocks C2 IPs for 24 hours — the longest block duration in the preset, reflecting the severity of confirmed supply chain compromise.
Agent Scope Escalation
A compromised agent can spawn sub-agents with inherited permissions, make unauthorized API calls to shadow AI services, and escalate from reading emails to executing shell commands. The preset configures AI Containment to kill violating processes on MEDIUM severity with 15-second cooldowns — fast enough to stop an agent before it completes a multi-step attack chain.
Memory and Config File Tampering
SOUL.md and MEMORY.md are plaintext files that persist across agent restarts. Poisoning these files creates time-delayed attacks: inject a payload today, detonate it when the agent's context aligns tomorrow. The Runtime Watcher is configured with the tightest settings in the preset — MEDIUM severity, 15-second cooldowns, 60 actions per minute — with both kill_process and quarantine_file enabled.
Network-Level Exfiltration
Once compromised, an agent can exfiltrate data via DNS tunneling, C2 beaconing, or direct HTTPS connections to attacker infrastructure. The Network Guardian blocks on MEDIUM severity and drops exfiltration connections on HIGH, providing the perimeter defense that most VPS deployments lack.
How the Preset Tunes Each Module
The vps-agent preset is not just "strict with a different name." It is a purpose-built configuration that makes deliberate tradeoffs based on the VPS agent threat model.
The five critical modules — auth_fortress, llm_firewall, ai_containment, runtime_watcher, and supply_chain — all trigger on MEDIUM severity with short cooldowns and high rate limits. These are the modules that defend against the attack vectors actually hitting OpenClaw deployments.
The high-priority modules — network_guardian, api_fortress, injection_shield, and identity_monitor — are tuned between MEDIUM and HIGH severity. They provide essential perimeter and application defense without the ultra-aggressive settings of the critical tier.
The lower-priority modules — iot_shield, deepfake_shield, quantum_crypto, and cloud_posture — are set to HIGH severity with longer cooldowns. A single-VPS AI agent is unlikely to face IoT botnet attacks or quantum cryptographic threats, but the modules remain enabled for completeness. If your agent VPS is also running IoT services, you can override these individually in your config.
vps-agent vs. strict: What Is Different
The strict preset is uniformly aggressive across all 16 modules. The vps-agent preset is selectively aggressive — it concentrates enforcement budget on the modules that matter for AI agent defense.
For example, strict sets llm_firewall cooldown to 30 seconds. The vps-agent preset sets it to 10 seconds, because prompt injection is the number one attack vector and you cannot afford to miss a burst. Conversely, strict sets iot_shield to MEDIUM severity with 60-second cooldowns. The vps-agent preset relaxes this to HIGH severity with 300-second cooldowns, because IoT threats are not the primary concern on an agent VPS.
The result is a preset that is more aggressive than strict where it counts and more relaxed where it does not — reducing alert fatigue while maintaining tighter defense on the actual attack surface.
Deploy in One Command
Apply the preset to any 1-SEC installation:
1sec enforce preset vps-agent
Or start in dry-run mode to see what it would do without enforcing:
1sec enforce preset vps-agent --dry-run
To preview the full policy table:
1sec enforce preset vps-agent --show
The preset works alongside any OpenClaw deployment. Install 1-SEC on the same VPS, apply the preset, and all 16 modules activate with agent-optimized thresholds. No containers, no additional dependencies — just one binary between your agent and the threats targeting it.
Customizing the Preset
The vps-agent preset is a starting point. You can override any module policy in your config YAML. For example, if your agent VPS also serves as a web API, you might want to tighten api_fortress further:
enforcement:
  preset: vps-agent
  policies:
    api_fortress:
      min_severity: LOW
      cooldown_seconds: 10
      max_actions_per_min: 100
Preset policies are applied first, then your overrides are merged on top. This lets you use the preset as a baseline and fine-tune for your specific deployment.
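To make the two points above concrete (why a 10-second versus 30-second llm_firewall cooldown changes what happens during an injection burst, and how preset-then-override merging works), here is an added toy model, not 1-SEC's own code. It assumes cooldown_seconds is the minimum gap between two actions by one module and max_actions_per_min is a sliding 60-second cap; field values not quoted in the article are marked as constructed.

```python
# Added example, not 1-SEC's own code: a toy model of the policy fields the
# article quotes (min_severity, cooldown_seconds, max_actions_per_min) and of
# "preset policies first, overrides merged on top". Assumed semantics: cooldown =
# min seconds between two actions by a module; max_actions_per_min = cap on
# actions within a sliding 60-second window.
from collections import deque
SEVERITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
# Severities/cooldowns quoted in the article; values marked (c) are constructed.
VPS_AGENT = {
    "llm_firewall": {"min_severity": "MEDIUM", "cooldown_seconds": 10, "max_actions_per_min": 100},
    "iot_shield": {"min_severity": "HIGH", "cooldown_seconds": 300, "max_actions_per_min": 10},  # per_min (c)
}
STRICT = {
    "llm_firewall": {"min_severity": "MEDIUM", "cooldown_seconds": 30, "max_actions_per_min": 100},  # sev, per_min (c)
    "iot_shield": {"min_severity": "MEDIUM", "cooldown_seconds": 60, "max_actions_per_min": 10},  # per_min (c)
}
# The api_fortress override block shown in the article.
USER_OVERRIDES = {"api_fortress": {"min_severity": "LOW", "cooldown_seconds": 10, "max_actions_per_min": 100}}

def merge_policies(preset, overrides):
    """Preset first, then per-field overrides on top; the preset dict is left untouched."""
    merged = {module: dict(fields) for module, fields in preset.items()}
    for module, fields in overrides.items():
        merged.setdefault(module, {}).update(fields)
    return merged

class ModuleGate:
    """Decides whether one module acts on a detection event."""
    def __init__(self, policy):
        self.min_sev = SEVERITY[policy["min_severity"]]
        self.cooldown = policy["cooldown_seconds"]
        self.max_per_min = policy["max_actions_per_min"]
        self.last_action = None
        self.recent = deque()  # timestamps of actions within the last 60 s

    def decide(self, t, severity):
        """True if an event of `severity` at time t (seconds) should trigger an action."""
        if SEVERITY[severity] < self.min_sev:
            return False  # below min_severity: detect/log only
        while self.recent and t - self.recent[0] >= 60:
            self.recent.popleft()  # expire actions older than the window
        if len(self.recent) >= self.max_per_min:
            return False  # rate limit for this minute exhausted
        if self.last_action is not None and t - self.last_action < self.cooldown:
            return False  # still inside the cooldown from the previous action
        self.last_action = t
        self.recent.append(t)
        return True

def actions_fired(policy, events):
    """Run (t_seconds, severity) events through a fresh gate; return the times it acted."""
    gate = ModuleGate(policy)
    return [t for t, sev in events if gate.decide(t, sev)]
# Constructed burst: eight MEDIUM prompt-injection detections two seconds apart.
INJECTION_BURST = [(t, "MEDIUM") for t in range(0, 16, 2)]
```

Under these assumptions the vps-agent llm_firewall acts twice on the burst (at 0 s and 10 s) where strict acts once, and a MEDIUM iot_shield event is ignored by vps-agent but acted on by strict.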
Stop Running Naked
Every exposed AI agent instance is a machine with shell access, API keys, and messaging credentials sitting on the open internet. The vps-agent preset exists because these deployments deserve purpose-built defense, not generic infrastructure policies.
curl -fsSL https://1-sec.dev/get | sh && 1sec up && 1sec enforce preset vps-agent
Three commands. Total defense. Your agent deserves it.