manual baseline · 15 minutes · checklist

15‑minute manual baseline

For technical/cautious users who want to verify everything themselves. If you can’t complete an item, treat it as a blocker.

Baseline checklist (in order)

1
Do not expose your dashboard
If it’s reachable from the internet without strong auth, assume compromise risk.
Networking hardening →
2
Restrict who can message the bot
Start allowlist-only. In groups, use mention-only.
Access control →
3
Minimize secrets
Use least-privilege tokens. Never paste secrets into chat.
Secrets →
4
Assume chat is untrusted input
Prompt injection is real. Reduce what the agent can do.
Prompt injection →
5
Verify via logs
If you can’t see what happened, you can’t secure it. Enable/inspect logs.

Fast verification

Panel not exposed

It’s bound locally or behind strong access controls.

Verify →

Only you can trigger

Unknown senders can’t talk to the bot.

Secrets not leaking

No keys in logs, chats, screenshots, or config backups.

Run exposure check → Hardening: networking →