Personal & Consumer Use Cases Best Practices
Ten practices for scoping a personal agent's access, autonomy, and retention before it touches real mail, chat, calendar, or shell.
Use this list when excitement about always-on assistants outruns threat modeling.
How to Use This Checklist
- Work top to bottom; earlier items prevent expensive rework.
- Tick only what is true for your current setup, not the aspirational one.
- If write access or shell is on while early boxes are empty, stop and roll back scopes.
- Re-run after adding any new tool, channel, or household user.
- Keep the filled list next to your token inventory.
A - Scope Before Secrets
- 1. Write one verifiable daily job. Example: "Weekday 7:30 digest of VIP unread + today's events to my private Telegram." Avoid "manage my life."
- 2. Start read-only. Mail list/get, calendar free/busy, and chat post of summaries beat send/book/shell on day one.
- 3. Allowlist who may invoke the agent. Default deny for DMs and groups. Your user ids only until proven otherwise.
- 4. Split draft tools from send/book tools. Require explicit approval payloads for anything socially or financially irreversible.
B - Least Privilege Everywhere
- 5. Grant minimal OAuth scopes and separate app credentials per environment. Revocation should be one dashboard action you have already tested.
- 6. Keep shell off until structured tools fail. If shell is unavoidable, jail paths, allowlist binaries, disable network by default, and approve mutations.
- 7. Bound every wake. Max turns, max tool calls, quiet hours, and a
/pausekill switch that does not require redeploying the host.
C - Privacy, Money, and Memory
- 8. Decide retention on purpose. Prefer short logs, redacted traces, and a small preference store over infinite raw mail embedding.
- 9. Put hard caps on spend and purchases. Consumer shopping/travel flows need per-transaction and daily limits plus human confirm above a low threshold.
- 10. Document wipe and incident steps. Token revoke order, memory delete, backup scrub, and who gets notified if the host is compromised.
Applying the Habits in Order
| Stage | Habits | Exit criterion |
|---|---|---|
| Intent | 1 | Single job with a success check |
| First deploy | 2-4, 7 | Read-only digest in an allowlisted channel |
| Real accounts | 5, 8 | Minimal scopes; retention written down |
| Power features | 6, 9 | Shell/purchases only with gates and caps |
| Ongoing | 10 | Wipe drill completed once |
Quick "Do Not Connect That Account Yet" Signals
- No sender allowlist on the chat bot.
- Send-mail scope enabled "for later."
- Agent runs as your primary OS login with sudo.
- Memory store is an unencrypted volume on a shared machine.
- You cannot name the max-turn limit without looking at code.
- Household members can trigger the same tool identity.
- Backups of
.envlive in random cloud folders.
FAQs
How many checklist items are mandatory?
Treat 1, 2, 3, 5, and 7 as mandatory before production-like use. Treat 6 and 9 as mandatory before shell or purchases.
Can I enable send-mail for a demo?
Use a throwaway account. Never demo auto-send on your primary identity.
Is a hosted consumer product exempt from this list?
No. You still choose permissions, payment methods, and what you paste into chats. Vendor UX is not a threat model.
How often should I rotate bot and API tokens?
On device loss, collaborator changes, suspected leak, and on a calendar cadence you will actually keep (for example quarterly).
What is a good first week success metric?
You trust the digest enough to open fewer apps, with zero unintended outbound messages.
Should preferences be writable by the model?
Prefer human-edited prefs. If the model may update them, log diffs and require approval for security-relevant keys.
How do Clawdbot/OpenClaw-style systems change the checklist?
They do not. Any always-on personal host with tools must pass the same access gates; treat project names as patterns.
What if I only use the agent for shopping research?
Still apply 1, 7, 8, and 9. Skip mail scopes entirely if they are not required.
Can quiet hours break urgent alerts?
Yes. Maintain a tiny VIP break-glass rule if you need true emergencies, and log every break-glass fire.
Where should this checklist live?
Beside your secrets manager inventory and the host's README - not only in a chat history.
What is the most common personal-agent incident?
Over-scoped bot in a group chat or open DM, plus a write tool, plus injected or careless instructions.
When should I remove tools after launch?
Anytime a tool is unused for a month or involved in a near-miss. Shrinking action space is a feature.
Related
- What a Personal AI Agent Actually Does Day to Day - pattern you are scoping
- Personal & Consumer Use Cases Basics - hands-on first jobs
- Chat-Integrated Agents - channel allowlisting
- Email and Calendar Agents - draft vs send discipline
- Shell-Access Personal Agents - why shell is last
- Why Self-Hosting a Personal Agent Appeals to Privacy-Conscious Users - trust-boundary choices
- Self-Hosted Personal Agents Best Practices - runtime ops companion
Stack versions: Pins from the category manifest (verify at build): OpenRouter (~315+ models, July 2026 pricing/fees); LangGraph 1.0+; CrewAI 1.14+; Microsoft Agent Framework 1.0; Vercel AI SDK 6; Pydantic AI (latest); LlamaIndex (latest); OpenAI Agents SDK (latest + MCP); MCP (Linux Foundation governance); A2A (HTTP+SSE+JSON-RPC 2.0); Solana
@solana/web3.js+@solana/spl-token.