Before You Start
This checklist applies to any self-hosted AI assistant — OpenHuman, Open WebUI with extensions, or any tool that requests OAuth access to your accounts. Print it or keep it open in a tab while you evaluate.
- Check each box before connecting your first account.
- If any box fails, resolve it before proceeding.
- Re-run this checklist quarterly or after any major update.
The 10-Point Checklist
Each point includes what to check, why it matters, and how to verify.
- ☐ 1. Verify the install source. Check that the installer or script comes from the official repository or signed release. Never run curl-to-bash or PowerShell remote-invoke without reading the script first. Why: supply-chain attacks often start with tampered install scripts.
- ☐ 2. Confirm local storage claims. Verify that memory, tokens, and fetched data are stored on your machine — not synced to a remote backend. Check the app's settings for storage paths. Why: 'local-first' marketing does not always mean local-only.
- ☐ 3. Audit OAuth scopes. For every integration, read the permission screen carefully. Reject scopes broader than your use case requires. Why: over-scoped permissions create unnecessary attack surface.
- ☐ 4. Check token encryption. Verify that OAuth tokens are encrypted at rest (AES-256 or equivalent) and that the encryption key is not trivially accessible. Why: unencrypted tokens on disk are a high-value target for local attackers.
- ☐ 5. Understand the OAuth flow. Know whether the initial exchange routes through a vendor proxy or goes directly to your machine. Why: proxy-based exchange means a third party briefly handles your token.
- ☐ 6. Test deletion. Connect one low-risk account, sync data, then delete a specific item. Verify it disappears from the vault, SQLite store, and search index. Why: incomplete deletion is a privacy failure.
- ☐ 7. Test revocation. Revoke a connector token at the source service, then confirm the app handles it gracefully (no crashes, no stale data access). Why: token leakage response matters as much as prevention.
- ☐ 8. Review inference routing. Know which tasks run locally and which route to cloud providers. Document this for each integration. Why: local storage is meaningless if all your data is sent to cloud LLMs for processing.
- ☐ 9. Check for a security audit. Look for published independent audit reports or CVE history. Why: absence of an audit does not prove insecurity, but it means you are trusting unaudited code with sensitive data.
- ☐ 10. Start with a test account. Never connect banking, legal, health, or primary corporate accounts on first install. Why: early-beta software can have unexpected behavior. Low-stakes testing protects your critical data.
What to Do If a Check Fails
Do not connect accounts until all checks pass. Here is how to handle common failures.
- Install source unverified → use the signed installer from the official product page, or audit the script personally.
- Storage not local → check config.toml or settings for storage paths. If data routes to a cloud backend, decide whether that is acceptable.
- OAuth scopes too broad → decline and look for a narrower scope option. If none exists, skip that integration.
- No token encryption → this is a hard stop. Do not connect any account until encryption is confirmed.
- No security audit → use a dedicated test account with fake data. Wait for an audit before connecting production accounts.
Checklist for Specific Tools
How each major tool scores on this checklist.
- OpenHuman: passes checks 1, 2, 4, 5, 6, 7, 8 with configuration. Fails check 9 (no audit published as of June 2026). Check 3 depends on your OAuth scope choices. Check 10 is strongly recommended.
- Open WebUI: passes checks 1, 2, 3, 4, 5, 9 (mature project with community scrutiny). Checks 6 and 7 are less relevant (no OAuth connectors by default). Check 8 depends on model configuration.
- AnythingLLM: passes checks 1, 2, 3, 4, 5, 9. Checks 6 and 7 less relevant (no OAuth by default). Check 8 depends on model configuration.
- OpenHands: passes checks 1, 2, 4, 9. Check 3 depends on GitHub OAuth scopes. Check 5 uses direct OAuth. Check 8 depends on model configuration.
- AutoGPT: passes checks 1, 2, 4. Check 3 depends on API key scope. Check 5 uses direct API keys. Check 9 has community scrutiny but no formal audit. Check 8 is critical — AutoGPT can autonomously call external APIs.
Do I need to run this checklist for every integration?
Yes. Each integration has different OAuth scopes, data sensitivity, and risk profiles. Run the full checklist for your first integration, then at minimum checks 3, 6, 7, and 8 for each additional one.
What if the tool has no security audit?
Use a dedicated test account with non-sensitive data. Do not connect banking, legal, health, or primary corporate accounts. Re-evaluate when an audit is published. This is not paranoia — it is standard practice for unaudited software handling sensitive data.
How do I verify local storage claims?
Check the app's settings for storage path configuration. Open the folder and confirm your data appears there. Disconnect the internet and verify the app still shows synced data. Inspect file contents to confirm they are not encrypted blobs pointing to a remote URL.
Can I use this checklist for cloud AI assistants too?
Partially. Checks 1, 3, 5, 8, 9, and 10 apply to cloud assistants. Checks 2, 4, 6, and 7 are specific to self-hosted tools. For cloud assistants, add: verify data retention policies, check export/deletion rights, and review the vendor's security certifications.