
Installing OpenClaw Safely


TL;DR: OpenClaw has 24 security issues and was the target of a supply chain attack involving 1,184 malicious skills. If you're running it anyway, here's the only safe way: a dedicated disposable VM, Docker sandboxing with read-only filesystems, localhost-only binding with token auth, and aggressive feature minimization. Even then, you're exposed to prompt injection and API key exfiltration—so never put sensitive data on that machine.

OpenClaw: Safe Installation Guide

Context

OpenClaw has 24 known security issues, 6 CVEs, 512 audit findings, 135K exposed instances, and the ClawHavoc supply chain attack (1,184 malicious skills). This guide covers the safest way to install and harden it.


Tier 1: Dedicated, Disposable Environment (Non-Negotiable)

Control -- Why

  • Dedicated VM or VPS -- Never run on your primary machine. A $5-10/mo VPS or a local VM is disposable if compromised
  • Fresh, throwaway accounts -- Dedicated email, dedicated messaging accounts. No reuse of your real credentials
  • No access to sensitive data -- No API keys for sensitive services, no production credentials, no SSH keys to production systems on this machine
  • Separate network segment -- The OpenClaw host should not be able to reach your LAN, NAS, or other machines

Tier 2: Docker Sandbox Configuration

# In your OpenClaw config (~/.openclaw/config.yaml)
sandbox:
  mode: "all"              # Sandbox EVERYTHING, not just non-main
  scope: "session"         # Each session gets its own container, destroyed on end
  workspace:
    access: "ro"           # Read-only -- research agents don't need to write files
  network:
    egress: "allowlist"    # Only allow outbound to specific domains

Allowlist only what's needed:

  • LLM API endpoints (api.anthropic.com, api.openai.com)
  • News/data sources you actually use (e.g., specific financial APIs)
  • Block everything else

Tier 3: Minimize the Attack Surface

# Disable features you don't need for research
gateway:
  bind: "127.0.0.1"        # Localhost only, NEVER 0.0.0.0
  auth:
    mode: "token"           # Require auth even on localhost

# Disable risky capabilities
skills:
  disabled:
    - skill-creator         # Can create arbitrary new skills
    - clawhub               # Marketplace for third-party skills (ClawHavoc vector)
    - browser               # Full browser automation -- overkill for research

elevated_mode: false        # NEVER enable -- bypasses all sandboxing

exec_approvals:
  default: "deny"           # Require explicit approval for every shell command
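
A small audit script that checks a parsed config against the Tier 2 and Tier 3 settings above, so a drifted or freshly generated config can be caught before the gateway starts. This is an added example, not OpenClaw's or SaferClaw's own tooling; the key layout (gateway.bind, sandbox.mode, skills.disabled, and so on) is assumed from the snippets in this guide, and both sample configs are constructed. In practice you would feed it the output of yaml.safe_load on ~/.openclaw/config.yaml.

```python
# Added example, not OpenClaw's own code: audit a parsed config against the
# hardening settings in this guide. The key layout (gateway.bind, sandbox.mode,
# ...) is assumed from the snippets above; both sample configs are constructed.
RULES = [  # (dotted path, required value, reason): one entry per Tier 2/3 setting
    ("gateway.bind", "127.0.0.1", "never expose the gateway on 0.0.0.0"),
    ("gateway.auth.mode", "token", "require auth even on localhost"),
    ("sandbox.mode", "all", "sandbox every agent, not just non-main"),
    ("sandbox.workspace.access", "ro", "research agents do not write files"),
    ("sandbox.network.egress", "allowlist", "block outbound except needed APIs"),
    ("exec_approvals.default", "deny", "every shell command needs approval"),
    ("elevated_mode", False, "elevated mode bypasses all sandboxing"),
]
RISKY_SKILLS = {"skill-creator", "clawhub", "browser"}

def get_path(cfg, path, default=None):
    """Walk a dotted path through nested dicts; missing keys yield `default`."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit(cfg):
    """Return one finding per violated rule (empty list = hardened). Unset keys
    are reported as well: every safe value must be set explicitly."""
    findings = []
    for path, required, reason in RULES:
        actual = get_path(cfg, path, "<unset>")
        if actual != required:
            findings.append(f"{path}={actual!r}, expected {required!r}: {reason}")
    for skill in sorted(RISKY_SKILLS - set(get_path(cfg, "skills.disabled", []))):
        findings.append(f"skills.disabled lacks {skill}: risky skill still enabled")
    return findings

# Constructed sample: a permissive config that violates several rules.
WEAK_CONFIG = {
    "gateway": {"bind": "0.0.0.0"},
    "sandbox": {"mode": "non-main"},
    "elevated_mode": True,
    "skills": {"disabled": ["browser"]},
}
# Constructed sample: the Tier 2 and Tier 3 settings combined.
HARDENED_CONFIG = {
    "gateway": {"bind": "127.0.0.1", "auth": {"mode": "token"}},
    "sandbox": {"mode": "all", "workspace": {"access": "ro"}, "network": {"egress": "allowlist"}},
    "skills": {"disabled": ["skill-creator", "clawhub", "browser"]},
    "elevated_mode": False,
    "exec_approvals": {"default": "deny"},
}
```

Running audit(WEAK_CONFIG) lists nine findings (the open bind, missing auth, partial sandboxing, elevated mode, and the two still-enabled risky skills), while audit(HARDENED_CONFIG) returns an empty list.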

Tier 4: Research-Focused Agent Configuration

# ~/.openclaw/agents/researcher/agent.yaml
name: researcher
model: claude-sonnet-4-5-20250929
tools:
  allowed:
    - web_fetch
    - web_search
  denied:
    - bash
    - file.write
    - file.delete
    - exec

system_prompt: |
  You are a research assistant. Your job is to:
  - Find and summarize information from public sources
  - Synthesize research into actionable insights
  You do NOT execute code, write files, or take any actions beyond research.

Tier 5: Consider SaferClaw

SaferClaw is a community-built hardened wrapper that pre-applies most of the above:

  • Disabled elevated mode
  • Removed risky skills (skill-creator, clawhub)
  • Disabled auto-approval
  • Network isolation behind nginx + token auth
  • systemd hardening (PrivateTmp, ProtectHome, NoNewPrivileges)
  • Execution timeouts (600s per execution, 1800s per agent)

Deployment Architecture

Your laptop (trusted)
    |
    |  SSH tunnel or Tailscale
    |
    v
Dedicated VPS ($10/mo)
    |
    +-- Docker container (sandboxed)
    |   +-- OpenClaw gateway (localhost:18789)
    |       +-- Research agent (web_fetch + web_search only)
    |           +-- LLM API calls (Claude/GPT)
    |
    +-- Firewall: deny all inbound, allowlist outbound

Residual Risks

Even with all of the above:

  1. Prompt injection via ingested content -- a webpage the agent reads could contain instructions that redirect its behavior
  2. LLM API key exposure -- if the container is compromised, your API key is exposed. Use a dedicated API key with spend limits
  3. Data exfiltration via LLM API -- a compromised agent could encode sensitive data into its LLM requests. Mitigated by not having sensitive data on the machine
  4. Supply chain -- OpenClaw itself or its npm dependencies could be compromised. Mitigated by running on a disposable, isolated machine