Don't Run OpenClaw on Your Main Machine

OpenClaw gives an AI agent full access to your system. Here's why you should run it on an isolated cloud VM instead.


Originally published on SkyPilot Blog by Alex Kim.


🤖 What is OpenClaw?

OpenClaw is a self-hosted AI agent that connects to WhatsApp, Telegram, Slack, Discord, and dozens of other services. It exploded to over 215k GitHub stars in a matter of weeks.

It runs a persistent "gateway" process connecting LLMs (primarily Anthropic's Claude) to your messaging platforms. You chat with it like texting a friend, and it executes tasks using powerful tools:

  • 🖥️ Shell execution: run commands on the host machine
  • 🌐 Browser automation: navigate websites, fill forms, take screenshots via Playwright
  • 📁 File operations: read, write, and edit files
  • 🔌 100+ integrations: Gmail, GitHub, Notion, Spotify, calendars, and more
  • 🧠 Persistent memory: vector-based memory across conversations
  • ⏰ Scheduled tasks: cron-like "heartbeats" that run autonomously

OpenClaw also powers Moltbook, a social network for AI agents with 770,000+ active agents in its first week. It has been covered by The New York Times, The Economist, and CACM.


⚠️ Why Not Run It on Your Main Machine?

OpenClaw gives the AI agent roughly the same level of access you have. The agent can:

  • Execute shell commands as your user (or root)
  • Read SSH keys, .env files, browser cookies
  • Send emails and interact with APIs using your credentials
  • Install software and modify system configs

A single prompt injection, a malicious instruction hidden in an email or web page, can turn all of this against you.

Andrej Karpathy warned: "giving my private data/keys to 400K lines of vibe coded monster that is being actively attacked at scale is not very appealing at all."


🔓 Real Vulnerabilities Found

Vulnerability and impact:

  • CVE-2026-25253: unauthenticated WebSocket extraction of auth tokens
  • 21,000+ exposed instances: publicly accessible gateways on the open internet
  • Moltbook database leak: anyone could take control of any agent
  • Supply chain attacks: abandoned package names hijacked for malicious updates

The OpenClaw maintainers themselves acknowledge: "There is no 'perfectly secure' setup."


πŸ—οΈ Your Isolation Options

Option, pros, and cons:

  • Docker. Pros: easy setup, partial isolation. Cons: still on your machine, Docker escape risk.
  • Dedicated hardware. Pros: full physical isolation. Cons: expensive ($599+ Mac Mini), maintenance burden.
  • Cloud VM ⭐ (recommended). Pros: strongest isolation, cheapest to start. Cons: requires cloud account setup.

☁️ Setting Up on a Cloud VM with SkyPilot

SkyPilot is an open-source framework for running workloads on any cloud. Launch OpenClaw with one command on AWS, GCP, Azure, and more.

Step 1: Install SkyPilot

pip install 'skypilot[aws]'   # install SkyPilot with the AWS extras (swap in gcp, azure, etc. as needed)
sky check                     # verify which clouds are configured and usable

Step 2: Launch OpenClaw

sky launch -c openclaw openclaw.yaml --env ANTHROPIC_API_KEY   # the key is read from your local environment, never typed on the command line

SkyPilot provisions a VM, installs OpenClaw, generates an auth token, and starts the gateway.

Step 3: Access via SSH Tunnel

ssh -L 18789:localhost:18789 openclaw   # forward local port 18789 to the gateway listening on the VM's loopback

Then open http://localhost:18789. No ports are exposed to the public internet!
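The value of the tunnel-only setup is that the gateway listens on loopback and nothing else. As an added defender-side check (not from the original post, and not part of SkyPilot or OpenClaw), the script below takes listener output in the format of `ss -ltn`, as you would capture it on the VM, and flags any listener on the gateway port that is bound to something other than a loopback address. The two listings are constructed samples, and port 18789 is the one the post uses.

```shell
#!/bin/sh
# Added example; not code from the original post, SkyPilot or OpenClaw.
# Parses `ss -ltn`-style output and reports gateway listeners that are not on loopback.
GATEWAY_PORT=18789

# check_gateway_binding LISTING
#   LISTING is the text of `ss -ltn` (columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port ...).
#   Prints every non-loopback local address bound to $GATEWAY_PORT, one per line.
#   Returns 0 when the gateway is loopback-only, 1 when it is exposed.
check_gateway_binding() {
    listing="$1"
    exposed=$(printf '%s\n' "$listing" | awk -v port="$GATEWAY_PORT" '
        NR > 1 {
            addr = $4                      # "Local Address:Port" column
            p = addr; sub(/.*:/, "", p)    # port part
            host = addr; sub(/:[0-9]+$/, "", host)   # address part, e.g. 127.0.0.1, 0.0.0.0, [::], *
            if (p == port && host != "127.0.0.1" && host != "[::1]" && host != "::1")
                print host
        }')
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Constructed sample listings (not captured from a real VM).
SAFE_LISTING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

EXPOSED_LISTING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Demonstration on the constructed samples. On the VM you would run:
#   check_gateway_binding "$(ss -ltn)" || echo "gateway exposed"
if check_gateway_binding "$EXPOSED_LISTING" >/dev/null; then
    echo "sample: gateway bound to loopback only"
else
    echo "sample: gateway exposed on a non-loopback address"
fi
```

Only port 22 should ever appear on a non-loopback address in this listing; anything else on the gateway port means the SSH tunnel is no longer the only way in.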


💬 Connect Messaging Channels

ssh openclaw
openclaw onboard

Or connect directly:

openclaw channels login --channel whatsapp
openclaw channels login --channel telegram
openclaw channels login --channel discord

🔄 Manage Your Cluster

sky stop openclaw    # Pause (preserves state)
sky start openclaw   # Resume
sky down openclaw    # Permanently destroy

✅ What Isolation Buys You

  • 🔐 Credentials stay local: SSH keys, cookies, VPN creds never touch the VM
  • 💥 Bounded blast radius: compromise is limited to bare Linux + OpenClaw
  • 🚫 No exposed ports: SSH tunnel only, avoiding the 21,000+ exposed instances problem
  • 🧹 Real cleanup: sky down destroys everything completely
  • 💰 Low cost: ~$0.03–0.05/hour, under $30/month 24/7 (vs $599+ Mac Mini)

🎯 Conclusion

OpenClaw is one of the first AI agents to see real adoption beyond demos. But the security tradeoffs are real: prompt injection is unsolved, vulnerabilities have been exploited in the wild, and the tool requires broad system access.

A cloud VM keeps OpenClaw away from your personal data. Use the SkyPilot YAML to automate it across any cloud.


For more, star the SkyPilot GitHub repo, follow @skypilot_org, or join the SkyPilot Slack.