points
1 month ago
| 3 comments
| HN
We've been seeing a lot of people run OpenClaw directly on their main machine, which is a bad idea for a few reasons: it needs broad system access, it's noisy on resources, and if something goes wrong you want a clean blast radius. The obvious answer is "just isolate it," but isolation has real friction. You need to provision a machine, handle SSH keys, configure security groups, and remember to tear things down so you're not leaking money. This post walks through the three realistic options:

Docker – lowest friction, but shares your kernel and has limits depending on what OpenClaw needs to do Dedicated hardware – best isolation, but you're paying 24/7 and it takes time to set up Cloud VM – the sweet spot for most people: true isolation, pay-per-use, tear it down when you're done

For the cloud VM path, we show how to launch a hardened OpenClaw environment on AWS, GCP, Azure, or any other cloud with a single command, handling provisioning, SSH, and auto-teardown for you.

croes
1 month ago
[-]
That’s only half of the problem.

People give OpenClaw access to their online services like mails where it can also do damage.

A hardened environment doesn’t prevent those kind of damage

reply
ziml77
1 month ago
[-]
As people have pointed out in other threads, you don't even need access to these services to cause problems. As long as the AI can send any bytes out, it can leak information. Like you may think of an HTTP GET as read-only, but you can pack any data you want into the URL or headers.
reply
avoutic
1 month ago
[-]
In the end it will all be about separation of duty between agents in a larger team and isolating the ones that need more access to your private stuff.

Wardgate acts like a drop in replacement for curl with full access control at the url / method / content level, so you can allow specific curl access to specific APIs but prevent all other outbound connections. That's what I use for my PA agent. She's very limited and can't access the open internet. Doesn't need it either

reply
leptons
1 month ago
[-]
You can also stuff data into a GET request body, I've seen some devs do it and I related my disapproval about it.
reply
alt187
1 month ago
[-]
There's no hardening against idiocy.
reply
avoutic
1 month ago
[-]
It does, of you use WardGate [1] and only allow read and archive access and only delete access on your inbox but nothing else for instance.

1 https://github.com/wardgate/wardgate

reply
ekropotin
1 month ago
[-]
I think you can't see the forest for the trees. The issue is not a process isolation, it’s pretty trivial to solve in a lot of ways. The actual problem is LLMs proneness to the prompt injection. The second you give an agent ability to consume the info from the outside world - like reading emails; you expose yourself to this ginormous security vulnerability. I genuinely don’t understand how people able to sleep at night knowing anyone can trick the magic process with access to their digital lives to do absolutely anything.
reply
markb139
1 month ago
[-]
It seems to be perfectly happy to run on virtual box with a Debian install. The host pc is running a local model. I’m quite impressed with what it’s capable of.
reply