HomeBlogBlog Feed
Blog Feed

Avoid Running OpenClaw on Your Primary Device

SL
Shoeb Lodhi
March 2, 2026
Avoid Running OpenClaw on Your Primary Device

Avoid Running OpenClaw on Your Primary Device

OpenClaw provides an AI agent with unrestricted access to your system. This article discusses the reasons to operate it on a separate cloud VM and outlines how to do so.

Shoeb Lodhi · Feb 26, 2026 · 13 min read

Table of Contents

  • What OpenClaw does
  • Why you shouldn’t run it on your main machine
  • Prompt injection problem
  • Real vulnerabilities have already surfaced
  • Your isolation options
  • Setting up OpenClaw on a cloud VM
  • Simplifying with SkyPilot
  • Quickstart
  • Connecting messaging channels
  • Managing the cluster
  • What isolation buys you
  • Wrapping up
  • Appendix A: Persistent storage with S3
  • Appendix B: Syncing state with rsync

What OpenClaw does

OpenClaw serves as a self-hosted AI agent that interfaces with services like WhatsApp, Telegram, Slack, Discord, and many others. By assigning it tasks via chat, it can execute shell commands, navigate the web, manage files, and call APIs on your behalf. It gained significant popularity, amassing over 215k stars on GitHub within just weeks.

The AI agent requires extensive access to the machine it operates on, including shell execution, file system access, and browser automation. While these features enhance its functionality, they also pose risks when installed on a personal laptop. Following its rapid rise, numerous reports emerged detailing exposed instances, prompt injection attacks, and harmful plugins.

This article will delve into why you should avoid running OpenClaw on your primary device, explore your isolation options, and guide you through setting it up on a cloud VM.

Why you shouldn’t run it on your main machine

The architecture of OpenClaw grants the AI agent a level of access that closely resembles your own permissions on the machine. When security experts assert that it has “root access,” their claims are not unfounded. The capabilities of the agent include:

  • Executing shell commands as your user (or as root with elevated permissions)
  • Reading any file accessible to your user, including SSH keys, .env files, and browser cookies
  • Sending emails, posting messages, and interfacing with APIs using your stored credentials
  • Installing software, altering system configurations, and running processes in the background

These features are integral to the agent’s functionality. However, a single prompt injection—an insidious instruction concealed in an email, webpage, or chat message—can leverage all that access against you.

Andrej Karpathy expressed his concerns after acquiring a Mac Mini for OpenClaw experimentation, stating he felt “a bit sus’d to run OpenClaw specifically – giving my private data/keys to 400K lines of vibe coded monster that is being actively attacked at scale is not very appealing at all.” He highlights troubling reports of exposed instances, remote code execution vulnerabilities, supply chain attacks, and malicious skills within the registry, labeling the situation as “a complete wild west and a security nightmare.”

Prompt injection problem

The primary challenge lies in the fact that large language models (LLMs) struggle to differentiate between legitimate commands and harmful ones embedded in the content they process. As security researcher Nathan Hamiel articulated in Gary Marcus’s analysis: “These systems are operating as ‘you.’ They operate above the security protections provided by the operating system and the browser. Application isolation and same-origin policy don’t apply to them.”

This is not a hypothetical scenario. Within days of its launch, Moltbook encountered an attack, with researchers demonstrating that AI-to-AI manipulation is “both effective and scalable.” A malicious plugin titled “What Would Elon Do?” was discovered to be exfiltrating session tokens via hidden prompt injection.

Real vulnerabilities have already surfaced

Several vulnerabilities have come to light, including:

  • CVE-2026-25253: An unauthenticated WebSocket vulnerability that enabled malicious websites to silently extract authentication tokens and send commands to OpenClaw instances.
  • 21,000+ exposed instances: Researchers uncovered thousands of publicly accessible OpenClaw gateways on the internet.
  • Moltbook database leak: The Moltbook database was exposed, granting anyone control over any agent on the platform.
  • Supply chain attacks: Each rebranding of OpenClaw (Clawdbot -> Moltbot -> OpenClaw) left behind abandoned package names that attackers exploited to push malicious updates.

The maintainers of OpenClaw acknowledge the difficulties in their documentation, stating: “There is no ‘perfectly secure’ setup.”

The consensus among security researchers is unambiguous: run OpenClaw in a controlled environment. This could be through a Docker container, a dedicated virtual machine, or even a separate physical device—keeping it isolated from your personal data and credentials.

Your isolation options

If you intend to run OpenClaw while safeguarding your personal machine, it is essential to explore isolation options.

Key Takeaways

  • Run OpenClaw in an isolated environment.
  • Be aware of security vulnerabilities and risks.
  • Consider using cloud VMs for safer operation.

Frequently Asked Questions

What is OpenClaw?

OpenClaw is a self-hosted AI agent that connects to various messaging platforms and executes tasks.

Why is it risky to run OpenClaw on a personal machine?

It grants deep access to the machine, making it vulnerable to security threats like prompt injection.

What are the recommended isolation methods for OpenClaw?

Using a Docker container, a dedicated VM, or a separate physical device is advised.

Ready to Build Revenue Systems That Scale?

Book a strategy call to discuss how AI automation applies to your business.

Book Strategy Call →