Hacker News

Setting up OpenClaw on a cloud VM

68 points by hopechong today at 6:06 PM | 48 comments

Comments

jesse_dot_id today at 7:23 PM

Are prompt injections solved? If OpenClaw is only useful when it has access to your digital life, then why does it matter where it runs? You might as well be asking me to keep my dead man's switch safely on the moon. If you find this software useful, you are sharing a countdown to a no good very bad day with everyone else who finds it useful. One zero-day prompt injection technique, your e-mail on a distribution list, and that's all she wrote.

LostAndSmelly today at 6:30 PM

Your AI should not be in a position to submit a resignation email or send a text to your partner asking for a divorce.

andersmurphy today at 6:37 PM

I'm surprised people don't use Lima (quick headless local VMs where you can mount a folder). [1]

[1] - https://lima-vm.io/docs/examples/ai/

appsoftware today at 8:58 PM

I'd add using Discord as your chat channel to limit access to your contacts, and isolating access to personal data via MCP servers: https://www.appsoftware.com/blog/openclaw-running-a-secure-c...

seniorThrowaway today at 6:51 PM

It's really not that hard to run them in Docker. Can give them a Nestybox (with a little work) sidecar so they can run Docker-in-Docker. As far as permissions, the only mental model that makes sense to me is treating them like actual people. Bound their permissions in the other systems, not on their own machines, basically zero trust. For instance, for email, most mail apps have had delegated permissions for a while; executives use it to have their assistants read and write their mail. That's what is needed with these too.

dadro today at 7:53 PM

The recent releases of OpenClaw have made running it on Docker/Podman much easier. I've been running it on a standalone Lenovo ThinkCentre running inside Docker. For my needs the setup works well. There are some limitations like hardware and filesystem access with my workstation (MacBook) but largely solvable and I like the isolation. For locking it down further, particularly on the network level, someone recently released https://nono.sh/ which seems promising. I've been using https://clawchat.dev/ on my MacBook for chatting with the OpenClaw agent. It is rough around the edges but gets the job done.

alienbaby today at 6:39 PM

Put it in a box and then give it read/write access to all your valuable data. That'll do it....

Frannky today at 7:46 PM

I recently installed Zeroclaw instead of OpenClaw on a new VPS (it seems a little safer). It wasn't as straightforward as OpenClaw, but it was easy to set up. I added skills that call endpoints and also cron jobs to trigger recurrent skills. The endpoints are hosted on a separate VPS running FastAPI (Hetzner, ~$12/month for two VPSes).

I'm assuming the claw might eventually be compromised. If that happens, the damage is limited: they could steal the GLM coding API key (which has a fixed monthly cost, so no risk of huge bills), spam the endpoints (which are rate-limited), or access a Telegram bot I use specifically for this project.

skybrian today at 8:09 PM

I think this might be exaggerated, but some possibly relevant humor: https://use-a-vps.exe.xyz/

sigmar today at 6:33 PM

instead of me doing 'pip install skypilot' in a terminal, why doesn't skypilot make a skypilot smartphone app that will provision the cloud resource? then could even get rid of the whatsapp/telegram dependency by making the app a messaging client (to communicate with the openclaw server)

yoyohello13 today at 7:44 PM

It's hilarious watching people discover security again. Everyone plugging their favorite sandbox technology. Yes, sandboxing processes is a thing that has existed for a long time and there are a million tools that do it. Systemd has it built in, for example. Even Claude Code itself has sandboxing and permissions built in.

Process isolation is not the danger with OpenClaw. Giving an LLM access to all your shit is the problem. My solution is to treat it like a human, give it its own accounts, scoped to what you want it to do, and accept the risks associated with that. If I had a human assistant I wanted to read my email, I'd set up an inbox for them specifically and forward what I want them to screen. I don't use OpenClaw, but have a similar harness I built that runs as an unprivileged Linux user with access to just what I want it to access.

I know it's not in vogue to actually know how technology works anymore, but we have literally decades' worth of technology solutions for authentication/authorization, just fucking use it.

arjie today at 8:22 PM

To be honest, anyone with a Claude Code subscription can just write their own in moments. My own assistant has its own email address and Apple ID and interacts primarily via a Telegram bot. I share my calendar with it and my email syncs down and is indexed, but it sends email via its own Gmail account.

The interesting part about OpenClaw is that if you give a world-class model an arbitrary number of skills then emergent behavior mimicking intelligent assistance appears. The structural pieces of that are just long-term memory, an agentic loop, a messaging system, and self-modification.

You can get something quite functional out of:

* A memory.md

* A hand-rolled agent loop (this is just "keep calling till num tries exhausted or agent says stop") - claude knows how to write openai function call syntax and codex tool call syntax

* A Telegram bot

* Access to a persistent filesystem for it to build itself skills

It can be quite expensive to run, but a trick that is supported[0] is to use a Codex subscription by getting a codex cli token and using that. OpenAI explicitly supports this, so you can just use it.

You can try to make improvements to this structure in all sorts of ways using all sorts of tools and get somewhere but this much is all you need. You really have to just give yourself 2 hours with Claude Code and a similar prompt to get somewhere. This is the first time in history that personal software has been this accessible to everyone.

0: someone here told me about it https://news.ycombinator.com/item?id=47151310
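
An added example, not part of arjie's comment and not OpenClaw code: a minimal version of the bounded loop described above ("keep calling till num tries exhausted or agent says stop"), with the tool set as a deny-by-default allowlist and file access confined to one directory. The tool names, the action format and the scripted stand-in for the model call are assumptions made for illustration.

```python
# Added illustration; tool names and the action dict format are assumptions.
from pathlib import Path
import tempfile

def make_tools(workdir):
    """Allowlisted tools: file access confined to one directory."""
    root = Path(workdir).resolve()
    def confined(name):
        path = (root / name).resolve()  # resolves ".." and symlinks first
        if path != root and root not in path.parents:
            raise PermissionError(f"{name!r} is outside the agent's directory")
        return path
    def read_file(args):
        return confined(args["path"]).read_text()
    def write_file(args):
        confined(args["path"]).write_text(args["text"])
        return "written"
    return {"read_file": read_file, "write_file": write_file}

def run_agent(model, tools, max_tries=5):
    """Call the model until it says stop or the try budget runs out."""
    history = []
    for _ in range(max_tries):
        action = model(history)
        if action["tool"] == "stop":
            break
        handler = tools.get(action["tool"])
        if handler is None:
            # Anything not explicitly granted is refused, whatever the model asks.
            result = "denied: tool not on allowlist"
        else:
            try:
                result = handler(action["args"])
            except OSError as exc:  # includes PermissionError, missing files
                result = f"denied: {exc}"
        history.append((action["tool"], result))
    return history

def demo():
    # Constructed script standing in for real LLM responses.
    script = [
        {"tool": "write_file", "args": {"path": "memory.md", "text": "likes tea"}},
        {"tool": "read_file", "args": {"path": "memory.md"}},
        {"tool": "send_email", "args": {"to": "boss@example.com"}},
        {"tool": "read_file", "args": {"path": "../outside.txt"}},
    ]
    stop = {"tool": "stop", "args": {}}
    model = lambda h: script[len(h)] if len(h) < len(script) else stop
    with tempfile.TemporaryDirectory() as d:
        return run_agent(model, make_tools(d))
```

The denials are returned to the model as ordinary tool results, so the loop keeps running while the boundary is enforced in code the model cannot edit.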

tomComb today at 6:29 PM

I think nanoclaw is actually designed to be run that way.

ok123456 today at 6:31 PM

Firejail seems like the right tool for a somewhat complicated desktop application that you want isolation for, that's not simple to containerize.

m3kw9 today at 7:39 PM

most people want openclaw to access their personal files, that's the big use case.

retinaros today at 7:18 PM

serious question why anyone on hn would run this?

spiralcoaster today at 7:43 PM

Guys, remember, when you set up your AI-controlled automatic machine gun in your front lawn, be sure to do it safely and pour a solid concrete foundation for it to sit atop of. We wouldn't want it to cause harm or injury by tipping over.

insane_dreamer today at 7:23 PM

this is why we can't have nice things ...

sekuraai today at 9:09 PM

[dead]

hopechong today at 6:06 PM

We've been seeing a lot of people run OpenClaw directly on their main machine, which is a bad idea for a few reasons: it needs broad system access, it's noisy on resources, and if something goes wrong you want a clean blast radius. The obvious answer is "just isolate it," but isolation has real friction. You need to provision a machine, handle SSH keys, configure security groups, and remember to tear things down so you're not leaking money. This post walks through the three realistic options:

* Docker – lowest friction, but shares your kernel and has limits depending on what OpenClaw needs to do

* Dedicated hardware – best isolation, but you're paying 24/7 and it takes time to set up

* Cloud VM – the sweet spot for most people: true isolation, pay-per-use, tear it down when you're done

For the cloud VM path, we show how to launch a hardened OpenClaw environment on AWS, GCP, Azure, or any other cloud with a single command, handling provisioning, SSH, and auto-teardown for you.
