tomComb 2026-02-27 18:29 UTC link

I think nanoclaw is actually designed to be run that way.

LostAndSmelly 2026-02-27 18:30 UTC link

Your AI should not be in a position to submit a resignation email or send a text to your partner asking for a divorce.

ok123456 2026-02-27 18:31 UTC link

Firejail seems like the right tool for a somewhat complicated desktop application that you want isolation for, that's not simple to containerize.

sigmar 2026-02-27 18:33 UTC link

instead of me doing 'pip install skypilot' in a terminal, why doesn't skypilot make a skypilot smartphone app that will provision the cloud resource? then could even get rid of the whatsapp/telegram dependency by making the app a messaging client (to communicate with the openclaw server)

andersmurphy 2026-02-27 18:37 UTC link

I'm surprised people don't use Lima (quick headless local VMs where you can mount a folder). [1]

[1] - https://lima-vm.io/docs/examples/ai/

alienbaby 2026-02-27 18:39 UTC link

Put it in a box and then give it read write access to all your valuable data. That'll do it....

seniorThrowaway 2026-02-27 18:51 UTC link

It's really not that hard to run them in docker. Can give them a nestybox (with a little work) sidecar so they can run docker-in-docker. As far as permissions, the only mental model that makes sense to me is treating them like actual people. Bound their permissions in the other systems not on their own machines, basically zero trust. For instance for email, most mail apps have had delegated permissions for a while, executives use it to have their assistants read and write their mail. That's what is needed with these too.

retinaros 2026-02-27 19:18 UTC link

serious question why anyone on hn would run this?

insane_dreamer 2026-02-27 19:23 UTC link

this is why we can't have nice things ...

jesse_dot_id 2026-02-27 19:23 UTC link

Are prompt injections solved? If OpenClaw is only useful when it has access to your digital life, then why does it matter where it runs? You might as well be asking me to keep my dead man's switch safely on the moon. If you find this software useful, you are sharing a count down to a no good very bad day with everyone else who finds it useful. One zero day prompt injection technique, your e-mail on a distribution list, and that's all she wrote.

m3kw9 2026-02-27 19:39 UTC link

most people want openclaw to access their personal files, thats the big use case.

spiralcoaster 2026-02-27 19:43 UTC link

Guys, remember, when you set up your AI-controlled automatic machine gun in your front lawn, be sure to do it safely and pour a solid concrete foundation for it to sit atop of. We wouldn't want it to cause harm or injury by tipping over.

yoyohello13 2026-02-27 19:44 UTC link

It's hilarious watching people discover security again. Everyone plugging their favorite sandbox technology. Yes, sand boxing processes is a thing that has existed for a long time and there are a million tools that do it. Systemd has it built in for example. Even claude code itself has sandboxing and permissions built in.

Process isolation is not the danger with OpenClaw. Giving an LLM access to all your shit is the problem. My solution is to treat it like a human, give it it's own accounts, scoped to what you want it to do and accept the risks associated with that. If I had a human assistant I wanted to read my email, I'd set up an inbox for them specifically and forward what I want them to screen. I don't use OpenClaw, but have a similar harness I built that runs as an unprivileged Linux user with access to just what I want it to access.

I know it's not in vogue to actually know how technology works anymore, but we have literally decades worth of technology solutions for authentication/authorization, just fucking use it.

Frannky 2026-02-27 19:46 UTC link

I recently installed Zeroclaw instead of OpenClaw on a new VPS(It seems a little safer). It wasn’t as straightforward as OpenClaw, but it was easy to setup. I added skills that call endpoints and also cron jobs to trigger recurrent skills. The endpoints are hosted on a separate VPS running FastAPI (Hetzner, ~$12/month for two vps).

I’m assuming the claw might eventually be compromised. If that happens, the damage is limited: they could steal the GLM coding API key (which has a fixed monthly cost, so no risk of huge bills), spam the endpoints (which are rate-limited), or access a Telegram bot I use specifically for this project

dadro 2026-02-27 19:53 UTC link

The recent releases of OpenClaw have made running it on docker/podman much easier. I've been running it on a stand alone Lenovo Thinkcentre running inside docker. For my needs the setup works well. There are some limitations like hardware and filesystem access with my workstation (macbook) but largely solvable and I like the isolation. For locking it down further, particularly on the network level someone recently released https://nono.sh/ which seems promising. I've been using https://clawchat.dev/ on my macbook for chatting with the openclaw agent. It is rough around the edges but gets the job done.

skybrian 2026-02-27 20:09 UTC link

I think this might be exaggerated, but some possibly relevant humor: https://use-a-vps.exe.xyz/

arjie 2026-02-27 20:22 UTC link

To be honest, anyone with a Claude Code subscription can just write their own in moments. My own assistant has its own email address and Apple ID and interacts primarily via a Telegram bot. I share my calendar with it and my email syncs down and is indexed, but it sends email via its own Gmail account.

The interesting part about OpenClaw is that if you give a world-class model an arbitrary number of skills then emergent behavior mimicking intelligent assistance appears. The structural pieces of that are just long-term memory, an agentic loop, a messaging system, and self-modification.

You can get something quite functional out of:

* A memory.md

* A hand-rolled agent loop (this is just "keep calling till num tries exhausted or agent says stop") - claude knows how to write openai function call syntax and codex tool call syntax

* A Telegram bot

* Access to a persistent filesystem for it to build itself skills

It can be quite expensive to run, but a trick that is supported[0] is to use a Codex subscription by getting a codex cli token and using that. OpenAI explicitly supports this, so you can just use it.

You can try to make improvements to this structure in all sorts of ways using all sorts of tools and get somewhere but this much is all you need. You really have to just give yourself 2 hours with Claude Code and a similar prompt to get somewhere. This is the first time in history that personal software has been this accessible to everyone.

0: someone here told me about it https://news.ycombinator.com/item?id=47151310

appsoftware 2026-02-27 20:58 UTC link

I'd add using Discord as your chat channel to limit access to your contacts, and isolating access to personal data via mcp servers https://www.appsoftware.com/blog/openclaw-running-a-secure-c...

croes 2026-02-27 23:46 UTC link

The real problem isn’t that OpenClaw needs access to your system.

> and calls APIs on your behalf

This is the problem.

How does a (cloud) VM prevent that OpenClaw does something bad with that access.

That like giving somebody your credit card but it’s ok because they don’t use it from your house but a place you rented for them.

dSebastien 2026-02-28 06:51 UTC link

I wrote a security-minded setup guide here: https://www.dsebastien.net/how-to-self-host-openclaw-securel...

Spivak 2026-02-27 19:04 UTC link

Because the VM isn't there to protect your data, it's to give the AI a space where it can do things that would be annoying or cause breakages on your own machine. It also gives you an easy save/restore mechanism.

stronglikedan 2026-02-27 19:14 UTC link

As long as the email or text includes the disclaimer "generated with the assistance of artificial intelligence" then you should be fine.

eli 2026-02-27 19:27 UTC link

You still have to trust your executive assistant. I would never give someone I don't trust the ability to read and write emails for me.

quietbritishjim 2026-02-27 19:31 UTC link

It's a bit like the xkcd where the admin account is secure but all the useful information is in the user account anyway.

https://xkcd.com/1200/

plagiarist 2026-02-27 19:37 UTC link

IDGI. It is reading emails, which is a vector for prompt injection. It is also reading emails, which is where all password resets are sent to. Anyone granting even read access to their primary email is playing with fire.

I personally don't see how the daily briefings or whatever are worth the risk.

nowittyusername 2026-02-27 19:42 UTC link

For me at least its an interesting project I can take apart and build on top of. I've built 100% my own agent frameworks from scratch and have learned a lot from them. There is something to be said on learning from others projects as well, also because its an ever evolving project with so many contributes whatever fork you go with of your own, theirs a good chance the new goodies will work with your own modified version. For example I'm looking in to LCM right now, and woo-dent you know it someone ported it to openclaw. But nanobot doesn't have it, so I'm considering working on the LCM port to that. If i succeed i will learn a lot and also contribute to progress in my own little ways.

NitpickLawyer 2026-02-27 19:44 UTC link

What's the difference between lima and vagrant?

richardlblair 2026-02-27 19:48 UTC link

Right? It's asking for trouble.

I was in the repebble comments a few days ago and this person rolled their own for very obvious reasons: https://news.ycombinator.com/item?id=47078454

ASalazarMX 2026-02-27 19:58 UTC link

Both replies to your question give you the two sides. It is a scary, stupid thing to give your house keys to, but it is also very interesting like two trains crashing.

Maybe a middle ground would be isolating it like the article suggests, and poking it with a stick (giving it limited, or newly created accounts) to see what it can do?

brotchie 2026-02-27 20:05 UTC link

The way I solved this was that my open claw doesn't interact directly with any of my personal data (calendar, gmail, etc).

I essentially have a separate process that syncs my gmail, with gmail body contents encrypted using a key my openclaw doesn't have trivial access to. I then have another process that reads each email from sqlite db, and runs gemini 2 flash lite against it, with some anti-prompt injection prompt + structured data extraction (JSON in a specific format).

My claw can only read the sanitized structured data extraction (which is pretty verbose and can contain passages from the original email).

The primary attack vector is an attacker crafting an "inception" prompt injection. Where they're able to get a prompt injection through the flash lite sanitization and JSON output in such a way that it also prompt injects my claw.

Still a non-zero risk, but mostly mitigates naive prompt injection attacks.

amelius 2026-02-27 20:13 UTC link

Can't these claws build their own personalities, and along with it their own personal files?

The claw community is clearly not thinking big enough.

Veen 2026-02-27 20:16 UTC link

It's not a soluble problem, at least not completely. The big frontier models are better at resisting prompt injection, but any LLM is vulnerable to some degree. If you give it access to arbitrary inputs like the web and to your personal data, there's a risk it'll disclose stuff you don't want it to.

It's annoying, because I love OpenClaw as an idea, but I don't trust it enough to give it what it needs to be useful.

MetaWhirledPeas 2026-02-27 20:21 UTC link

I've never used OpenClaw but as I understand it, it has a way of keeping a pseudo memory for context? That alone would be interesting, even if it was only allowed to read the generic internet. Like having a little robot buddy that remembers you and past conversations. Maybe you could have it give you reminders and stuff like you'd do with Alexa?

justinhj 2026-02-27 22:55 UTC link

It's fun to explore how we will communicate and work with our new AI colleagues. We discover with play and play is not always safe.

j-conn 2026-02-28 01:27 UTC link

Have you tried docker sandboxes? https://docs.docker.com/ai/sandboxes/

The docker desktop license requirement is a factor, though. You need a paid subscription if your company has something like 250 employees or $10 million in annual revenue

ekropotin 2026-02-28 01:28 UTC link

Now imagine your human assistant is hypnotised, so that every time they hear a certain word, they loose self control and would follow any command from malicious actor. Would you still hire this person? This is exactly the state of things with OpenClaw.

jzkdroid2 2026-02-28 03:45 UTC link

I tested openclaw for a few days. The way I got around this was creating openclaw it's own gmail. Any email sent would be from that email. I gave that email access to a shared calendar so it could add events to mine. It gets to act as a second email.

Edit: the costs were through the roof at the time so I discontinued use rather than using some hacky workaround. I ran it in a docker container on an undraid server with nothing else running on the server. I also tested it in ubuntu server.

Editorial Channel

What the content says

Structural Channel

What the site does