How to Set Up OpenClaw AI Agent in a Secure Way (and Connect It to InfraNodus)

OpenClaw is an open source autonomous AI agent that can run on your local machine or a server. Its main advantage (and disadvantage) is that it can connect anything to anything, so any workflow you can think of that involves LLM is possible and you can orchestrate it not only through OpenClaw's chat itself but even through WhatsApp or Telegram. 

For instance, you can ask LLM to read through your Apple notes and then use InfraNodus skill (or MCP server) to find recurrent plans and then put reminders for them to turn your ideas into actionable insights. Or you can  find all the documents that you created in 2023, summarize their content, and then extract the content gaps using the InfraNodus content gap tool to see how you can develop your ideas further.

With that ability to connect all your applications and execute any command OpenClaw is also a huge security risk.Some people resolve this by running it on a dedicated machine, but even in this case to make it useful you have to give it access to some folders and services you might be interested in working with, so it kind of defeats the purpose. Instead, you can set it up in a way that keeps your data secure and doesn't allow it to execute dangerous commands. 

In this guide below, we will explain how you can set up OpenClaw in a secure way and connect it to InfraNodus. 

Note: If you're just interested in connecting OpenClaw to InfraNodus directly, please, read the article on using AI agents to generate insights with InfraNodus

1. Install OpenClaw Securely on Your Local Machine or Server

The easiest way to install OpenClaw is to use its default instructions that allow it unlimited access to your machine. That's why if you choose to install it this way, it's better to install it on a wiped clean computer (e.g an old / new Mac) or an external server (which you can get for €5 / month from Hetzner). 

You will of course have to then manually copy (or allow access to) all the data and services you want OpenClaw to work with. But this extra installation overhead ensures that you won't be as susceptible to prompt injection attacks and malicious skills that try to steal or compromise your data. 

SECURITY NOTE #1: PROTECT YOUR SETUP RIGHT AFTER INSTALLATION

This installation type exposes all your data to LLMs, so if you're installing OpenClaw this way, you should immediately protect your setup after the installation — see our guide to securing OpenClaw below. Just make sure you do not install any skills and that your Firewall is not allowing external access to your localhost at this point.

Option 1: Easy Automated OpenClaw Install on a Local Machine

If you prefer to install OpenClaw on a local machine in an easy way, it will have access to all your data. This is a super fun and easy way to work it. OpenClaw will then install in a couple of minutes, but you should be careful for the reasons we described above. 

SECURITY NOTE #2: SANDBOX INSTALLATION TO LIMIT ITS SCOPE 

There is a way to secure this setup right after the installation using the OpenClaw Sandboxing concept and we will show below how it works. This will limit which folders it has access to and also the tool use.  

MAKE SURE TO FOLLOW THESE ADDITIONAL SECURITY INSTRUCTIONS DIRECTLY AFTER YOU'RE DONE WITH THE INSTALLATION TO MAKE SURE YOU ARE NOT COMPROMISED.

To install OpenClaw the easy way, just follow the default installation instructions on OpenClaw's own quick install guide: 

https://docs.openclaw.ai/start/getting-started

The steps you will need to take are:

a) Default 1-Click OpenClaw Install

Open your Terminal and launch the installation script directly from OpenClaw's website:

curl -fsSL https://openclaw.ai/install.sh | bash

This script installs everything you need (Node.Js, if you don't have it, and other tools) to run OpenClaw and then OpenClaw itself.

Then follow the Quick Start instructions and you'll have it set up in a couple of minutes — OpenClaw will guide you through the process. See explanation of the configuration options below.

b) NPM OpenClaw Install

If you're a bit more technical and you already have npm, you can also use the installation instructions from OpenClaw's repo: https://github.com/openclaw/openclaw — 

npm install -g openclaw@latest

This command will install the OpenClaw client in your command line, so you can call it directly using openclaw — then you can call the setup daemon:

openclaw onboard --install-daemon

Option 2: Manual OpenClaw Install in a Separate Container on a Local Machine or Server

If you want to be 100% sure that OpenClaw will not have access to everything on your computer, you can install it in a separate Docker container on your local machine or on a VPS server (such as Hetzner or Fly.io). 

Docker is a tool that runs containers, so that means you can create a separate "machine" on your computer where you can choose exactly what it has access to. 

To install OpenClaw using Docker, you can follow the installation instructions at:

https://docs.openclaw.ai/install/docker

Basically, you will first need to clone the OpenClaw's repo to your computer:

git clone https://github.com/openclaw/openclaw

Then you change to the openclaw folder:

cd openclaw

Before you run the Docker installation script, you might want to review OpenClaw's Docker / Fly.Io / Hetzner installation instructions as you might want to specify some environmental variables that will install additional packages for you or expose the folders you need to your virtual Docker OpenClaw instance.

Once you decided on the configuration, run the default Docker installation script that picks up the Dockerfile from the repo's folder and follows the instructions:

bash docker-setup.sh

2. OpenClaw Installation Settings

As you will be installing OpenClaw on your machine, it will ask you some questions. Most of them are pretty straight-forward, but here are the most important choices you will have to make:

1. Connect OpenClaw to an LLM of Your Choice

The most important part of that setup is that you connect OpenClaw to an LLM. We prefer to connect it to Claude, so when OpenClaw asks you what it should connect you to, just choose Claude and follow the instructions to get the API key (usually you can auto-generate it in another Terminal window). 

You can also connect OpenClaw to a local LLM that you can easily set up on your machine using Ollama and a model of your choice (e.g. DeepSeek). Read more about setting up Ollama with a local DeepSeek model. The problem here is that if your computer is not powerful enough, you'll get a nerfed model that might make mistakes and that may be dangerous for your data. So we'd rather start with a powerful model from Claude, understand the workflows, and then see which local model suits best for your needs and install it later.

2. Configuring OpenClaw: Tools and Skills

OpenClaw has a structure where it has access to some basic tools of which the main one is the exec tool that can run Terminal commands. This is what makes it super powerful. It can also read and write your data and do many other things. These tools are activated by default, so you don't have to do anything for them to work.

Additionally, OpenClaw also has built-in skills which are basically MD files that explain how to use tools for specific purposes. For instance, reading through your Apple notes or setting reminders. All these skills basically explain how to use specific Terminal commands to operate your computer and the ones that come with OpenClaw by default are quite safe. That's where the skills are dangerous because a malicious skill could have an instruction to run rm -rf on your hard drive (and erase your data) or send your passwords to some external API using the curl command. 

SECURITY NOTE #3: REVIEW EVERY SKILL BEFORE INSTALLING!

You should carefully review each additional skill you install that is not included in the default OpenClaw bundle before attempting to install it. Check if it's trying to get your data, SSH keys, or any personal details, the CLI tools it uses, and what external API services it connects to. Do not install anything that seems suspicious.

3. Configuring OpenClaw's Gateway

Gateway is what you use to communicate to OpenClaw. The default options are your TUI (the Terminal UI you used to install it) and the chat web interface through the browser.

Upon installation, OpenClaw will also ask you if you want to configure the Telegram / WhatsApp connection so you can control your OpenClaw through a messenger. This is quite convenient, because you can basically communicate with your OpenClaw on the move even if you're away from your computer (provided that it's on and that OpenClaw is running).

We recommend that you start from setting up Telegram / WhatsApp connection upon installation (it's very easy). And choose Terminal UI (TUI) to give the bot its first instructions to avoid problems with authorization tokens.

Where to Find the OpenClaw's Configuration Files?

The OpenClaw's configuration files and workspaces are located in the ~/.openclaw folder. You can list the contents of this folder 

 ls ~/.openclaw 

Then to see the config file located at ~/.openclaw/openclaw.json

cat ~/.openclaw/openclaw.json

You will see all your configurations in there and can change them either via OpenClaw itself or following the instructions from OpenClaw's docs.

3. Talking to Your OpenClaw Agent

Once you set up OpenClaw, you will be able to talk to your bot via your browser via localhost by launching:

openclaw gateway

then it will open in browser at http://127.0.0.1:18789 

or via Terminal UI (TUI) if you launch

 openclaw tui

If you launch through your browser, you will see something like this :

You can already start talking to your OpenClaw directly in this web / TUI interface. 

When you launch it for the first time, it will guide you through some questions to learn your name, ask you to give it a new name and choose a vibe. 

You can then ask it to tell you what it can already do at this point, what is has access to, and see how it works. Just be careful, do not ask it to do any operations on your files. 

SECURITY NOTE #4: MAKE SURE YOUR INSTANCE IS NOT EXPOSED. 

Your OpenClaw is now available through the browser on your localhost (127.0.0.1). It requires a token to be authorized but as an additional security measure we recommend you to make sure that your local machine is not exposed to the internet and that you have a Firewall set up. 

The easiest way to do it is to look in the settings and also to visit a service like https://www.whatismyip.com/ and get your IP address, then attempt to open this address via https://your_ip_address:18789. Then you can also try to get your local network IP address and attempt to open it that way, e.g .https://192.168.1.129:18789 — none of that should be accessible. You should always only be able to access OpenClaw from your local computer via localhost  web chat or the channel you choose (e.g. WhatsApp).

Troubles Launching the Web Chat for OpenClaw?

You might experience problems launching the web chat for OpenClaw. The error message in browser (and in terminal) might say that there's a token mismatch and give you an instruction to fix it. 

In this case, you have to launch 

openclaw dashboard

It will attempt to open the browser chat interface with a correct token. 

Then you need to copy that whole URL, then in Terminal type:

openclaw gateway restart

This will relaunch the OpenClaw gateway and you can then paste the URL you copied in the browser. This will reset the token and open the chat without any error messages. 

4. Securing Your OpenClaw Setup

Now we come to the most important part: securing your OpenClaw to ensure that it cannot do stupid things on your computer and that malicious skills and prompt injections won't compromise or erase your data and passwords.

You only need to run this additional step if you installed OpenClaw on your local machine to ensure that it can only have access to specific folders and tools that you specify. This concept is called "sandboxing" — you are basically creating a separate environment for each agent session, so you are limiting the "blast radius" for malicious attacks and prompt injections. 

You can read more about sandboxing on OpenClaw's portal at https://docs.openclaw.ai/gateway/sandboxing but it's very confusing (probably because it was written by AI — which shows us the kind of problems we're going to run into more and more in the future). It took me hours to sort it all out and understand how to adjust permissions in the best possible way, so you can as well save your time and follow our guide below. 

Here are the steps you can follow:

4/0. Turn Off Your OpenClaw 

If you are really afraid for your data, as soon as you installed OpenClaw, you can turn it off by running in terminal:

openclaw gateway stop

Then check your browser OpenClaw web UI again and make sure it doesn't load. 

If it still loads, you can "kill" the process by running:

pkill -f openclaw

Now your OpenClaw is not active, so you (nor nobody else) won't be able to access it.

4/1. Add Tool Exec Restrictions in OpenClaw's Config

The first step is to add tool restrictions to your OpenClaw's config.

SECURITY NOTE #5: VERIFY EVERY EXEC COMMAND

If there is one security measure that you can do without the complex Docker container / sandboxing setup, it is this. This one setting prevents your OpenClaw from running any command line exec tool without your permission — a common security flaw that may result in your passwords and data compromised and stolen.

Basically want to expose the default tools that are available but ensure that every time they run OpenClaw asks you for a confirmation. This is recommended setup especially with command-line tools because you don't want your LLM to accidentally run rm -rf without you knowing or to install some malicious code because of an instruction found in some skill or a prompt injection script. 

In order to do add additinoal tool configuration, open the ~/.openclaw/openclaw.json file and add the following (make sure the "tools" is not there yet, otherwise just append the data below):

	"tools": {
		"elevated": {
			"enabled": true,
			"allowFrom": {
				"webchat": ["*"]
			}
		},
		"exec": {
			"security": "allowlist",
			"ask": "on-miss"
		}

This instructs OpenClaw to "elevate" the use of the tools to the sandbox environment, which means that all the tools installed will be available through the webchat only when running in a sandboxed environment (more on that later). 

The exec instruction tells it to always ask about the use of every tool unless it on your allowlist. 

You can create the allowlist later, for now, even if it's a bit annoying, you want to see every tool that OpenClaw launches. Over time, you might want to add some tools like ls (listing files and folders) and other innocent tool calls into the list.

This setting tools.elevated also gives OpenClaw access to the skills in your workspace — so make sure you did not download any skills earlier and only have the default ones installed. 

Now you can relaunch your OpenClaw again:

openclaw gateway

And have it attempt running any tool — for instance, ask it to list the files it has access to. 

If OpenClaw asks your permission to run a command, then you're all set up.

SECURITY NOTE #6: SETTING UP SANDBOXED DOCKER ENVIRONMENT

If you want to truly protect your data, you want to isolate what folders OpenClaw has access to. This can be done by creating a Docker container with a custom configuration and forcing OpenClaw to operate from that virtual sandboxed environment (which does not have access to your real machine). You can then gradually add more permissions as they are required.

In that case, you will also need to set elevated.enabled: false because otherwise even if you limit access to tools to your sandboxed environment and do not expose any folders, exec commands will run in your main system, so they will still be able to access everything.

BELOW ARE THE STEPS TO SET UP THIS DOCKER SANDBOXED ENVIRONMENT

4/2. Clone the OpenClaw GitHub Repo:

Choose the folder where you'd like to save OpenClaw and in your Terminal type:

git clone https://github.com/openclaw/openclaw

This will create the openclaw folder with all the code of OpenClaw on your computer.

Go to that folder in your Terminal:

cd openclaw

4/3. Create and Launch Your Own OpenClaw Docker Image

Now we're going to create a separate Docker container that will be used to spawn separate isolated instances of OpenClaw with granular tool and folder access. This is what keeps your main machine safe (but not the safest — because you could still be hacked via the internet / local network, although this becomes much less likely).

IMPORTANT: For this setup to work, you need to install Docker on your computer — just follow the instructions at https://www.docker.com/  

The installation process is pretty straight-forward and very useful because you will need Docker for a lot of LLM applications. It also helps to have Docker to isolate instances for security concerns.

4/3/1. Create OpenClaw Docker Sandbox Image

Now, the default sandboxing instruction tells you to launch scripts/sandbox-setup.sh from that repo, but that script follows the Dockerfile.sandbox instructions and won't include some important tools you may need on your machine. 

For instance, you might need node.js to run node commands (which makes it possible for you to use multiple libraries, spawn websites, etc) as well as mcporter to connect to external MCP server. This is what makes your OpenClaw super powerful and it's a shame to nerf it in such a basic way. 

That's why we recommend that you create your own Dockerfile with the packages you want to be installed. 

However, this Dockerfile will create an image based off the default sandbox image created by OpenClaw, so first you can run the default sandbox image creation script in the openclaw folder:

bash scripts/sandbox-setup.sh

Once the image is created, you'll be able to verify it using

docker images

You will see the image name in the list:

openclaw-sandbox

This means the default image can now be used for our custom secondary image.

4/3/2. Build Your Custom OpenClaw Image with the Command-Line Tools Your Need

Now we can build our custom sandbox image with the tools we need:

Go to the openclaw folder and then create that Dockerfile

nano Dockerfile.sandbox-mcporter

Then paste the following in this file and save (Ctrl + X then Yes):

FROM openclaw-sandbox:bookworm-slim
USER root
RUN mkdir -p /var/lib/apt/lists/partial \
    && apt-get update && apt-get install -y curl xdg-utils \
    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
    && apt-get install -y nodejs \
    && npm install -g mcporter \
    && rm -rf /var/lib/apt/lists/*
USER 1000

This custom installation will install nodejs and mcporter in your Docker image. Run:

docker build -f Dockerfile.sandbox-mcporter -t openclaw-sandbox-mcporter:latest .

This tells Docker to take the Dockerfile.sandbox-mcporter file and to build a new image called openclaw-sandbox-mcporter on top of the openclaw-sandbox image we created in Step 2/1. 

Verify that it exists:

docker images

You will see in the list:

openclaw-sandbox-mcporter

4/3/3. Add Sandboxing Settings in Your OpenClaw Config

Now that we have the Docker image prepared, we can tell OpenClaw to launch this image upon startup. 

In order to do that, we can edit the OpenClaw config — ~/.openclaw/openclaw.json — open it in an IDE of your choice (or Terminal using nano ~/.openclaw/openclaw.json and look for this part here:

"agents": {
    "defaults": { 

Once you found it, add the following sandbox config to the agents scope. 

Make sure NOT to delete other settings already present in the agent scope:

"agents": {
    "defaults": {
      "sandbox": {
        "mode": "all",
        "scope": "session",
        "workspaceAccess": "rw",
        "docker": {
			"network": "bridge",
			"image": "openclaw-sandbox-mcporter:latest"
		}
      }
    }
  }

This setting tells OpenClaw that:

• you will fun in a sandbox mode (the presence of sandbox in defaults indicates that)
• you will use the sandbox mode for all connections — mode: all (you could also use non-main which only sandboxes additionally spawned agents, but that is not secure enough, because you can still run any command through the web interface or Telegram / WhatsApp gateway and we don't want that — especially if a malicious skill tries to execute or if somebody gets access to your chat interface)
• sandboxes are scoped by sessions
• it should have read/write access to any files in your workspace — workspaceAccess: rw — located at ~/.openclaw/workspace. You can as well change it to ro (read-only). If you prefer, you can set it to  none (in which case it'll only have access to the .MD files that describe how the agent should behave) — but that may be too restrictive if you install your skills into that workspace. 
• the docker.image directive is telling your OpenClaw to use openclaw-sandbox-mcporter Docker image we just created earlier to launch the sandboxed instance.
• the docker.network directive allows it to be exposed to the internet. You can also remove this line if you don't want your OpenClaw to be able to access the internet, but that is probably too restrictive unless you know you don't need it and would only operate it through a local network.
   

4/3/4 Verify Your Installation is Secure with OpenClaw

Now you need to restart OpenClaw, run:

openclaw gateway stop

Check if it's still running by trying to load the chat at http://127.0.0.1:18789/ 

If it's still running, run pkill -f openclaw

then start it again:

openclaw gateway

Then load the chat at http://127.0.0.1:18789/ and ask OpenClaw's agent 

• what files it has access to
• what skills it can use

You should verify, at the very least, that you only have access to the default skills and that you can't access any other folder but your workspace one.

Congratulations! 🎉 You have now installed OpenClaw securely and it functions well!

4/4. Allow OpenClaw to Access the Data on Your Computer

Now that you have OpenClaw installed securely, it's time to give it some access to the data on your computer. The secure setup above isolates the instance, so it can't access any data and it's not so much fun to play with.

Usually, it can be nice to start from your research notes or a folder where you store PDF documents or marketing strategies. 

For instance, I have an Obsidian vault located at /Users/dmt/Software/Second Brain:/mnt/Obsidian/Second Brain (you can get the full folder path by going to that folder and running pwd from there in Terminal). So I'm going to add this because I want to use OpenClaw on my Obsidian notes. I'll also add access to the whole Research paper folder I have, because it's just public research papers and I want to analyze their content as well. 

In order to give access, you need to add it into the agents.defaults.sandbox.docker.binds configuration:

"sandbox": {
	"mode": "all",
	"scope": "session",
	"workspaceAccess": "none",
	"docker": {
		"network": "bridge",
		"image": "openclaw-sandbox-mcporter:latest",
		"dangerouslyAllowExternalBindSources": true,
		"binds": [
			"/Users/dmt/Software/Second Brain:/mnt/Obsidian/Second Brain:rw",
			"/Users/dmt/Dropbox/Research:/mnt/Dropbox/Research:ro"
		]
	}
}

Here we mapping our local folders to the Docker sandbox folders (e.g. /mnt/Dropbox/Research) and we use two parameters:

ro - means Read only (we cannot write into that folder)

rw - means Read Write (we can read and write from this folder) — I'm OK to use it on my Obsidian vault because it's a git repository where every change can be reverted (you should do it too on your Obsidian vault).

We also need to set "dangerouslyAllowExternalBindSources": true because that tells OpenClaw to provide access to the Docker folders we mounted. 

INSTALLATION NOTE: You need OpenClaw version 2026.2.24 for this to work, as the previous versions had a bug where "dangerouslyAllowExternalBindSources": true was omitted. To update your OpenClaw installation run npm update -g openclaw. Check your version using openclaw --version

SECURITY NOTE #7: SWITCH OFF ELEVATED TOOL PERMISSION

At this point, you need to switch off your elevated tool permissions because otherwise, even though you limited the scope of your OpenClaw to your Docker mounted folders, the fact that you allow the tools to run outside of the sandboxed environment means that they can still access all your data. You will be prompted every time, so you have some safety there, but for better security deactivate it for now:

"tools": {
		"elevated": {
			"enabled": false

This is basically double protection because you 

Now you restart your OpenClaw:

openclaw gateway restart

And ask it to check your Obsidian folder:

SECURITY CHECK: Verify that your installation is secure by asking OpenClaw to find some other data on your computer that you know it should not have access to. 

4/5. Use OpenClaw from Telegram or WhatsApp

You might want to ensure you have your Telegram / WhatsApp gateway connected, because it's a lot of fun to be able to interact with your notes on the go. To verify, open your Telegram / WhatsApp chat that you set up when installing OpenClaw and send any message. If you see an error, you'll probably receive a response with an approval code to run in your Terminal:

openclaw pairing approve telegram YOUR_APPROVAL_CODE

4/6. Adding the Browser Capabilities

If you’re using a sandboxed version of OpenClaw, setting up its ability to use the browser (from the sandbox) is not very trivial.

In order to do that, you need to:

4/6/1. Create the Docker container with the browser

Open the Terminal in your local OpenClaw repo to your local machine and then running

docker build -t openclaw-sandbox-browser:bookworm-slim -f Dockerfile.sandbox-browser .

After that, you’ll have the browser image available. Then you’ll need to add settings to the configuration file to make sure that the sandboxed version of OpenClaw launches the browser.

4/6/2. Change config to run the browser container

In the agents.defaults.sandbox scope add

"browser": {
  "enabled": true,
  "autoStart": true,
  "autoStartTimeoutMs": 15000,
  "enableNoVnc": true,
  "headless": false,
  "allowHostControl": false
}

In the agents.defaults.sandbox.docker.env add

"OPENCLAW_BROWSER_NO_SANDBOX": "1"

Then run openclaw browser --browser-profile sandbox status in your browser and then run OpenClaw again and ask it to open the browser in a new window.

🎉 You can now control browser automations via OpenClaw.

Learn how to use OpenClaw with InfraNodus: https://support.noduslabs.com/hc/en-us/articles/25921940639132-How-to-Make-OpenClaw-and-AI-Agents-Smarter-with-InfraNodus

5. OpenClaw Troubleshooting

If at some point your OpenClaw stops working because of permission issues, run

openclaw doctor --fix

Then run the following to restart the gateway:

openclaw gateway install --force

That should fix the auth problem.

To learn how to use InfraNodus with OpenClaw read our guide to generating better insights with OpenClaw and AI agents.

To learn more about installing OpenClaw check our complete guide to secure OpenClaw installation on Substack.

To set up InfraNodus: https://infranodus.com