OpenClaw gives an AI agent full access to your system. Here's why you should run it on an isolated cloud VM, and how to set that up.
OpenClaw is a self-hosted AI agent that connects to WhatsApp, Telegram, Slack, Discord, and dozens of other services. Give it a task over chat, and it executes shell commands, browses the web, reads and writes files, and calls APIs on your behalf. It exploded to over 215k GitHub stars in a matter of weeks.
But OpenClaw needs deep access to the machine it runs on: shell execution, file system access, browser automation. These capabilities are what make it useful - and also what make running it on your personal laptop a bad idea. Within weeks of going viral, reports of exposed instances, prompt injection attacks, and malicious plugins started piling up.
This post covers why you shouldn’t run OpenClaw on your main machine, what your isolation options are, and how to set it up on a cloud VM.
What OpenClaw does
OpenClaw is a self-hosted AI agent gateway, created by Peter Steinberger (originally under the names Clawdbot and Moltbot). It runs a persistent process - the “gateway” - that connects large language models (primarily Anthropic’s Claude) to your messaging platforms. You chat with it on WhatsApp or Telegram like you’d text a friend, and it executes tasks using a rich set of tools:
Shell execution: Run commands on the host machine
Browser automation: Navigate websites, fill forms, take screenshots via Playwright
File operations: Read, write, and edit files
100+ service integrations: Gmail, GitHub, Notion, Spotify, calendars, and more