OpenClaw Machines
Run as many isolated OpenClaw agents as you need, on hardware you own.
OpenClaw Machines is an open-source platform for running OpenClaw in secure AI sandboxes on your own infrastructure. A control plane orchestrates your hosts, and each agent runs in its own Firecracker microVM on them — hardware-isolated, safe for untrusted and agent-generated code. A Cloudflare data plane is the front door: every machine gets its own subdomain behind edge auth, reached through a tunnel that terminates inside the VM — no host port is exposed for user-to-VM traffic. The current control plane still needs private or firewall-restricted access to each agent's authenticated control API on 9090 . See it running at openclawmachines.com.
The Apache-2.0 public core ships every piece of that stack:
The ocm CLI lives in the separate mathaix/ocm-cli Apache-2.0 repository.
Video link
Click the screenshot to watch the 43-second demo on YouTube. This is a linked image, not an embedded player.
The demo covers host onboarding, agent spin-up, the running Firecracker VM terminal, workspace MCP integrations, and an agent tool call end to end.
Why OpenClaw Machines
Security. Real isolation, not containers: one Firecracker microVM per agent, with its own guest kernel behind a KVM hardware boundary — and auth enforced at the edge and again inside every VM.
... continue reading