I’m looking to run OpenClaw on my homelab. Has anyone successfully got it running with Docker? I followed the Docker instructions on their website, got Ollama running with a lightweight model, but couldn’t get the OpenClaw dashboard working.
I was hoping to have it, every day, look through the hundreds of job alert emails I get, and output a list of jobs for me to apply for. It’ll compare my resume to the listing, check the age of the listing, etc.
I know it’s highly susceptible to prompt injection, but if I have it in a container, with an email made specifically for OpenClaw, I’m hoping it will be relatively safe?
Best security: avoid it
Simply put, no. In order to be safe with an LLM that can execute stuff on its own, it needs to be completely sandboxed.
A very nice talk about flaws in agentic AI can be found here: https://media.ccc.de/v/39c3-agentic-probllms-exploiting-ai-computer-use-and-coding-agents
I would use their LXC install, it’s much more flexible. It does not need to be local but it does simplify things like email. I had to put a bit of effort into getting it to be able to connect to IMAP mailboxes to process, but it wasn’t any more than just asking it to get the necessary libraries etc. But things like that are why using it as an LXC is a better choice. It might be able to do that as a docker, but there’s potential problems with network connectivity and docker in docker issues.
You can also firewall that LXC off without having to mess up your own workstation, as well as snapshot it and back it up.
And the first thing I would do is have it keep token budgets when you build tasks, and report its token use to you every hour or two. It takes some time to learn how to structure reminders and task processing to not create loops that eat up scads of tokens. Don’t ask me how I know.
But holy hell, can it be useful.
To work, it needs local access (like scanning your emails), otherwise what’s the point of it… I suggest reading this blog post:
https://www.macsparky.com/blog/2026/02/i-built-the-perfect-ai-robot-then-i-pulled-the-plug/
I thought I was being smart by running it on an isolated Mac mini with custom safeguards. I created secret passphrases, limited access, tried to lock it down. Then I woke up at 2 AM wondering if my secret passphrase was sitting in plain text in the robot’s logs. It was.
Yup. Forget running this.
It appears the image runs as a non-root user at least… You can drop unnecessary capabilities: https://oneuptime.com/blog/post/2026-01-16-docker-drop-capabilities/view
You can also add firewall restrictions to the container to only allow it to connect to services you want, to limit injection attacks.
This would help, but still could be open to a lot of security problems I’d imagine.
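
The container-hardening points raised in the thread (non-root user, dropped capabilities, network restrictions, the Docker socket) can be checked against `docker inspect` output. The following is an added example, not part of the original thread or of OpenClaw; the container names, the `agent-egress` network and the sample records are constructed, and egress firewall rules themselves live on the host, so they are not visible here.

```python
import json

# Constructed sample: trimmed `docker inspect` records; names and values are invented.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/agent-default", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapDrop": null, "CapAdd": null,
                 "SecurityOpt": null, "NetworkMode": "host"},
  "Mounts": [{"Source": "/var/run/docker.sock", "RW": true}]},
 {"Name": "/agent-hardened", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapDrop": ["ALL"], "CapAdd": null,
                 "SecurityOpt": ["no-new-privileges"], "NetworkMode": "agent-egress"},
  "Mounts": []}
]""")


def audit(container):
    """Return hardening findings for one `docker inspect` record."""
    cfg, host = container.get("Config") or {}, container.get("HostConfig") or {}
    findings = []
    # An empty User means neither the image nor the run command set one: root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs-as-root")
    if host.get("Privileged"):
        findings.append("privileged")
    # `--cap-drop ALL` appears as ["ALL"]; anything less keeps default capabilities.
    dropped = {c.upper() for c in host.get("CapDrop") or []}
    if "ALL" not in dropped:
        findings.append("capabilities-not-dropped")
    for cap in host.get("CapAdd") or []:
        findings.append(f"capability-added:{cap.upper()}")
    opts = {o.replace("=", ":") for o in host.get("SecurityOpt") or []}
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append("no-new-privileges-missing")
    # Host networking shares the host's network stack, so per-container rules do not apply.
    if host.get("NetworkMode") == "host":
        findings.append("host-network")
    # A mounted Docker socket gives the container control of the daemon.
    for mount in container.get("Mounts") or []:
        if mount.get("Source", "").endswith("docker.sock"):
            findings.append("docker-socket-mounted")
    return findings


def audit_all(records):
    return {r["Name"].lstrip("/"): audit(r) for r in records}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no findings")
```

To check a real container, replace `SAMPLE_INSPECT` with the parsed JSON from `docker inspect <container>`.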


