
Setting up OpenClaw on a cloud VM

https://blog.skypilot.co/openclaw-on-skypilot/
57•hopechong•1h ago

Comments

hopechong•1h ago
We've been seeing a lot of people run OpenClaw directly on their main machine, which is a bad idea for a few reasons: it needs broad system access, it's noisy on resources, and if something goes wrong you want a clean blast radius. The obvious answer is "just isolate it," but isolation has real friction. You need to provision a machine, handle SSH keys, configure security groups, and remember to tear things down so you're not leaking money. This post walks through the three realistic options:

Docker – lowest friction, but shares your kernel and has limits depending on what OpenClaw needs to do

Dedicated hardware – best isolation, but you're paying 24/7 and it takes time to set up

Cloud VM – the sweet spot for most people: true isolation, pay-per-use, tear it down when you're done

For the cloud VM path, we show how to launch a hardened OpenClaw environment on AWS, GCP, Azure, or any other cloud with a single command, handling provisioning, SSH, and auto-teardown for you.

croes•1h ago
That’s only half of the problem.

People give OpenClaw access to their online services like mails where it can also do damage.

A hardened environment doesn’t prevent that kind of damage.

ziml77•1h ago
As people have pointed out in other threads, you don't even need access to these services to cause problems. As long as the AI can send any bytes out, it can leak information. Like you may think of an HTTP GET as read-only, but you can pack any data you want into the URL or headers.
avoutic•1h ago
In the end it will all be about separation of duty between agents in a larger team and isolating the ones that need more access to your private stuff.

Wardgate acts like a drop-in replacement for curl with full access control at the url / method / content level, so you can allow specific curl access to specific APIs but prevent all other outbound connections. That's what I use for my PA agent. She's very limited and can't access the open internet. Doesn't need it either.

leptons•53m ago
You can also stuff data into a GET request body, I've seen some devs do it and I related my disapproval about it.
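
The egress points raised above (ziml77 on GET URLs and headers, avoutic on URL/method-level allowlisting, leptons on GET bodies), sketched as a default-deny check. This is an added example, not part of any comment and not Wardgate's code or configuration; the host `api.mail.example`, the rules, the header allowlist and the 256-byte query budget are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed policy: (method, host, path prefix) triples the agent may use.
ALLOW = [
    ("GET", "api.mail.example", "/v1/messages"),
    ("POST", "api.mail.example", "/v1/messages/archive"),
]
ALLOWED_HEADERS = {"authorization", "accept", "content-type"}
MAX_QUERY_BYTES = 256  # assumed budget for legitimate read queries


def check_egress(method, url, headers=None, body=b""):
    """Return (allowed, reason) for one outbound request; default is deny."""
    parts = urlsplit(url)
    method = method.upper()
    host = (parts.hostname or "").lower()
    path = unquote(parts.path)
    if parts.scheme != "https":
        return False, "non-https scheme"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    if ".." in path.split("/"):
        return False, "path traversal segment"
    matched = any(
        method == m and host == h and (path == p or path.startswith(p + "/"))
        for m, h, p in ALLOW
    )
    if not matched:
        return False, "no allow rule for method/host/path"
    # Data can ride in places a "read-only" GET is assumed not to carry it.
    if method == "GET" and body:
        return False, "GET with a body"
    if len(parts.query.encode()) > MAX_QUERY_BYTES:
        return False, "query string over budget"
    extra = {k.lower() for k in (headers or {})} - ALLOWED_HEADERS
    if extra:
        return False, "unexpected headers: " + ", ".join(sorted(extra))
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed requests
        ("GET", "https://api.mail.example/v1/messages?limit=10", {}, b""),
        ("GET", "https://api.mail.example/v1/messages?q=" + "A" * 400, {}, b""),
        ("GET", "https://api.mail.example/v1/messages", {}, b"payload"),
        ("DELETE", "https://api.mail.example/v1/messages/42", {}, b""),
        ("GET", "https://other.example/collect?d=abc", {}, b""),
    ]
    for m, u, h, b in samples:
        print(m, u[:60], "->", check_egress(m, u, h, b))
```

A size budget narrows the URL channel rather than closing it, so the method/host/path rules carry most of the weight.
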
alt187•1h ago
There's no hardening against idiocy.
avoutic•1h ago
It does, if you use WardGate [1] and only allow read and archive access and only delete access on your inbox but nothing else for instance.

1 https://github.com/wardgate/wardgate

markb139•1h ago
It seems to be perfectly happy to run on VirtualBox with a Debian install. The host PC is running a local model. I’m quite impressed with what it’s capable of.
tomComb•1h ago
I think nanoclaw is actually designed to be run that way.
LostAndSmelly•1h ago
Your AI should not be in a position to submit a resignation email or send a text to your partner asking for a divorce.
stronglikedan•51m ago
As long as the email or text includes the disclaimer "generated with the assistance of artificial intelligence" then you should be fine.
irishcoffee•27m ago
You forgot the /s... at least I hope you did.
ASalazarMX•27m ago
It is a charming solution that addresses the optics with great efficiency while leaving the rot entirely undisturbed. By all means, let us proceed if the goal is to feel busy. But when the inevitable occurs, please ensure you have a second, more serious suggestion ready.

Disclaimer: generated with the assistance of artificial intelligence

bdangubic•24m ago
but if that disclaimer means that you have to verify whether or not the "sender" agrees with the content that defeats its purpose, no? if we are all going to be like "did you mean to send this text/email...?"
ljm•18m ago
Hi $wife,

You're absolutely right. Let's divorce

--

Sent from my OpenClaw

ok123456•1h ago
Firejail seems like the right tool for a somewhat complicated desktop application that you want isolation for, that's not simple to containerize.
sigmar•1h ago
instead of me doing 'pip install skypilot' in a terminal, why doesn't skypilot make a skypilot smartphone app that will provision the cloud resource? then could even get rid of the whatsapp/telegram dependency by making the app a messaging client (to communicate with the openclaw server)
andersmurphy•1h ago
I'm surprised people don't use Lima (quick headless local VMs where you can mount a folder). [1]

[1] - https://lima-vm.io/docs/examples/ai/

NitpickLawyer•21m ago
What's the difference between lima and vagrant?
irishcoffee•19m ago
According to _looking it up_ Lima is tailored to macOS. I encourage you to look it up yourself!
alienbaby•1h ago
Put it in a box and then give it read write access to all your valuable data. That'll do it....
Spivak•1h ago
Because the VM isn't there to protect your data, it's to give the AI a space where it can do things that would be annoying or cause breakages on your own machine. It also gives you an easy save/restore mechanism.
seniorThrowaway•1h ago
It's really not that hard to run them in docker. Can give them a nestybox (with a little work) sidecar so they can run docker-in-docker. As far as permissions, the only mental model that makes sense to me is treating them like actual people. Bound their permissions in the other systems not on their own machines, basically zero trust. For instance for email, most mail apps have had delegated permissions for a while, executives use it to have their assistants read and write their mail. That's what is needed with these too.
eli•38m ago
You still have to trust your executive assistant. I would never give someone I don't trust the ability to read and write emails for me.
mr_mitm•26m ago
If this takes off, I wonder if platforms will start providing API tokens scoped for assistants. They have permissions for non-destructive actions like reading mails, flagging important mails, creating drafts, moving to trash, but not more.
retinaros•46m ago
serious question why anyone on hn would run this?
nowittyusername•23m ago
For me at least it's an interesting project I can take apart and build on top of. I've built 100% my own agent frameworks from scratch and have learned a lot from them. There is something to be said on learning from others' projects as well, also because it's an ever-evolving project with so many contributors, whatever fork you go with of your own, there's a good chance the new goodies will work with your own modified version. For example I'm looking into LCM right now, and wouldn't you know it, someone ported it to openclaw. But nanobot doesn't have it, so I'm considering working on the LCM port to that. If I succeed I will learn a lot and also contribute to progress in my own little ways.
richardlblair•16m ago
Right? It's asking for trouble.

I was in the repebble comments a few days ago and this person rolled their own for very obvious reasons: https://news.ycombinator.com/item?id=47078454

ASalazarMX•6m ago
Both replies to your question give you the two sides. It is a scary, stupid thing to give your house keys to, but it is also very interesting like two trains crashing.

Maybe a middle ground would be isolating it like the article suggests, and poking it with a stick (giving it limited, or newly created accounts) to see what it can do?

insane_dreamer•42m ago
this is why we can't have nice things ...
jesse_dot_id•41m ago
Are prompt injections solved? If OpenClaw is only useful when it has access to your digital life, then why does it matter where it runs? You might as well be asking me to keep my dead man's switch safely on the moon. If you find this software useful, you are sharing a count down to a no good very bad day with everyone else who finds it useful. One zero day prompt injection technique, your e-mail on a distribution list, and that's all she wrote.
quietbritishjim•34m ago
It's a bit like the xkcd where the admin account is secure but all the useful information is in the user account anyway.

https://xkcd.com/1200/

plagiarist•27m ago
IDGI. It is reading emails, which is a vector for prompt injection. It is also reading emails, which is where all password resets are sent to. Anyone granting even read access to their primary email is playing with fire.

I personally don't see how the daily briefings or whatever are worth the risk.

m3kw9•26m ago
most people want openclaw to access their personal files, that's the big use case.
spiralcoaster•22m ago
Guys, remember, when you set up your AI-controlled automatic machine gun in your front lawn, be sure to do it safely and pour a solid concrete foundation for it to sit atop of. We wouldn't want it to cause harm or injury by tipping over.
yoyohello13•20m ago
It's hilarious watching people discover security again. Everyone plugging their favorite sandbox technology. Yes, sandboxing processes is a thing that has existed for a long time and there are a million tools that do it. Systemd has it built in for example. Even Claude Code itself has sandboxing and permissions built in.

Process isolation is not the danger with OpenClaw. Giving an LLM access to all your shit is the problem. My solution is to treat it like a human, give it its own accounts, scoped to what you want it to do and accept the risks associated with that. If I had a human assistant I wanted to read my email, I'd set up an inbox for them specifically and forward what I want them to screen. I don't use OpenClaw, but have a similar harness I built that runs as an unprivileged Linux user with access to just what I want it to access.

I know it's not in vogue to actually know how technology works anymore, but we have literally decades worth of technology solutions for authentication/authorization, just fucking use it.

Frannky•19m ago
I recently installed Zeroclaw instead of OpenClaw on a new VPS (it seems a little safer). It wasn’t as straightforward as OpenClaw, but it was easy to set up. I added skills that call endpoints and also cron jobs to trigger recurrent skills. The endpoints are hosted on a separate VPS running FastAPI (Hetzner, ~$12/month for two VPS).

I’m assuming the claw might eventually be compromised. If that happens, the damage is limited: they could steal the GLM coding API key (which has a fixed monthly cost, so no risk of huge bills), spam the endpoints (which are rate-limited), or access a Telegram bot I use specifically for this project.

dadro•11m ago
The recent releases of OpenClaw have made running it on docker/podman much easier. I've been running it on a standalone Lenovo ThinkCentre running inside docker. For my needs the setup works well. There are some limitations like hardware and filesystem access with my workstation (MacBook) but largely solvable and I like the isolation. For locking it down further, particularly on the network level, someone recently released https://nono.sh/ which seems promising. I've been using https://clawchat.dev/ on my MacBook for chatting with the openclaw agent. It is rough around the edges but gets the job done.