Docker Secures OpenClaw in a Sandbox So Your API Keys Stay Hidden

OpenClaw is an AI coding agent that can read/write any file, issue arbitrary network requests, access API keys (e.g., Anthropic, OpenAI), and execute shell commands on the host.

Security challenge

Running OpenClaw locally gives the agent full privileges on the machine, so a mechanism is needed to restrict its file system, network, and credential access.

Docker solution: Sandboxes + Model Runner

Docker Sandboxes run workloads inside a micro‑VM with an independent kernel, while Docker Model Runner provides a local LLM inference engine bound to localhost:12434, eliminating external API costs.

Isolation properties

Kernel : sandbox uses an independent kernel; a regular container shares the host kernel.

Network : sandbox traffic passes through a proxy that can deny any host; a regular container has unrestricted external access by default.

File system : sandbox can only read/write the allocated workspace; a regular container can read/write any mounted directory.

API keys : sandbox proxy injects keys automatically and the agent never sees the raw value; with a regular container the developer must manage keys manually.

Consequently, inside a sandbox OpenClaw can see only the workspace you allocate, cannot access host files, cannot make unrestricted network requests, and never receives the plaintext API key.

Docker Model Runner benefits

No API fees : the model runs locally, so token‑based billing disappears.

Full privacy : code and prompts never leave the machine.

Network independence : no external service connections are required.

The Model Runner supports popular open‑source models such as GPT‑OSS, Qwen, and Llama.

Key commands

docker model pull ai/gpt-oss:20B-UD-Q4_K_XL

Pre‑built sandbox image (includes Node.js 22, OpenClaw, and a bridge script):

olegselajev241/openclaw-dmr:latest

Step‑by‑step setup

Enable Docker Model Runner in Docker Desktop and pull the desired model. docker model pull ai/gpt-oss:20B-UD-Q4_K_XL Create a sandbox named openclaw from the pre‑built image.

docker sandbox create --name openclaw -t olegselajev241/openclaw-dmr:latest shell .

Configure the sandbox network proxy to allow access to the host Model Runner.

docker sandbox network proxy openclaw --allow-host localhost

Run the sandbox. docker sandbox run openclaw Inside the sandbox, start OpenClaw: ~/start-openclaw.sh The script discovers the local Model Runner, lists available models, and lets the user select one.

Bridge script flow

OpenClaw
  ↓ request
  local bridge (127.0.0.1:54321)
  ↓ forward
  sandbox network proxy (host.docker.internal:3128)
  ↓ route
  Docker Model Runner (host localhost:12434)

This design keeps network control in the proxy layer, preventing the agent from issuing arbitrary requests.

Custom image workflow (optional)

Create a base sandbox and manually install Node.js 22 and OpenClaw.

Add the bridge script.

Modify OpenClaw’s configuration to point to http://localhost:12434 (the Model Runner API address).

Save the sandbox as a reusable image with docker sandbox save.

Push the image to a registry for team‑wide reuse.

Resulting security guarantees

File access is hard‑limited to the designated workspace.

All network traffic is filtered through the sandbox proxy.

API keys are injected by the proxy and never exposed to the agent.

These structural constraints provide a verifiable permission boundary for locally run AI agents such as OpenClaw.