How to Securely Run an OpenClaw AI Agent on a Dedicated Machine

This guide details a step‑by‑step, security‑first approach for safely experimenting with OpenClaw using a dedicated host, Tailscale private network, command whitelisting, read‑only tokens, and one‑way data flow, complete with configuration commands and emergency procedures.

High Availability Architecture

Objective

Provide a reproducible, security‑first deployment of OpenClaw on an isolated host, using read‑only tokens, a command whitelist, Tailscale private networking, and one‑way data flow.

Machine Hardening (Phase 1)

Create a non‑admin user openclaw with limited filesystem access.

Enable the macOS firewall, hide the host (no ping response), and block all inbound connections.

Configure SSH: disable password and root login, allow only key‑based login for openclaw, limit login attempts.

Install Tailscale and join a private Tailnet; no public ports are exposed. Access the host only via authorized devices (e.g., MacBook, iPhone) using Tailscale SSH.

Disable unnecessary services (remote management, screen sharing, file sharing, AirDrop).

OpenClaw Installation (Phase 2)

Store the Claude API key with file permissions readable only by the owner; rotate the key monthly.

Configure the Telegram bot to accept commands from a single owner ID; never add the bot to group chats.

Enable sandbox mode so that risky operations run inside containers.

Define a command whitelist: allow curl, cat, ls, echo, node, npx. Explicitly forbid rm, sudo, ssh, and any other destructive commands.
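As an added example (not code from the guide or its Gist), the Phase 2 whitelist as a Python wrapper: it enforces the guide's allow and deny lists, and also rejects chaining, redirection, command substitution and path-qualified names, which a check on the first word alone would miss, before executing the argv without a shell. The command lists are the guide's; the function and class names are assumptions of this example.

```python
import shlex
import subprocess
from typing import NamedTuple

# Allow- and deny-lists exactly as the guide's Phase 2 specifies them.
ALLOWED = frozenset({"curl", "cat", "ls", "echo", "node", "npx"})
FORBIDDEN = frozenset({"rm", "sudo", "ssh"})
# Shell control operators. A check that only inspects the first word is
# bypassed by chaining ("ls; rm -rf ~"), so any of these is rejected.
CONTROL_OPERATORS = frozenset({";", "&&", "||", "|", "&", ">", ">>", "<", "<<", "(", ")"})


class Verdict(NamedTuple):
    allowed: bool
    argv: list   # tokens to pass to subprocess.run(argv, shell=False)
    reason: str


def check_command(line: str) -> Verdict:
    """Decide whether `line` may run, and return the argv to exec if so."""
    # Command substitution smuggles a second program into an allowed one.
    if "$(" in line or "`" in line:
        return Verdict(False, [], "command substitution is not permitted")
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True          # keep URLs such as https://x/y intact
    try:
        tokens = list(lexer)
    except ValueError as exc:              # unbalanced quotes, dangling escape
        return Verdict(False, [], f"unparseable command: {exc}")
    if not tokens:
        return Verdict(False, [], "empty command")
    bad = [t for t in tokens if t in CONTROL_OPERATORS]
    if bad:
        return Verdict(False, [], f"shell operator not permitted: {bad[0]}")
    cmd = tokens[0]
    # Require a bare program name resolved from a fixed PATH, so that
    # "/bin/rm" or "./ls" cannot sidestep the name check.
    if "/" in cmd:
        return Verdict(False, [], "path-qualified commands are not permitted")
    if cmd in FORBIDDEN:
        return Verdict(False, [], f"forbidden command: {cmd}")
    if cmd not in ALLOWED:
        return Verdict(False, [], f"command not on whitelist: {cmd}")
    return Verdict(True, tokens, "ok")


def run_whitelisted(line: str, timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Run an approved command with no shell, so metacharacters stay literal."""
    verdict = check_command(line)
    if not verdict.allowed:
        raise PermissionError(verdict.reason)
    return subprocess.run(verdict.argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
```

The whitelist is a guardrail, not a sandbox: node, npx and curl can each fetch or execute further code, so the container sandbox enabled in the previous step remains the real boundary.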

Agent Configuration (Phase 3)

The SOUL.md file specifies the agent’s identity and constraints.

Responsibilities: monitor Twitter/X keywords, track industry news, generate daily summaries and real‑time alerts.

Prohibitions: no posting, no messaging other users, no financial transactions, no file modifications outside the agent’s workspace, no unsanctioned skill installations.

Heartbeat interval set to 30 minutes to reduce API cost and error surface.

Scope each external token to read‑only permissions (Twitter API, Google Calendar, email).

One‑Way System Integration (Phase 4)

OpenClaw writes output files to an inbox folder. Existing personal knowledge‑management tools ingest these files; there is no bidirectional sync, eliminating drift or corruption risk.

Security Validation (Phase 5)

Run audit commands before production. Example validation steps:

Disable Tailscale on the client device and verify the host is unreachable.

Attempt SSH from outside the Tailnet; connection must fail.

Send a Telegram message from an unauthorized account; the bot must ignore it.

Lessons Learned

Connectivity: Enable Tailscale SSH before traveling to avoid loss of remote access.

Context overflow: Reset sessions or enforce a maximum context size to prevent “prompt too large” errors.

Rate‑limit exhaustion: Use a cheaper model for heartbeat checks; reserve the expensive model for core tasks.

Cost Estimate (Phase 1)

Claude API (30‑min heartbeat): $30‑100 / month

Tailscale (free tier): $0

Twitter/X read‑only API: $100 / month

Total: $130‑200 / month

Emergency Procedures

Immediately stop the OpenClaw gateway locally or via Tailscale SSH.

If compromise is suspected, revoke all API tokens, audit the logs, replace the Telegram bot token, and verify any modified files before rebooting.

Recommendations for New Deployments

Start in read‑only mode; avoid posting or financial actions.

Use a single agent and a single Telegram channel.

Never expose public ports; rely exclusively on Tailscale.

Employ a strict command whitelist instead of a full shell.

Scope each token to the least privilege required.

Enable Tailscale SSH before it is needed.

Only add new features after at least two weeks of stable, issue‑free operation.

References

Full command list and configuration scripts are available in the accompanying Gist: https://gist.github.com/jordanlyall/8b9e566c1ee0b74db05e43f119ef4df4

Written by

High Availability Architecture

Official account for High Availability Architecture.