Why Installing OpenClaw on Your Main PC Is Risky and How to Isolate It Safely
The article explains why placing OpenClaw on a primary workstation exposes personal accounts, files, and browser sessions to a message‑driven system, and provides a step‑by‑step security baseline—including isolated environments, official audits, sandbox configuration, and permission hardening—to keep the tool safely contained.
Why installing OpenClaw on a primary workstation is risky
Official security documentation states that risk originates from who drives the model, what resources it can reach, and how far it can act. Installing OpenClaw in a daily‑use environment adds multiple layers of exposure:
The browser is already logged into personal email, messaging apps, password managers, cloud storage, and social accounts.
The file system contains contracts, photos, financial spreadsheets, project data, API keys, and download directories.
Adding browser control, open chat entry points, third‑party plugins, and uncontrolled Skills exposes the most sensitive runtime to a message‑driven system.
When a breach occurs, the primary concern is not whether the model answers incorrectly but whether it gains access to data it should never see. The official docs repeatedly advise using a dedicated computer for such agents.
Minimal security baseline – four required actions
Provide an isolated runtime environment – prioritize from highest to lowest: dedicated machine → dedicated OS account → virtual machine → container → at least a separate browser profile. Do not share these environments with daily office accounts or password managers.
Run the official security audit – execute the following commands:
openclaw security audit
openclaw security audit --deep
openclaw security audit --fix
The audit checks gateway exposure, browser control, open policies, file permissions, plugins, and model‑policy drift.
Enable sandboxing with no workspace read/write access by default – the sandbox configuration defines three workspaceAccess levels: none, ro, and rw. Start with none and avoid jumping directly to rw. Example configuration:
{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "non-main",
        "scope": "session",
        "workspaceAccess": "none"
      }
    }
  }
}
If the tool only needs to read data, use ro; otherwise keep none.
Treat ~/.openclaw/ as a sensitive area – the directory, openclaw.json, credentials, auth‑profiles.json, session files, and logs must have permissions that prevent group or other users from reading them.
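The permission requirement above as a runnable check, added here as an example and not taken from OpenClaw's documentation or tooling. It assumes the state directory is ~/.openclaw as stated above; the function names, the script name, and the report/tighten arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenClaw tooling): audit permissions on the state directory.
# Assumption: state lives in ~/.openclaw, as the article states.
# Usage: sh check_state_perms.sh [report|tighten] [dir]   (script name is hypothetical)

# Print every non-symlink path under $1 that grants any group/other bit.
list_exposed() {
    [ -d "$1" ] || return 0
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all group/other bits, leaving owner bits untouched.
# Symlinks are skipped so chmod never follows one out of the directory.
tighten() {
    [ -d "$1" ] || return 0
    find "$1" ! -type l -exec chmod go-rwx {} +
}

action=${1:-report}
target=${2:-$HOME/.openclaw}

if [ "$action" = "tighten" ]; then
    tighten "$target"
fi

exposed=$(list_exposed "$target")
if [ -n "$exposed" ]; then
    printf 'group/other access granted on:\n%s\n' "$exposed"
else
    printf 'no group/other access under %s\n' "$target"
fi
```

The default action only reports; nothing is changed unless tighten is passed as the first argument.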
Browser control – the most easily underestimated risk
OpenClaw can control a browser, but this capability is not equivalent to simple automation. The official browser documentation requires a dedicated, controlled browser account separate from everyday use.
Use a dedicated browser account; never point to a regular personal account.
Disable password sync, browser sync, and unnecessary auto‑login.
Isolate the download directory; treat browser downloads as untrusted input.
Treat remote CDP nodes, remote nodes, and open relay/control ports as high‑risk remote operations.
One‑sentence reminder: if the browser can reach personal accounts, OpenClaw can reach them too.
Shared entry points – additional precautions
When a corporate chat bot (e.g., WeChat or Feishu) backs OpenClaw, the risk expands from “who can talk to it” to “who can use its hands to touch the system.” Required safeguards include:
Operate within the same trusted boundary; avoid mixing personal and corporate usage.
Restrict tool permissions; keep sensitive capabilities disabled by default.
Separate by business, team, and environment; avoid a single gateway serving all workloads.
Prefer an allowlist over fully open access.
Recommended installation sequence
1. Prepare an isolated environment (machine / VM / container / OS user)
2. Install OpenClaw
3. Immediately run openclaw security audit
4. Set sandbox workspaceAccess to none or ro
5. Enable browser control
6. Finally connect shared chat entry points, webhooks, and third‑party plugins
Installing all features first and retrofitting security later is error‑prone and difficult to remediate.
AI Step-by-Step
Sharing AI knowledge, practical implementation records, and more.
