Safe Installation (The Only Way You Should Do It)
Install OpenClaw safely using Docker isolation. Step-by-step instructions with security hardening that protect your computer from the known vulnerabilities.
Why 135,000 People Got This Wrong
🔄 Quick Recall: In the previous lesson, we mentioned that 135,000+ OpenClaw instances are exposed to the internet. That’s not a theoretical risk — it happened because of how the default installation works.
Here’s what went wrong: OpenClaw’s default setup binds to 0.0.0.0:18789. In plain English, that means “let anyone on any network connect to me.” People followed the quick-start guide, didn’t change this setting, and accidentally made their AI agent — along with their email, calendar, and files — accessible to the entire internet.
This lesson exists so you don’t become number 135,001.
By the end of this lesson, you’ll be able to:
- Install Docker on your computer
- Run OpenClaw inside a secure Docker container
- Apply security hardening that blocks the most common attack vectors
What Is Docker? (The 60-Second Version)
Imagine you’re renting out a room in your house. You have two options:
Option A: Open access. The tenant can wander into your bedroom, open your safe, read your mail, and use your credit cards. That’s installing OpenClaw directly on your computer.
Option B: A sealed apartment. The tenant stays in their room. They have their own entrance, their own utilities, and can’t access the rest of the house. If they make a mess, you can tear down the apartment and rebuild it in minutes. That’s Docker.
Docker creates a container — a sealed, isolated environment that runs on your computer but can’t touch your personal files, passwords, or other applications. If OpenClaw gets compromised inside Docker, the attacker is trapped in the container.
Is it perfect? No. CVE-2026-24763 showed that a sophisticated attacker could escape Docker through PATH manipulation. But Docker raises the bar dramatically — like the difference between leaving your front door open and having a locked door with a deadbolt. Someone could pick the lock, but most threats are stopped.
✅ Quick Check: In the apartment analogy, what does “tearing down the apartment and rebuilding it in minutes” represent? (Answer: Destroying and recreating the Docker container — wiping any potential compromise and starting fresh.)
Step 1: Install Docker
On Mac:
- Go to docker.com and download Docker Desktop for Mac
- Open the downloaded file and drag Docker to your Applications folder
- Launch Docker Desktop from Applications
- Wait for the whale icon to appear in your menu bar — that means Docker is running
On Windows:
- Go to docker.com and download Docker Desktop for Windows
- Run the installer (you may need to enable “WSL 2” — the installer will guide you)
- Restart your computer when prompted
- Launch Docker Desktop
On Linux: Follow the official Docker installation for your distribution at docs.docker.com.
How to verify it worked: Open your Terminal (Mac/Linux) or Command Prompt (Windows) and type:
docker --version
You should see something like Docker version 27.x.x. If you get an error, Docker isn’t running.
Step 2: Install OpenClaw in Docker (The Safe Way)
OpenClaw provides a Docker setup script. Here’s the safe approach:
# 1. Create a folder for OpenClaw
mkdir ~/openclaw && cd ~/openclaw
# 2. Download the Docker Compose file
curl -fsSL https://openclaw.ai/docker-compose.yml -o docker-compose.yml
Before running anything, read the next section. The default configuration is not secure enough.
Step 3: Security Hardening (Critical)
Here’s where most guides stop and most people get compromised. We’re going to apply five security layers:
Layer 1: Bind to Localhost Only
Open your docker-compose.yml file and find the ports section. Change:
# DANGEROUS DEFAULT:
ports:
  - "0.0.0.0:18789:18789"
# SAFE:
ports:
  - "127.0.0.1:18789:18789"
This single change means OpenClaw only accepts connections from your own computer — not from the internet.
Layer 2: Run as Non-Root User
The official Docker image already runs as a non-root node user (good!). Verify this is in your compose file:
user: "node"
If it says root or doesn’t specify a user, add the line above.
Layer 3: Drop All Capabilities
Add these security flags to the container definition:
security_opt:
  - no-new-privileges:true
cap_drop:
  - ALL
What this does: cap_drop: ALL removes every special system privilege. no-new-privileges prevents the container from ever gaining new ones. Together, they mean the container can only perform basic, non-dangerous operations.
Layer 4: Read-Only Filesystem
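read_only: true
tmpfs:
  - /tmp:rw,noexec,nosuid,size=64M
This makes the container’s root filesystem read-only — it can’t create new files or modify existing ones except in a small, restricted temporary folder (mounted noexec, so files written there can’t be executed directly) and in any volume you mount, such as the data volume in the complete file below. Even if an attacker gets in, installing malware that survives becomes much harder.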
Layer 5: Set a Strong Gateway Token
During the onboarding process, OpenClaw generates a gateway token. This is your password. Make it strong:
- Use a random password generator (at least 32 characters)
- Never share it
- Don’t use the same password you use elsewhere
✅ Quick Check: Which of the five hardening layers prevents OpenClaw from being accessible over the internet? (Answer: Layer 1 — binding to 127.0.0.1 instead of 0.0.0.0.)
Step 4: Run the Onboarding Wizard
Now start the container and run setup:
# Start the container
docker compose up -d
# Run the onboarding wizard
docker exec -it openclaw openclaw onboard --install-daemon
The wizard will:
- Ask you to choose an AI provider (Claude, GPT, DeepSeek)
- Ask for your API key from that provider
- Generate your gateway token
- Set up the control interface at http://127.0.0.1:18789/
Important: When it asks about messaging channels, skip this for now. We’ll set those up in Lesson 4 after confirming everything works.
The Complete Hardened docker-compose.yml
Here’s what your final file should look like (with all five security layers):
version: '3.8'
services:
  openclaw:
    image: openclaw/openclaw:latest
    container_name: openclaw
    user: "node"
    ports:
      - "127.0.0.1:18789:18789"
    volumes:
      - openclaw-data:/app/data
    environment:
      - NODE_ENV=production
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64M
    restart: unless-stopped
volumes:
  openclaw-data:
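A static check of the finished file against layers 1 to 4, added here as an example; it is not part of OpenClaw or of the original lesson, and the function names `items` and `audit_compose` are hypothetical. It assumes a single service with block-style lists, and it also flags a port mapping that has no host IP, which Docker publishes on all interfaces just like 0.0.0.0.

```sh
#!/bin/sh
# Added example (not from OpenClaw): line-based audit of a single-service
# docker-compose.yml for hardening layers 1-4. Not a full YAML parser.

# Print the "- item" entries that directly follow "KEY:" (quotes stripped).
items() {
    tr -d "\"'" < "$2" | awk -v key="$1:" '
        /^[[:space:]]*#/ { next }            # ignore comment lines
        $1 == key        { on = 1; next }
        on && $1 == "-"  { print $2; next }
                         { on = 0 }'
}

audit_compose() {
    f=$1; fails=0
    flag() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # Layer 1: a mapping with no host IP ("18789:18789") binds to all
    # interfaces, exactly like "0.0.0.0:18789:18789". Only 127.0.0.1 passes.
    for p in $(items ports "$f"); do
        case $p in
            127.0.0.1:*) ;;
            *) flag "port $p is not bound to 127.0.0.1" ;;
        esac
    done

    # Layer 2: an explicit non-root user.
    user=$(tr -d "\"'" < "$f" | awk '$1 == "user:" { print $2; exit }')
    case $user in
        ''|root|root:*|0|0:*) flag "user is '${user:-unset}', expected non-root" ;;
    esac

    # Layer 3: all capabilities dropped and privilege escalation blocked.
    items cap_drop "$f" | grep -qx 'ALL' || flag "cap_drop does not include ALL"
    items security_opt "$f" | grep -Eqx 'no-new-privileges[:=]true' ||
        flag "security_opt lacks no-new-privileges:true"

    # Layer 4: read-only root filesystem.
    grep -Eq '^[[:space:]]*read_only:[[:space:]]*true' "$f" ||
        flag "read_only: true is missing"
    [ "$fails" -eq 0 ] && echo "OK: layers 1-4 present in $f"
    return "$fails"
}

# Constructed sample: a port mapping with no host IP and nothing else hardened.
sample=$(mktemp)
printf '%s\n' 'services:' '  openclaw:' '    ports:' '      - "18789:18789"' > "$sample"
audit_compose "$sample" || true
rm -f "$sample"
```

To check your own file, call `audit_compose docker-compose.yml` before `docker compose up -d`; the exit status is the number of failed checks.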
What We DIDN’T Do (And Why)
You might notice we didn’t install OpenClaw with the one-liner from the website:
# DON'T DO THIS:
curl -fsSL https://openclaw.ai/install.sh | bash
That command installs OpenClaw directly on your computer without Docker. It gives OpenClaw full access to your files, passwords, emails, and everything else. Remember the apartment analogy? This is Option A — the tenant walking through your entire house.
Simon Willison, the security researcher who coined the term “prompt injection,” explicitly said: “I’m not brave enough to run OpenClaw directly on my Mac.”
Follow his lead. Docker only.
If Something Goes Wrong
Container won’t start: Run docker logs openclaw to see error messages. Most issues are incorrect API keys or port conflicts.
Can’t access the control panel: Make sure Docker is running (check for the whale icon) and visit http://127.0.0.1:18789/ — not localhost, which might resolve differently on some systems.
Need to start fresh: That’s the beauty of Docker. Just run:
docker compose down -v
docker compose up -d
This destroys the container and, because of the -v flag, the openclaw-data volume along with everything stored in it, then creates a new one. Like tearing down the apartment and building a new one in 30 seconds.
Key Takeaways
- Always use Docker — never install OpenClaw directly on your computer
- Bind to 127.0.0.1 — the single most important security change (prevents internet exposure)
- Apply all five hardening layers: localhost binding, non-root user, dropped capabilities, read-only filesystem, strong gateway token
- Skip the one-line installer — it gives OpenClaw unrestricted access to your entire system
- Docker isn’t perfect but it raises the bar from “front door wide open” to “locked door with a deadbolt”
Up Next
Your OpenClaw is installed and hardened. In the next lesson, we’ll connect a messaging app and have your first real conversation with your AI agent. You’ll learn how to set up WhatsApp or Telegram and give your agent its first task.