The "Local-First" philosophy gives you data sovereignty, but it also gives your agent shell access. A compromised agent on localhost is a compromised machine. We must apply Zero Trust principles even to our own tools.
The Localhost Fallacy
Many developers assume that because an agent runs on 127.0.0.1, it is safe. This is false. If an agent has write access to your filesystem and network access to the web, it bridges the gap between the internet and your kernel.
Defensive Architecture
Containerization
Run OpenClaw instances inside Docker containers with restricted volume mounts. Never mount your entire home directory.
Network Whitelisting
Restrict the agent's outbound traffic. It should only talk to known API endpoints (LLM providers) and specific target sites.
Read-Only by Default
Agents should start with read-only permissions. Write access should be granted explicitly per session or per directory.
Sandboxing Configuration
Recommended Docker configuration for high-risk research tasks:
# docker-compose.yml example
services:
openclaw-agent:
image: openclaw/core:latest
network_mode: "bridge"
volumes:
- ./workspace:/app/workspace:rw # Only mount a specific workspace
- ./logs:/app/logs:rw
environment:
- ALLOWED_DOMAINS=github.com,stackoverflow.com
- PREVENT_SUDO=true
- READ_ONLY_SYSTEM=true
By enforcing these constraints, you ensure that even if an agent is tricked by a prompt injection attack, the blast radius is contained to the ephemeral container.