Secure mode switcher for OpenClaw - runs your existing installation in a sandboxed Docker container
Project description
OpenClaw Secure
Run OpenClaw in a secure, sandboxed Docker container with automatic device pairing and dashboard access.
Quick Start
1. Install Prerequisites
- Docker Desktop (Windows/Mac) or Docker Engine (Linux)
- Python 3.10+
- pip or pipx
2. Install openclaw-secure
# Using pipx (recommended - isolated environment)
pipx install openclaw-secure
# Using pip
pip install openclaw-secure
3. Enable Secure Mode
# Interactive mode (will ask for config path, port, etc.)
openclaw-secure enable
# Non-interactive mode (uses defaults)
openclaw-secure enable --yes
# With custom config location
openclaw-secure enable --config "G:\\MyProjects\\openclaw\\config"
# With custom port
openclaw-secure enable --port 8080
# Maximum security sandbox
openclaw-secure enable --sandbox maximum --yes
What Happens
- Detects your OpenClaw config (or lets you specify location)
- Preserves all settings, API keys, and models
- Configures sandbox mode and gateway binding
- Starts container with port mapping
- Auto-approves any pending devices
- Opens browser with authenticated URL
Dashboard Access
After enabling, the dashboard URL with token is displayed:
Click to open: http://127.0.0.1:18789/#token=...
Or get it later:
openclaw-secure dashboard --no-open
Fresh Install Setup (No Existing OpenClaw)
If you don't have OpenClaw installed, openclaw-secure can create a fresh config.
Step 1: Enable Secure Mode
openclaw-secure enable --yes
When no config is detected, it will create a fresh one automatically (or ask you in interactive mode).
Step 2: Run Onboard Wizard
After the container starts, set up your API keys:
# Interactive setup (recommended for first time)
docker exec -it openclaw-secure openclaw onboard
# Or use exec command
openclaw-secure exec onboard
This wizard will guide you through:
- Adding your AI provider API keys (Anthropic, OpenAI, etc.)
- Setting your default model
- Configuring workspace preferences
Step 3: Verify Setup
# Check version
openclaw-secure exec --version
# List agents
openclaw-secure exec agents list
# Open dashboard to configure API keys via web UI
openclaw-secure dashboard
Or use Docker directly for interactive setup:
docker exec -it openclaw-secure openclaw onboard
Running OpenClaw CLI Commands
Execute any OpenClaw command inside the secure container:
# List agents
openclaw-secure exec agents list
# Add an agent
openclaw-secure exec agents add my-agent
# Check OpenClaw version
openclaw-secure exec --version
# Run onboard wizard (interactive - use docker directly)
docker exec -it openclaw-secure openclaw onboard
# Run any command
docker exec openclaw-secure openclaw <command>
Common CLI Commands
# Check version
openclaw-secure exec --version
# List agents
openclaw-secure exec agents list
# Create new agent
openclaw-secure exec agents add my-agent
# Run onboard wizard (interactive)
docker exec -it openclaw-secure openclaw onboard
# Check container logs
docker logs openclaw-secure --tail 50
Device Management
# List devices
openclaw-secure devices --list
# Approve a pending device
openclaw-secure devices --approve <device_id>
# List with docker directly
docker exec openclaw-secure openclaw devices list
# Approve with docker directly
docker exec openclaw-secure openclaw devices approve <device_id>
Disable Secure Mode
openclaw-secure disable
This stops the container and restores your previous OpenClaw setup.
Commands
| Command | Description |
|---|---|
enable |
Start secure container mode |
disable |
Return to normal mode |
status |
Check current mode |
dashboard |
Open dashboard in browser |
devices |
Manage device pairing |
exec |
Run OpenClaw CLI commands inside container |
doctor |
Run diagnostics |
emergency-restore |
Force recovery |
Options
openclaw-secure enable [OPTIONS]
Options:
--config PATH Custom config directory
--port INTEGER Custom port (default: 18789)
--sandbox [chat-only|maximum|none] Sandbox mode
--network [none|bridge] Network mode
--disable-device-auth Skip device pairing (not recommended)
--yes / -y Non-interactive mode
--no-backup Skip backup creation
Prerequisites
Before installing openclaw-secure, ensure you have the following installed:
Required
| Software | Version | Purpose | Download |
|---|---|---|---|
| Docker Desktop | Latest | Container runtime | docker.com |
| Python | 3.10+ | Runtime for openclaw-secure | python.org |
| pip or pipx | Latest | Package installer | Included with Python |
Optional (for fresh OpenClaw installs)
| Software | Purpose |
|---|---|
| OpenClaw CLI | Only needed if you want to run openclaw commands locally outside the container |
Platform-Specific Notes
Windows:
- Docker Desktop with WSL2 backend recommended
- Run PowerShell or Command Prompt as Administrator if you encounter permission issues
macOS:
- Docker Desktop for Mac (Apple Silicon or Intel)
- May need to allow Docker in System Preferences > Security & Privacy
Linux:
- Docker Engine (Docker Desktop not required)
- Add your user to the
dockergroup:sudo usermod -aG docker $USER - Log out and back in for group changes to take effect
Verify Installation
# Check Docker
docker --version
docker ps
# Check Python
python --version
# Check pip
pip --version
How It Works
- Container: Runs official
ghcr.io/openclaw/openclaw:latestimage - Port Mapping: Exposes port 18789 to localhost
- Volume Mounts:
- Config directory (read-write for API key updates)
- Workspace directory
- Cache directory
- Gateway Binding: Configures
0.0.0.0binding for Docker compatibility - Auto-pairing: Automatically approves devices on startup
Security Notes
- Config files remain editable on your host
- Device auth is enabled by default (disable with
--disable-device-auth) - Sandbox modes protect your system from AI-generated code
- Network is isolated (bridge mode) by default
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file openclaw_secure-0.1.0.tar.gz.
File metadata
- Download URL: openclaw_secure-0.1.0.tar.gz
- Upload date:
- Size: 33.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3f91f8f75c3768b1715f0babcf088a63042fc480d59464baad421acc3efe790a
|
|
| MD5 |
868359b98f3a9e11c5fc41da36b0bbf5
|
|
| BLAKE2b-256 |
e89e341cfdfb1dce7326c9146b4a25dc19ebb1052286ba180e917add37706811
|
File details
Details for the file openclaw_secure-0.1.0-py3-none-any.whl.
File metadata
- Download URL: openclaw_secure-0.1.0-py3-none-any.whl
- Upload date:
- Size: 32.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5be810a51a2770af56827879ab131663b646d89dc73f895ae9eac75f110a710c
|
|
| MD5 |
e5b8be3ce7d976f8dc36d5e1b578d8d8
|
|
| BLAKE2b-256 |
47b24777c583d81f96fcdd333d550b02f6f7d66d634774d288e022ba9edfbef8
|