DEV Community

Cover image for I saw someone give OpenClaw a 4-node Proxmox cluster and now I think most of us are doing agent security backwards
Lars Winstand
Lars Winstand

Posted on • Originally published at standardcompute.com

I saw someone give OpenClaw a 4-node Proxmox cluster and now I think most of us are doing agent security backwards

I had one of those "hold on, this is way too normal now" moments reading OpenClaw threads.

Not because people were building toy demos.

Because they weren’t.

People are already using OpenClaw like a browser operator, shell assistant, file mover, client responder, and infra helper. And once an agent can touch client messages, browser sessions, internal docs, and production-ish systems from one place, your main problem is no longer prompting.

It’s blast radius.

That applies way beyond OpenClaw too. If you run agents in n8n, Make, Zapier, OpenClaw, or a custom OpenAI-compatible stack, the easiest path is always the same: keep adding more tools and credentials to one worker until it becomes a giant do-everything agent.

That is convenient.

It is also how you end up with one weird model call away from a very bad day.

The Reddit comment that made me stop scrolling

In a thread on r/openclaw, one user wrote:

“I use OC daily and it has full and unencumbered access to not just my pc but to my lab that has a 4 node Proxmox cluster, 3 GPUs, 1 mid-capacity (~30TB) NAS and another higher capacity (~70TB) NAS. At this point about 75% of my work is OC based.”

That is an incredible demo.

It is also a perfect example of how agent security gets framed backwards.

A lot of people still talk about safety like the solution is:

  • better prompts n- more guardrails in the system message
  • a different model
  • more explicit instructions

No.

If OpenClaw can reach your NAS, Proxmox VE, browser sessions, Telegram bot, Discord account, and client messages, the important skill is containment.

Not whether GPT-5, Claude, Qwen, or Llama follows instructions 4% better on a benchmark.

OpenClaw’s docs are actually pretty honest

This is the part I respect.

OpenClaw’s security model is not pretending to be something it isn’t. The docs frame it more like a trusted personal assistant than a hostile multi-tenant boundary.

That means:

  • one gateway should map to one trust boundary
  • mixed-trust users should not share the same gateway
  • stronger separation means separate OS users or separate hosts

That is the right default mental model.

The problem is that users often hear "I installed it in Docker" and translate that into "I solved isolation."

You didn’t.

Docker can help. It is not a security architecture by itself.

OpenClaw even ships with audit commands that are worth actually running:

openclaw security audit
openclaw security audit --deep
openclaw security audit --fix
openclaw security audit --json
Enter fullscreen mode Exit fullscreen mode

That’s not security theater. That’s a project telling you, pretty directly, that permissions and exposure matter.

If a tool gives you a security audit command and your response is still "yeah but it’s just on my homelab," you are probably skipping the hard part.

“It’s behind Tailscale” is not a complete answer

This one annoys people, but it needs saying.

I keep seeing setups like this:

  • OpenClaw on a VPS
  • reachable via Tailscale
  • maybe behind Nginx or Caddy
  • maybe connected to Telegram or WhatsApp
  • maybe with browser automation that can log into client dashboards

That sounds neat.

It also sounds incomplete.

Tailscale is great. I use it too. But Tailscale is not automatic least privilege. If you don’t define ACLs or grants, the default tailnet posture is much more open than people seem to assume.

These are not the same thing:

Approach What it really means
Tailscale with default tailnet policy Devices can often communicate more broadly than you intended
Tailscale with explicit ACLs or grants Specific sources can reach specific destinations and ports
Public VPS behind reverse proxy You now have an exposed network surface and auth becomes critical

A minimal ACL shape looks like this:

{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:laptop"],
      "dst": ["tag:openclaw:3000"]
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

That’s the kind of boring setup work that actually reduces blast radius.

The weird part: the surrounding tools already support safer designs

This is why I think most of us are doing agent security backwards.

The ecosystem already gives you decent primitives:

  • Proxmox VE supports scoped API tokens and privilege separation
  • Linux gives you separate users
  • Docker gives you process and filesystem isolation options
  • Telegram bots can be limited
  • separate Google accounts are free
  • separate VPS instances are cheap compared to incidents

And yet people still hand one agent the equivalent of the whole keyring.

Why?

Because broad access is easier on day one.

You don’t need to think about boundaries if one OpenClaw instance can do everything.

Until it does the wrong thing.

The best advice I saw: make the agent smaller

In another OpenClaw discussion, a user asking about security got a very practical answer: if the agent is going to do external work, create another user on the VPS, don’t give it root, run OpenClaw in Docker, and use that instance only for client communication.

That’s it.

That’s the whole idea in one sentence.

Don’t make the prompt safer.

Make the agent smaller.

3 containment patterns that matter more than prompt tuning

If I were setting up OpenClaw for anything beyond narrow personal use, I’d prioritize these three things.

1. Separate gateways by trust boundary

Don’t use one gateway for everything.

Better:

  • gateway A: personal assistant tasks
  • gateway B: client-facing comms
  • gateway C: infrastructure actions

If one of them goes weird, the others should not inherit the same reach.

2. Separate identities and credentials

Do not hand the same credentials to every workflow.

Better:

  • non-root Linux user
  • Proxmox token with only required permissions
  • separate Telegram bot for external comms
  • separate Google account for client-facing tasks

Bad:

# one agent, one box, one giant pile of power
/root/.ssh/id_rsa
~/.config/gcloud
~/.aws/credentials
browser session with saved passwords
full Proxmox admin token
Telegram bot with broad message access
Enter fullscreen mode Exit fullscreen mode

Better:

# separate identities per job
/home/openclaw-client/
/home/openclaw-research/
/home/openclaw-infra/
Enter fullscreen mode Exit fullscreen mode

3. Separate network reachability

An agent should not be able to laterally move just because it lives on the same network.

Better:

  • Tailscale ACLs or grants
  • no direct access to NAS unless required
  • no direct access to hypervisor unless required
  • reverse proxy only where exposure is unavoidable
  • firewall rules that match the actual job

If a client-reply bot can also hit your Proxmox API, that’s not flexibility. That’s sloppy boundary design.

What this looks like in practice

Here’s a rough pattern I’d trust more than the common "just wire it all together" setup.

Use case Better isolation choice
One trusted user on one private machine Single gateway can be acceptable
Personal tasks plus client-facing tasks Separate gateway per trust boundary
Infra automation with external integrations Separate gateway, separate OS user, scoped credentials
Mixed-trust or adversarial access Separate host and separate identities

And for credentials:

Credential pattern Risk level
Root or full-account credentials Maximum blast radius
Shared browser profile with saved passwords High risk
Scoped API token with privilege separation Much safer
Separate client-facing account with minimal access Best default for comms workflows

A practical example: split one super-agent into three narrow workers

Let’s say your current setup looks like this:

  • one OpenClaw instance
  • reads Gmail
  • replies to clients in Telegram
  • logs into dashboards with browser automation
  • restarts services in Proxmox
  • reads internal docs from a NAS

That is exactly the kind of setup that feels efficient and is hard to defend.

A better design:

Worker 1: client comms

Can:

  • read a limited inbox
  • draft or send approved client replies
  • access a small knowledge base

Cannot:

  • reach Proxmox
  • mount NAS shares
  • access internal admin dashboards

Worker 2: browser automation

Can:

  • log into one specific dashboard
  • use a dedicated browser profile
  • write results to a queue or database

Cannot:

  • send client messages directly
  • access shell tools
  • reuse your normal browser session

Worker 3: infra actions

Can:

  • hit a narrow Proxmox API surface
  • restart one service or one VM group
  • write logs to a dedicated location

Cannot:

  • browse the web freely
  • access client comms
  • read general internal docs

Yes, this creates more moving parts.

That is the point.

This same mistake shows up in n8n, Make, and Zapier too

OpenClaw just makes the issue obvious because the permissions are so tangible.

But the same pattern shows up everywhere.

In n8n

One AI node gets access to:

  • Slack
  • Gmail
  • Notion
  • HubSpot
  • internal webhooks
  • production APIs

because nobody wanted to split the workflow.

In Make or Zapier

One scenario can:

  • read inbound leads
  • update CRM records
  • send client messages
  • trigger backend actions

with the same credentials.

In custom agent stacks

One OpenAI-compatible worker holds every API key because it was easier than designing boundaries.

Different tools, same bad habit.

One agent gets too much authority because convenience wins early.

The cost model quietly makes this worse

This is the part people underestimate.

Better security usually means:

  • more agents
  • more gateways
  • more narrow workers
  • more background jobs
  • more model calls

That is operationally healthier than one giant super-agent.

But under per-token pricing, people start doing weird math:

  • "Do we really need a separate worker for client replies?"
  • "Can’t the browser agent also handle internal docs?"
  • "Let’s just reuse the same model worker for everything."

That is a bad incentive.

When every extra worker feels like another meter spinning, teams collapse boundaries to save money.

This is exactly why predictable flat-rate compute is useful for agent systems.

If you can use an OpenAI-compatible endpoint with a fixed monthly cost, you can split workers by function and trust boundary without babysitting token spend all day.

That matters whether you’re building in OpenClaw, n8n, Make, Zapier, or your own stack.

Standard Compute is interesting here for a simple reason: it gives you an OpenAI-compatible API with flat monthly pricing, so you can afford to run more narrowly scoped workers instead of cramming everything into one expensive general-purpose agent. That’s not just a finance benefit. It makes safer architecture easier to justify.

A few concrete checks I’d do before trusting an agent with real work

If you already run OpenClaw or similar agents, here’s a quick review list.

Check 1: what can this instance reach?

List it explicitly.

  • filesystems
  • browser sessions
  • admin panels
  • internal docs
  • hypervisors
  • NAS shares
  • messaging platforms

If the answer is "basically everything," stop there.

Check 2: what credentials does it actually need?

Replace broad credentials with scoped ones.

Examples:

  • use a Proxmox API token instead of a full admin account
  • use a separate Telegram bot for external comms
  • use a dedicated browser profile instead of your daily profile
  • use a non-root OS user

Check 3: what happens if the agent gets confused?

Assume the model hallucinates.

Assume a tool call is wrong.

Assume a prompt injection lands.

Now ask: what can it still damage?

That answer is your real security posture.

Check 4: are you paying a pricing penalty for isolation?

If the honest answer is yes, your architecture will drift toward overpowered workers.

That’s not a people problem. That’s an incentive problem.

My opinion: the real flex is blast-radius design

The most impressive OpenClaw setup is not the one with the most power.

It’s the one where the operator can say:

  • this gateway can touch Telegram but not Proxmox
  • this OS user can access one directory and nothing else
  • this Tailscale node can hit one service on one port
  • this browser worker can log into one tenant only
  • this client bot cannot see internal notes

That’s real engineering.

Not "I gave my agent root and it mostly behaves."

If you only remember one question, make it this one

If OpenClaw is still a private sidekick on your own machine for one narrow job, fine.

But the second it starts doing client work, browser work, or infrastructure work, stop asking how to make it smarter.

Ask this instead:

If this agent goes weird, what exactly can it reach?

If your answer is "basically everything," you do not have an agent architecture.

You have a future Reddit post.

Top comments (0)