Maximum Isolation with VMs
For the highest level of security isolation, run OpenClaw inside a dedicated virtual machine. This provides hardware-level separation between the AI agent and your host operating system, ensuring that even a complete sandbox escape cannot compromise your primary system.
Recommended VM Configurations
| Use Case | RAM | CPU | Disk |
|---|---|---|---|
| Basic agent tasks | 4 GB | 2 cores | 20 GB |
| Development workflows | 8 GB | 4 cores | 50 GB |
| Production + local LLM | 16 GB+ | 8 cores | 100 GB |
Setup with VirtualBox
- Create a new VM with Ubuntu Server 24.04 LTS
- Allocate resources based on the table above
- Install Node.js 22+ inside the VM
- Install OpenClaw using the standard installation method
- Configure port forwarding to access the dashboard from your host (host 3000 → guest 3000)
- Take a snapshot of the clean installation for easy rollback
VM-Specific Security Tips
- Snapshots: Take regular snapshots. If the agent causes damage inside the VM, you can instantly roll back.
- Network isolation: Use NAT networking with selective port forwarding rather than bridged mode.
- Shared folders: Only share specific project directories — never your entire home folder.
- Clipboard isolation: Disable clipboard sharing to prevent data leakage between host and guest.
Prompt Guardian
Protect your AI agent from prompt injection and malicious commands.