Lesson 03 · OpenClaw, Safely Pro ~10 min 5 isolation rules

Before you install: the safe-setup checklist.

Every exposed OpenClaw in those scans was a setup decision, not a sophisticated hack. Which means safety is also a setup decision — made before the installer runs. This is the 30 minutes of choices that keep your agent private for as long as you run it.

The principle behind everything

Shrink the blast radius.

One sentence worth memorizing: assume your agent will eventually be tricked, and build so that a tricked agent can't hurt you. Prompt injection can't be fully prevented (Lesson 2), so we don't rely on the agent behaving — we limit what a misbehaving one can reach. Security people call that the blast radius. Every choice below shrinks it.

Do it · choose where it lives

Pick a home — see what it costs you if it's breached.

The hardware decision sets the floor for everything else. Tap each to see its blast radius.

Do it · the five isolation rules

Make each safe choice and watch the radius shrink.

Five decisions stand between "private assistant" and "scan-report statistic." Pick the safe option for each.

🛡 Blast radiusExposed
0 / 5 safe choices made
The 30-second self-test

Finish this sentence honestly: "If a stranger fully controlled my agent's machine right now, the worst they could do is ______." If the blank contains your real email, files, passwords, or anything involving your employer — your setup isn't done. If it's "read an empty box and spend $20 of API credit," you're ready to install.

Your pre-flight checklist

Pick your hardware, create the agent's dedicated email + a spend-capped API key, install Tailscale if you want remote access, and write the kill-switch sticky note. That's the whole assignment. When those four things exist you've done the hard part — the install itself is the easy 20 minutes.

What you can do now

  • Explain blast radius: build so a tricked agent can't reach anything that matters
  • Choose the right home: spare machine, Pi, VPS, or (carefully) a VM on your main computer
  • Bind the gateway to localhost and use Tailscale instead of ever exposing a port
  • Provision dedicated accounts and a spend-capped, revocable API key
  • Write the agent's data scope before connecting anything
  • Keep a three-move kill switch: stop service, revoke key, pull the plug
Pro
Up next in OpenClaw, Safely

Lesson 04 · Install and onboard, step by step

The openclaw onboard walkthrough on your prepared machine — Node, the gateway, running as a service, picking your model — and verifying you're NOT publicly visible before you go further. Start lesson 04 →

🎓
AI Coach
Ask anything about this lesson
Hey! I'm your AI Coach for this lesson. Ask me anything about safe setup — hardware, localhost binding, key hygiene, the kill switch. What's on your mind?
Free lesson coaching is limited to 3 questions. Upgrade to Pro for unlimited coaching on every lesson.