
Running OpenClaw in Docker

Category: guide | Last updated: 2026-04-03 | Status: complete

Summary

OpenClaw (also known as Clawdbot or Moltbot) is an open-source personal AI assistant that carries significant security risks when run directly on a personal machine. Running it inside a Docker container isolates it, limiting the blast radius of any prompt injection or misbehavior. This guide, based on Simon Willison's TIL post from February 2026, documents the working Docker setup, including Telegram integration and web UI access.

Why Docker?

OpenClaw has access to your file system, can run shell commands, browse the web, and take actions on your behalf — making it a textbook example of the lethal trifecta if connected to a private inbox. Docker containment:

  • Limits file system access to mounted volumes only
  • Prevents direct access to host system tools
  • Makes it easy to tear down and restart
  • Allows running as a non-root user by default (safer)

Setup

1. Clone and Run

git clone https://github.com/openclaw/openclaw
cd openclaw
./docker-setup.sh

Two directories are created on the host and mounted as volumes:

  • ~/.openclaw — configuration, memory, third-party API keys
  • ~/openclaw/workspace — files the agent can read and write

2. First-Run Questions

OpenClaw asks many questions on first run. Key choices:

| Question | Recommended answer |
|---|---|
| Onboarding mode | manual |
| What to set up | Local gateway (this machine) |
| Model provider | OpenAI Codex with ChatGPT OAuth (uses your $20/month subscription, caps spend) |
| Tailscale | Skip — configuring it on first attempt can break the machine |

ChatGPT OAuth flow: OpenClaw gives you a URL to open in your browser. It redirects to a localhost address showing an error (the local service isn't running yet). Copy and paste that localhost URL back into OpenClaw to complete authentication.

3. Verify It's Running

docker ps
# Look for: openclaw:local / openclaw-openclaw-gateway-1

4. Administrative Commands

Run via the openclaw-cli container — must be run from the same directory as docker-compose.yml:

docker compose run --rm openclaw-cli status

Telegram Integration

Telegram lets you control OpenClaw from your phone.

  1. Create a bot: chat with @BotFather on Telegram → /newbot → follow prompts → get token
  2. Provide the token to OpenClaw during setup
  3. Pair your Telegram account:
    docker compose run --rm openclaw-cli pairing approve telegram <CODE>
    
    (OpenClaw sends you the pairing code via Telegram)

Web UI

Default address: http://localhost:18789

Requires a token URL parameter. Get it:

docker compose run --rm openclaw-cli dashboard --no-open

If you get the error "disconnected (1008): pairing required", use this alternative:

# List devices
docker compose exec openclaw-gateway node dist/index.js devices list

# Approve a pending device
docker compose exec openclaw-gateway node dist/index.js devices approve <REQUEST_ID>

The web UI includes: chat interface, channel/instance/session management, skills, cron jobs, config, debug, logs.

Installing Extra Packages

OpenClaw runs as a non-root user inside the container. To install packages:

# Open a root shell in the gateway container
docker compose exec -u root openclaw-gateway bash
# Then, inside that shell:
apt-get update && apt-get install -y ripgrep

Available Tools (as of Feb 2026)

| Category | Tools |
|---|---|
| File & workspace | read, write, edit |
| Shell / processes | exec, process |
| Web | web_search, web_fetch, browser |
| UI / rendering | canvas |
| Devices / nodes | (additional) |

Security Notes

⚠ CVE-2026-33579 (patched April 2026): A critical privilege escalation vulnerability allowed any caller with the lowest-level operator.pairing permission to silently obtain full admin access. 63% of 135,000 internet-exposed OpenClaw instances were running without authentication, making them trivially exploitable. If you ran an internet-exposed instance without authentication before the patch, assume compromise and audit all /pair approval events. See concepts/openclaw-security for full details.

  • Do not connect OpenClaw to your primary personal email inbox — give it a dedicated address
  • Do not grant it access to sensitive files by placing them in ~/openclaw/workspace
  • Docker isolation reduces but does not eliminate prompt injection risk — see concepts/prompt-injection
  • If you connect to an email inbox, anyone who can email you can potentially instruct OpenClaw (the lethal trifecta)
  • For a full picture of OpenClaw's security risk profile, see concepts/openclaw-security
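
A check for the containment properties this guide relies on (non-root user, host access limited to the mounted directories, ports not published beyond localhost), as an added example that is not part of the original guide or the OpenClaw project. It assumes the container name shown in the `docker ps` step above; the function names and the `audit` argument are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenClaw project code): audit the gateway container.
# Assumption: container name as shown by `docker ps` in this guide.
CONTAINER="${CONTAINER:-openclaw-openclaw-gateway-1}"

# Read `docker port` lines such as "18789/tcp -> 0.0.0.0:18789" on stdin and
# print only those published on a non-loopback host address.
non_loopback_bindings() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        host=${line##* -> }   # "0.0.0.0:18789" or "[::]:18789"
        addr=${host%:*}       # drop the trailing ":port"
        case "$addr" in
            127.*|"[::1]") ;;             # loopback: only this host can connect
            *) printf '%s\n' "$line" ;;   # anything else listens beyond loopback
        esac
    done
}

# Succeed when a Config.User value ("node", "1000:1000") names a non-root user.
# An empty value means no user was set, so the container runs as root.
is_non_root_user() {
    case "${1%%:*}" in
        ""|0|root) return 1 ;;
        *) return 0 ;;
    esac
}

audit() {
    user=$(docker inspect --format '{{.Config.User}}' "$CONTAINER") || return 2
    exposed=$(docker port "$CONTAINER" | non_loopback_bindings)
    rc=0
    if is_non_root_user "$user"; then echo "OK   runs as '$user'"
    else echo "WARN runs as root (Config.User='$user')"; rc=1; fi
    if [ -z "$exposed" ]; then echo "OK   published ports are loopback-only"
    else echo "WARN published beyond localhost:"; echo "$exposed"; rc=1; fi
    echo "Host paths visible to the agent:"
    docker inspect --format \
        '{{range .Mounts}}{{.Source}} -> {{.Destination}} rw={{.RW}}{{println}}{{end}}' \
        "$CONTAINER"
    return $rc
}

# Touch Docker only when asked, e.g.: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then audit; fi
```

A WARN on the port check means a published port, such as the web UI on 18789, is reachable from other machines and not only from localhost.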
