Key Takeaways

- --network=host bypasses all Docker network isolation and should never be used in production.
- --security-opt=no-new-privileges prevents the vast majority of container escape techniques.
- Scan images with trivy or Docker Scout and pull updated base images regularly to patch known CVEs.

Container security isn't a checkbox — it's a set of specific, enforceable configurations. We've reviewed dozens of OpenClaw production deployments and the same seven mistakes appear repeatedly. Each one is easy to fix once you know it exists. The mistake most people make here is assuming Docker's defaults are secure. They aren't.
The Security Baseline Before You Start
Before running any OpenClaw container in a network-accessible environment, establish these three non-negotiables: no root process, no hardcoded secrets, no default bridge network. Everything else in this article is defense in depth. These three are the foundation.
Mistake 1: Running Containers as Root
Docker containers run as root by default. That means if a process inside the container is compromised, the attacker has root-equivalent access to the container's filesystem — and potentially the host if any volume mounts or socket paths are exposed.
The fix is a non-root user defined directly in the Dockerfile:
```dockerfile
FROM python:3.11-slim

# Create a non-root user with a fixed UID so volume ownership survives restarts
RUN groupadd -r openclaw --gid=1001 && \
    useradd -r -g openclaw --uid=1001 --home=/app openclaw

WORKDIR /app
COPY --chown=openclaw:openclaw . .
RUN pip install --no-cache-dir -r requirements.txt

# Drop to the non-root user before the process starts
USER openclaw
CMD ["python", "-m", "openclaw.agent"]
```
The fixed UID (1001) matters for volume permissions. If you use a random UID, volume mounts may fail when the container restarts because the filesystem ownership doesn't match the new random UID.
Mistake 2: Baking API Keys into Images
Every ENV instruction in a Dockerfile and every hardcoded value in a docker-compose.yml becomes part of the image layer history. Anyone with read access to the image — including anyone who pulls it from a registry — can run docker history --no-trunc image-name and see every environment variable ever set during the build.
The correct pattern: never set secrets during build, always inject at runtime:
```dockerfile
# WRONG — key is baked into the image layer
FROM openclaw/agent:latest
ENV OPENAI_API_KEY=sk-prod-abc123
```

```bash
# CORRECT — inject at runtime only
docker run -d \
  --env-file /secure/location/.env \
  --name openclaw-agent \
  openclaw/agent:latest
```
Run git log -S "your-key" to check whether a key appears anywhere in the repository history.

Mistakes 3–4: Network Exposure
Mistake 3: Using the Default Bridge Network
Docker's default bridge network connects all containers on a host into the same flat network. Any container can reach any other container by IP. For OpenClaw, this means a compromised agent container could directly communicate with your Postgres or Redis containers, bypassing any application-level authentication.
Create a dedicated network for the OpenClaw stack:
```yaml
# In docker-compose.yml
networks:
  openclaw-net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16

services:
  gateway:
    networks:
      - openclaw-net
  agent:
    networks:
      - openclaw-net
  redis:
    networks:
      - openclaw-net
```
Mistake 4: Using --network=host
Host networking bypasses all Docker network isolation. The container shares the host's network stack directly. This is sometimes used to "fix" connectivity issues — but it's the wrong fix. Use it only for specific diagnostic troubleshooting, never in production.
Mistakes 5–7: Runtime Hardening
Mistake 5: Writable Container Filesystems
By default, containers can write anywhere in their filesystem. Running OpenClaw with a read-only root filesystem eliminates an entire class of attack vectors:
```bash
docker run -d \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=64m \
  -v openclaw-data:/app/data \
  openclaw/agent:latest
```
Mistake 6: Not Setting Resource Limits
Without resource limits, a misbehaving agent can consume all available CPU and memory, taking down other containers and the host system. Always set limits:
```bash
docker run -d \
  --memory="768m" \
  --memory-swap="768m" \
  --cpus="1.0" \
  openclaw/agent:latest
```
Mistake 7: Skipping Image Vulnerability Scanning
Images accumulate CVEs over time as vulnerabilities are discovered in their base layers. Scan before deployment:
```bash
# Using Trivy (free, open source)
trivy image openclaw/agent:latest

# Using Docker Scout (built into Docker CLI)
docker scout cves openclaw/agent:latest
```
The Complete Hardened Run Command
Combining all seven fixes into a single hardened configuration:
| Security Control | Flag / Config | What It Prevents |
|---|---|---|
| Non-root user | USER openclaw in Dockerfile | Root-level container compromise |
| Runtime secrets | --env-file .env | Key exposure in image layers |
| Custom network | docker network create | Cross-container lateral movement |
| Read-only FS | --read-only | Filesystem persistence attacks |
| No new privileges | --security-opt=no-new-privileges | Privilege escalation via setuid |
| Resource limits | --memory --cpus | Resource exhaustion / DoS |
| Image scanning | trivy / docker scout | Known CVE exploitation |
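A defender-side check for the runtime controls in the table, as an added example that is not part of the original article: it reads a container's docker inspect record and reports which controls are missing. The two JSON records are constructed samples using the field names Docker emits (Config.User, HostConfig.NetworkMode, ReadonlyRootfs, SecurityOpt, Memory, NanoCpus, Binds, PortBindings); image scanning is not visible in docker inspect, so it is not checked here.

```python
"""Audit a container's `docker inspect` record against the runtime controls
in the table above. Both JSON records below are constructed samples."""
import json

# Constructed record for an agent started with bare defaults (the mistakes above).
WEAK = json.dumps([{
    "Config": {"User": ""},
    "HostConfig": {"NetworkMode": "host", "ReadonlyRootfs": False,
                   "SecurityOpt": None, "Memory": 0, "NanoCpus": 0,
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                   "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
}])

# Constructed record for the same image run with: --network openclaw-net --read-only
# --security-opt=no-new-privileges --memory=768m --cpus=1.0 -v openclaw-data:/app/data
# -p 127.0.0.1:8080:8080 (the USER openclaw line in the Dockerfile sets Config.User).
HARDENED = json.dumps([{
    "Config": {"User": "openclaw"},
    "HostConfig": {"NetworkMode": "openclaw-net", "ReadonlyRootfs": True,
                   "SecurityOpt": ["no-new-privileges"],
                   "Memory": 768 * 1024 * 1024, "NanoCpus": 1_000_000_000,
                   "Binds": ["openclaw-data:/app/data"],
                   "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}},
}])

def audit(inspect_json: str) -> list:
    """Return one finding per failed control; an empty list means the record passes."""
    rec = json.loads(inspect_json)[0]
    cfg, host = rec["Config"], rec["HostConfig"]
    findings = []
    if cfg.get("User", "") in ("", "root", "0"):
        findings.append("runs as root: add USER with a fixed UID to the Dockerfile")
    if host.get("NetworkMode") in ("host", "default", "bridge"):
        findings.append("default or host network: attach to a dedicated bridge network")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: start with --read-only")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("setuid escalation possible: add --security-opt=no-new-privileges")
    if not host.get("Memory") or not host.get("NanoCpus"):
        findings.append("no resource limits: set --memory and --cpus")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("Docker socket mounted: effectively root on the host")
    for port, hosts in (host.get("PortBindings") or {}).items():
        if any(h.get("HostIp") in ("", "0.0.0.0") for h in hosts):
            findings.append(f"{port} published on all interfaces: use -p 127.0.0.1:...")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "all checks passed")
```

Feed it the output of docker inspect <container> for a real check; the socket and port tests cover the first two items under "What Goes Wrong in Practice".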
Add trivy image --exit-code 1 --severity HIGH,CRITICAL openclaw/agent:latest to your CI pipeline. The --exit-code 1 flag fails the build if any HIGH or CRITICAL CVE is found. This prevents vulnerable images from ever reaching production without manual review.

What Goes Wrong in Practice
Mounting the Docker socket. Some monitoring setups mount /var/run/docker.sock into containers for container introspection. Any process with access to the Docker socket has full control over every container and image on the host — it's effectively root on the host. Never do this for OpenClaw containers.
Exposing the gateway on 0.0.0.0. Publishing port 8080 binds it to all interfaces by default, including public-facing ones. Use -p 127.0.0.1:8080:8080 to bind only to localhost, then use a reverse proxy (nginx, Caddy) to handle TLS termination and external access.
Not rotating secrets after incidents. If a container logs environment variables (many frameworks do this in debug mode), or if you've ever run docker inspect and piped the output somewhere, those secrets may be in log files or shell history. Rotate API keys after any security review, not just after confirmed incidents.
Frequently Asked Questions
Should OpenClaw containers run as root?
Never run OpenClaw containers as root in production. Create a dedicated non-root user in your Dockerfile with a fixed UID and run the process under that user. Root containers can modify the host filesystem if the container is ever compromised — a non-root process is contained even if the image is breached.
How do I prevent API key leaks in OpenClaw Docker containers?
Never bake API keys into Docker images as ENV instructions. Pass them at runtime using --env-file with a .env file that lives outside your repository. Rotate any key that appears in a Dockerfile or docker-compose.yml that was ever committed to version control, regardless of whether you've since removed it.
What Docker network mode should OpenClaw use?
Use a custom bridge network, not the default bridge. Custom networks provide DNS-based service discovery and prevent unrelated containers from communicating with your OpenClaw stack. Never use --network=host in production — it bypasses all Docker network isolation and exposes container ports directly on the host network stack.
How do I scan OpenClaw Docker images for vulnerabilities?
Use docker scout cves openclaw/gateway:latest (requires Docker Scout) or trivy image openclaw/gateway:latest for a free standalone scan. Run image scans in your CI pipeline before promoting any image to production. Pull updated OpenClaw base images regularly to receive patched base layers.
What read-only filesystem options should I use for OpenClaw?
Run containers with --read-only and mount writable tmpfs for /tmp and named volumes for /app/data. This prevents any process inside the container from writing to the image filesystem. Combine with --security-opt=no-new-privileges to prevent privilege escalation through setuid binaries.
How do I limit what syscalls an OpenClaw container can make?
Apply a custom seccomp profile with --security-opt seccomp=/path/to/profile.json. Docker's default seccomp profile already blocks about 44 dangerous syscalls. For OpenClaw specifically, you can additionally restrict ptrace, mount, and kexec_load since the agent process never needs them at runtime.
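The transformation this answer describes, as an added example that is not from the article or the OpenClaw project: take a base allowlist profile in Docker's seccomp JSON format and strip the three syscalls out of every allow rule. BASE is a constructed three-rule stand-in for Docker's default profile; pass the real default profile in its place.

```python
"""Derive a tighter seccomp profile by removing syscalls the agent never needs.
BASE is a constructed stand-in for Docker's default profile (same JSON shape)."""
import json

NEVER_NEEDED = {"ptrace", "mount", "kexec_load"}

# Constructed allowlist profile: everything not listed returns EPERM.
BASE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "mount", "openat"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
         "includes": {"minKernel": "4.8"}},
        {"names": ["kexec_load"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_BOOT"]}},
    ],
}

def restrict(profile: dict, drop: set) -> dict:
    """Return a copy of profile with every name in drop removed from all rules."""
    out = json.loads(json.dumps(profile))  # deep copy; leave the input untouched
    kept = []
    for rule in out["syscalls"]:
        rule["names"] = [n for n in rule["names"] if n not in drop]
        if rule["names"]:  # a rule with no names left is dropped entirely
            kept.append(rule)
    out["syscalls"] = kept
    return out

def allowed(profile: dict) -> set:
    """Set of syscall names that some rule explicitly allows."""
    return {n for r in profile["syscalls"]
            if r["action"] == "SCMP_ACT_ALLOW" for n in r["names"]}

if __name__ == "__main__":
    # Write the profile for: --security-opt seccomp=openclaw-seccomp.json
    with open("openclaw-seccomp.json", "w") as f:
        json.dump(restrict(BASE, NEVER_NEEDED), f, indent=2)
```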
Should I use Docker Content Trust for OpenClaw images?
Enable Docker Content Trust with DOCKER_CONTENT_TRUST=1 to verify image signatures before pulling. This ensures you're running an image signed by the OpenClaw maintainers, unmodified in transit. As of early 2025, official OpenClaw images are signed — any unsigned pull attempt will fail, alerting you to a potential supply chain issue.
T. Chen specializes in container security and AI infrastructure hardening, with direct experience auditing OpenClaw deployments across SaaS and enterprise environments. Chen has identified and helped remediate container escape vulnerabilities in production agent setups, and regularly contributes security configuration guidance to the OpenClaw community.
You now have a complete picture of the seven Docker security mistakes that expose OpenClaw agents — and the exact fixes for each. Apply them in order: non-root user, runtime secrets, custom network, read-only filesystem, no-new-privileges, resource limits, image scanning. Start with the first three today; they eliminate the highest-risk exposures immediately with no performance cost. The hardened configuration in this guide takes under 15 minutes to implement from scratch.