Open Source
The OpenClaw alternative that doesn't compromise your security.
Docker isolation. Hard guardrails. Zero inbound ports.
"RIP OpenClaw. How to deploy a secure, autonomous AI agent available on all your devices — in 60 seconds"
The setup that went viral. We made it 1-click.
Why we built seclaw
68K+ stars on GitHub. Zero container isolation. Your API keys, SSH keys, and browser cookies — all accessible to any tool the agent decides to install.
OpenClaw passes all environment variables to every MCP container. Your Anthropic key, Stripe key, database credentials — all visible to any tool the agent installs.
The agent has full read/write access to your entire home directory. It can read ~/.ssh/id_rsa, ~/.aws/credentials, browser cookies, and anything else on your machine.
MCP containers run with full root privileges. Combined with host mounts, this means the agent can modify system files, install backdoors, or escalate to host root.
OpenClaw has a "permissions" system, but it's enforced in the prompt — not in the runtime. A jailbroken agent can ignore all rules and send emails, delete files, or post on your behalf.
OpenClaw exposes n8n on port 5678 with no authentication. Anyone who finds your IP can access your workflow editor, see your credentials, and modify your agent.
No memory or CPU limits on any container. A runaway agent or cryptominer can consume all system resources, crash your machine, or mine crypto on your hardware.
These aren't theoretical — they're in the default docker-compose.yml that 68K+ people cloned.
Security model
OpenClaw enforces rules in the system prompt. We enforce them in Docker. One can be jailbroken. The other can't.
Can't access your API keys
Keys live in the agent's env only. MCP containers have zero access to secrets.
env isolation per container
Can't modify its environment
Filesystem is immutable. The agent can't install backdoors or modify its own code.
read_only: true
Can't access folders you haven't shared
Only the /workspace mount is visible. Your home directory, SSH keys, and browser data are invisible.
explicit volume mounts only
Can't escalate privileges
Zero Linux capabilities. Can't become root, can't mount filesystems, can't access raw network.
cap_drop: ALL + no-new-privileges
Can't use unlimited resources
512MB RAM, 1 CPU core. A runaway agent or cryptominer gets killed, not your machine.
deploy.resources.limits
Must get your confirmation
Sending emails, posting on social media, deleting files — all require explicit approval via Telegram.
permissions.yml whitelist
The goal: maximum capability within minimum attack surface. Your agent does real work — it just can't escape its sandbox.
Every row is a real security boundary. Green means it exists. Red means it doesn't.
| Security Boundary | OpenClaw | seclaw |
|---|---|---|
| Container isolation | None — shared env | Per-container with bridge networks |
| API key protection | All keys in every container | Env-only, sealed per service |
| Filesystem access | Entire home directory | /workspace mount only |
| Root privileges | Running as root | Non-root + cap_drop ALL |
| Permission enforcement | Prompt-based (bypassable) | Runtime guardrails (permissions.yml) |
| Network exposure | Port 5678 open to internet | Zero inbound via CF Tunnel |
| Resource limits | None (infinite) | 512MB / 1 CPU per container |
| Filesystem mutability | Full read/write | read_only: true + tmpfs |
| Setup time | 30+ minutes manual config | 60 seconds via CLI |
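An added example, not seclaw's own code: a Python check that audits Compose services for the runtime guardrails in the table above. The sample is constructed and shaped like `docker compose config --format json` output; the service names, paths, variable names and the secret-name heuristic are assumptions.

```python
import re

# Constructed sample shaped like `docker compose config --format json` output.
# Service names, paths and variable names are hypothetical.
SAMPLE = {"services": {
    "tool-default": {
        "environment": {"STRIPE_API_KEY": "constructed-placeholder"},
        "ports": [{"target": 5678, "published": "5678"}],
        "volumes": [{"type": "bind", "source": "/home/user", "target": "/host"}],
    },
    "tool-hardened": {
        "read_only": True,
        "cap_drop": ["ALL"],
        "security_opt": ["no-new-privileges:true"],
        "tmpfs": ["/tmp"],
        "volumes": [{"type": "bind", "source": "/srv/agent/workspace",
                     "target": "/workspace"}],
        "deploy": {"resources": {"limits": {"cpus": 1, "memory": "536870912"}}},
    },
}}

# Heuristic for secret-looking variable names; meant for tool containers only.
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)$", re.I)

def audit_service(svc):
    """Return the findings for one service: guardrails absent or exposure present."""
    findings = []
    if svc.get("read_only") is not True:
        findings.append("read_only")
    if "ALL" not in svc.get("cap_drop", []):
        findings.append("cap_drop")
    opts = {o.replace("=", ":") for o in svc.get("security_opt", [])}
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append("no-new-privileges")
    limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
    if not (limits.get("memory") and limits.get("cpus")):
        findings.append("resource-limits")
    if svc.get("ports"):
        findings.append("published-ports")
    if any(v.get("type") == "bind" and v.get("target") != "/workspace"
           for v in svc.get("volumes", [])):
        findings.append("bind-mount-outside-workspace")
    if any(SECRET_NAME.search(k) for k in svc.get("environment", {})):
        findings.append("secret-in-env")
    return findings

def audit(compose):  # maps each service name to its list of findings
    return {name: audit_service(s) for name, s in compose["services"].items()}
```

The agent service, which the page says is the only one holding keys, would be exempted from the `secret-in-env` check.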
How it works
Every component is open source. Every container is isolated. Your data never leaves your machine.
# Your machine
agent-net (internal network)
Lightweight Node.js server with Telegram Bot API, OpenAI SDK (multi-provider), and Composio for integrations. No framework overhead — just a single agent.js handling webhooks, LLM calls, and tool execution.
Self-hosted workflow engine for scheduled tasks. Cron with timezone support, step-level retries, and human-in-the-loop approvals via Telegram. Dashboard at localhost:8288. Free forever.
Opus 4.6, Sonnet 4.5, Haiku 4.5 — or GPT-4o, Gemini, 100+ models via OpenRouter. Smart routing picks the right model per task. Complex reasoning? Opus. Quick reply? Haiku.
Gives your agent file read/write and terminal access — inside a locked-down container. read_only filesystem, zero Linux capabilities, 512MB limit. The agent can work, but can't escape.
Managed OAuth for Gmail, Google Calendar, GitHub, Slack, Notion, Linear, and more. Your agent never sees raw credentials — Composio handles token refresh and API auth.
Access your agent from anywhere — phone, laptop, any device. Outbound-only connection: zero inbound ports. No firewall rules. No exposed IPs. Auto-created by CLI in 30 seconds.
Self-hosted, free forever
No cloud fees, no execution limits. Runs as a single Docker container with SQLite storage. Dashboard included.
Human-in-the-loop
Scheduled actions can pause and wait for your Telegram approval before executing. Approve or reject with one tap.
Durable execution
Each step retries independently. If the LLM call fails, it retries without re-fetching data. No lost work.
Without tunnel
Port 3000 open to the internet. Anyone who finds your IP can send requests to your agent. Port scanning bots find these in hours.
With Cloudflare Tunnel
Zero open ports. Your server makes an outbound connection to Cloudflare's edge. Access via your custom domain with Cloudflare Access for authentication. Auto-created by our CLI in 30 seconds.
17 agent templates from $0 to $149. Scheduled tasks, human-in-the-loop approval, real integrations.
Morning report ready when you wake up. Task management, daily reports, email drafting, and file organization — all running locally on your machine.
3 urgent, 5 action needed, 12 FYI, 8 newsletter. AI inbox manager that categorizes, summarizes, and triages your Gmail. Urgent items arrive instantly via Telegram.
Know when competitors change anything — in 5 minutes. Monitors X, Hacker News, Reddit, and RSS feeds for industry intelligence with scheduled briefings.
Your X account grows while you sleep. Research trending topics, draft posts in your voice, publish with human-in-the-loop approval, and track engagement.
Find leads overnight, inbox full by morning. Detect buying signals on X, qualify prospects, draft personalized outreach, and log to CRM automatically.
6 AI agents running your company for $8/month. Coordinator, Executor, Observer, Analyst, Content, Growth — with quality gates and multi-agent orchestration.
Three steps. That's it.
npx seclaw
Pick a template, enter your LLM provider and Telegram token. The CLI scaffolds Docker Compose, permissions, and Cloudflare Tunnel.
docker compose up
Agent, Inngest scheduler, Desktop Commander, and Cloudflare Tunnel — all start in isolated containers.
Open Telegram
Your agent is live. Scheduled tasks run automatically, integrations are connected, and every action is sandboxed.
npx seclaw
No subscriptions. Self-hosted. Your data stays on your machine.
17 agent templates from Free to $149
2 free templates included. 15 paid templates, one-time purchase.
Everything else is free — Docker, Inngest, Cloudflare Tunnel, Telegram, Composio free tier.
~$6/month — Haiku only
~$15-30/month — Smart routing
~$100+/month — Opus heavy