Secure OpenClaw: A Guide to Not Giving Away the Keys to Your Life
How to set up your AI assistant on a Raspberry Pi with E2E encryption, Tailscale private network, and prompt injection protection.
What is OpenClaw?
OpenClaw is an open-source AI assistant that runs on your own hardware. Think of it as a self-hosted alternative to ChatGPT or Claude, but instead of chatting through a website, it lives on your computer (or on a Raspberry Pi in your closet) and connects with you via Signal, Telegram, Discord, Matrix, or whatever you prefer.
The appeal is obvious: you can message your assistant from your phone while you're out. It can read and write files. Execute commands. Remember things between conversations. Browse the web, manage your calendar, build apps and deploy them to Vercel. It's genuinely useful in ways that are different from copying and pasting into a chat window.
⚠️ The elephant in the room
I won't be able to stop you from using OpenClaw, so at least let me teach you how to configure it so you don't give away the keys to your life — or at least, make it much harder.
By the end of this guide you'll have:
- OpenClaw on a Raspberry Pi, accessible only via Tailscale
- E2E encrypted chat via Matrix
- Prompt injection protection installed
- AI provider that claims not to keep logs
- Firewall, permissions, and habits that limit damage when something fails
Time: 30 minutes if everything goes well.
The Problem Nobody Wants to Discuss
This may sound paranoid. It's not.
When you give an AI assistant access to your files, your terminal, and your daily conversations, you're creating something unprecedented: a system that knows your work patterns, your personal relationships, your passwords (if you're not careful), your schedule, your writing style, your anxieties, your half-finished projects, and the embarrassing searches you asked for help with at 2am.
OpenClaw stores all of this. It has a MEMORY.md file that accumulates data about you over time. A credentials registry with all your secrets (API Keys, etc). Complete transcriptions of every conversation. Access to whatever tools you've enabled — which could include reading any file or executing arbitrary commands.
Three categories of risk
🔴 1. Your AI provider sees EVERYTHING
🟠 2. Prompt Injection is not solved
🟣 3. Your memory file is a psychological profile
MEMORY.md accumulates: that you prefer dark mode, that you work at X company, your partner's name, your anniversary, that you're stressed about deadlines... An infostealer that steals this file gets a psychological profile that would take a human stalker months to compile.
So why bother?
Because OpenClaw is genuinely useful in ways that ChatGPT and Claude are not. A web chatbot can't read your project files, run your scripts, send you a message every morning telling you it just built 5 demos based on the latest AI trend. OpenClaw can.
That power comes with real risk. But the answer is not to avoid it — it's to run it deliberately.
Requirements
The total cost is around $100-150 if you buy everything new, although you probably already have some of this at home.
Hardware
- Raspberry Pi 5 (4GB+ RAM) — the 4GB model works fine because the heavy lifting is done by the AI provider
- Quality microSD card (32GB+, reputable brand — cheap ones get corrupted)
- USB-C power supply (official Pi recommended, 5V 3A)
- Ethernet cable (WiFi works, but cable is more reliable for a headless server)
Why a Pi instead of a VPS or your main computer?
A dedicated device means isolation. If OpenClaw gets compromised by prompt injection, the attacker has access to... a Pi running OpenClaw. Not your workstation with your SSH keys, browser sessions, and password manager.
Required accounts
🔮 Venice AI
AI provider that says "private" models don't keep logs or train on your data.
Bonus: accepts crypto. Disposable email + crypto = separation between AI use and real identity.
🔗 Tailscale
Private mesh network. Your Pi still makes outgoing connections, but no incoming port is exposed.
Free for up to 100 devices.
💬 Matrix
Messaging protocol with E2E encryption. Unlike Telegram (where bots can't use E2E), Matrix encrypts your messages end-to-end.
Step 1: Configure the Raspberry Pi
Flash the OS
- Download Raspberry Pi Imager
- Choose Device → Raspberry Pi 5
- Choose OS → Raspberry Pi OS (64-bit)
- Choose Storage → your microSD card
Configure before writing:
- Hostname: openclaw
- Username/password: pi with a strong password
- WiFi if you're not using ethernet
- Enable SSH: Yes
- Public-key authentication only: Yes
- Paste your public key from ~/.ssh/id_ed25519.pub
If you don't have an SSH key:
```bash
ssh-keygen -t ed25519 -C "your-email@example.com"
cat ~/.ssh/id_ed25519.pub   # Copy this to Pi Imager
```
First connection
```bash
ssh pi@openclaw.local
# Or: ssh pi@192.168.1.XXX
```
Update everything:
```bash
sudo apt update && sudo apt upgrade -y
sudo reboot
```
Enable automatic security updates:
```bash
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
```
Step 2: Configure Tailscale
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
Open the URL it prints, authorize the device. Get your Tailscale IP:
```bash
tailscale ip -4
# Example: 100.100.100.100
```
Restrict SSH to Tailscale only
Keep your current SSH session open until the test below passes: established connections survive the new rules, so that session is your way back in if you mistype a rule.
```bash
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in on tailscale0 to any port 22
sudo ufw enable
sudo ufw status
```
To test:
```bash
# This should work:
ssh pi@YOUR_TAILSCALE_IP
# This should NOT work:
ssh pi@192.168.1.XXX   # Local IP - timeout
```
Step 3: Install OpenClaw
Install Node.js
```bash
# Install nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
. "$HOME/.nvm/nvm.sh"
# Install Node.js
nvm install 24
node -v   # Should show v24.x.x
```
Install OpenClaw
```bash
curl -fsSL https://openclaw.ai/install.sh | bash
```
Onboarding
```bash
openclaw onboard
```
During onboarding:
- Onboarding mode: manual
- AI provider: Venice AI
- Model: kimi-k2-5 (completely private)
- Gateway bind: loopback
- Gateway auth: token
- Tailscale exposure: off
- Skip messaging channel selection
- Skip skills installation
- Enable all hooks
- Install gateway service
- Skip hatching for now
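Before moving on to the messaging channel, it is worth confirming that Step 2 really left SSH reachable only over Tailscale, rather than trusting that the commands were typed correctly. The script below is an added example, not part of the original guide or of OpenClaw: it checks the text of `sudo ufw status verbose` for an active firewall, a default-deny inbound policy, and no `ALLOW IN` rule that is not bound to `tailscale0`. The two status samples are constructed to mimic ufw's output format, and the `--live` flag is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the Step 2 firewall
# state from `ufw status verbose` text. Works offline on constructed samples
# so the logic can be tested before running it against the real firewall.

# check_ufw_status STATUS_TEXT
# Returns 0 if the firewall is active, default-deny inbound, and every
# ALLOW IN rule is restricted to tailscale0; otherwise prints why and returns 1.
check_ufw_status() {
    status="$1"
    ok=0
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "FAIL: ufw is not active"
        ok=1
    fi
    if ! printf '%s\n' "$status" | grep -q '^Default: deny (incoming)'; then
        echo "FAIL: default incoming policy is not deny"
        ok=1
    fi
    # Any inbound allow rule without an interface restriction is reachable
    # from the LAN (and from the internet if the router forwards the port).
    bad=$(printf '%s\n' "$status" | grep 'ALLOW IN' | grep -v 'on tailscale0' || true)
    if [ -n "$bad" ]; then
        echo "FAIL: inbound rules not limited to tailscale0:"
        printf '%s\n' "$bad"
        ok=1
    fi
    return $ok
}

# Constructed sample: what `sudo ufw status verbose` prints after Step 2.
GOOD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22 on tailscale0           ALLOW IN    Anywhere
22 (v6) on tailscale0      ALLOW IN    Anywhere (v6)'

# Constructed sample: the common slip of `sudo ufw allow 22` without the
# interface restriction, which opens SSH to the whole local network.
BAD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22 on tailscale0           ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

if [ "${1:-}" = "--live" ]; then
    # On the Pi itself: check the real firewall.
    check_ufw_status "$(sudo ufw status verbose)" && echo "OK: SSH only via Tailscale"
else
    echo "== good sample =="
    check_ufw_status "$GOOD_STATUS" && echo "OK"
    echo "== bad sample =="
    check_ufw_status "$BAD_STATUS" || echo "(failure expected for this sample)"
fi
```

Run it with no arguments to see both samples evaluated, or copy it to the Pi and run `sh check-ufw.sh --live` after `ufw enable`; a non-zero exit means something other than the Tailscale interface can reach port 22.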
Step 4: Configure Matrix (E2E)
Why Matrix instead of Telegram?
Telegram bots use the Bot API, which means Telegram's servers see every message in plain text. Matrix with E2E means only your phone and your Pi can read the messages.
Create Matrix accounts
You need two Matrix accounts, which you can create through the Element client:
- Your personal account — to chat with the bot from your phone
- Bot account — the one OpenClaw will use
Install the plugin
```bash
openclaw plugins install @openclaw/matrix
```
If it fails with "npm install failed", fix it manually:
```bash
cd ~/.openclaw/extensions/matrix
sed -i 's/"workspace:\*"/"*"/g' package.json
npm install
```
Configure Matrix in OpenClaw
Edit ~/.openclaw/openclaw.json:
```json
{
  "channels": {
    "matrix": {
      "enabled": true,
      "homeserver": "https://matrix-client.matrix.org",
      "userId": "@your_bot:matrix.org",
      "password": "YOUR_BOT_PASSWORD",
      "encryption": true,
      "dm": {
        "policy": "pairing"
      }
    }
  }
}
```
Run as a service
```bash
sudo nano /etc/systemd/system/openclaw.service
```
```ini
[Unit]
Description=OpenClaw AI Assistant
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=pi
Group=pi
WorkingDirectory=/home/pi
ExecStart=/home/pi/.npm-global/bin/openclaw start
Restart=on-failure
RestartSec=10
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/pi/.openclaw

[Install]
WantedBy=multi-user.target
```
Check the ExecStart path before saving: run `which openclaw` on the Pi. With Node installed through nvm the binary may live under `~/.nvm/versions/node/v24.x.x/bin/` rather than `~/.npm-global/bin/`, and systemd does not load nvm's shell setup, so the unit needs the full path.
```bash
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw
```
Once it is running, `systemd-analyze security openclaw` shows how much the ProtectSystem, ProtectHome and NoNewPrivileges lines actually restrict the service.
Step 5: Security Hardening
Install security skills
```bash
npx clawhub install skillguard
npx clawhub install prompt-guard
```
- SkillGuard: Audits skills for security issues before installing
- Prompt-Guard: Adds layers of resistance to prompt injection
File permissions
```bash
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/*.json
chmod 600 ~/.openclaw/credentials/*
```
Disable mDNS Broadcasting
The export in `~/.bashrc` only affects shells you open interactively; systemd does not read it, so the service also needs the variable in its unit file.
```bash
echo 'export OPENCLAW_DISABLE_BONJOUR=1' >> ~/.bashrc
source ~/.bashrc
# Also add this line under [Service] in /etc/systemd/system/openclaw.service:
#   Environment=OPENCLAW_DISABLE_BONJOUR=1
sudo systemctl daemon-reload
sudo systemctl restart openclaw
```
Run security audit
```bash
openclaw security audit --deep
# If there are issues:
openclaw security audit --fix
```
Operational Security
Technical hardening only goes so far. How you use the bot matters just as much.
| ✅ Do | ❌ Don't |
|---|---|
| Ask for commands to configure AWS | Tell it your AWS credentials directly |
| Use the "CRITICAL" keyword in SOUL.md | Assume the bot "knows" what not to do |
| Rotate credentials every 3-6 months | Leave the same keys forever |
| Review logs periodically | Ignore strange behaviors |
| Use a vault for credentials | Paste passwords in chat |
If you get compromised
- Stop immediately: `sudo systemctl stop openclaw`
- Rotate all credentials
- Review logs: `ls -lt ~/.openclaw/logs/` to find the newest file, then open it with `less` (running `less` on the directory itself only prints an error)
- Look for unauthorized changes: `find ~/.openclaw -mtime -1 -ls`
- When in doubt: reflash the SD card — it's the only way to be sure
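The file-permission step in Step 5 and the "look for unauthorized changes" step above both leave the verification to you, and `find -mtime -1` only answers "what changed recently", not "what changed since I last looked". The script below is an added example, not part of the original guide or of OpenClaw: `audit_perms` lists anything under a directory that group or other users can access, `baseline` records a SHA-256 manifest of every file, and `verify_baseline` reports files that were changed, removed or added since the manifest was taken. It assumes GNU find, stat and sha256sum (present on Raspberry Pi OS); the demo runs in a scratch directory with constructed files, and the `audit`/`baseline`/`verify` subcommands and the manifest path `~/openclaw.manifest` are this script's own conventions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Defender-side checks for the
# ~/.openclaw tree:
#   audit_perms     DIR            -> lists paths group/other can access
#   baseline        DIR MANIFEST   -> records SHA-256 of every regular file
#   verify_baseline DIR MANIFEST   -> reports CHANGED / missing / NEW files
# Assumes GNU find, stat and sha256sum. Paths with spaces are not handled.

# 0 if no path under DIR grants any permission to group or other, else 1.
audit_perms() {
    loose=$(find "$1" -perm /077 -exec stat -c '%a %n' {} \;)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/LOOSE /'
        return 1
    fi
    return 0
}

# Write "hash  ./relative/path" lines for every regular file under DIR.
# MANIFEST should be an absolute path outside DIR.
baseline() {
    (cd "$1" && find . -type f | sort | xargs sha256sum) > "$2"
}

# Compare DIR against MANIFEST. Prints CHANGED/NEW lines; 0 only if identical.
verify_baseline() {
    dir="$1"; manifest="$2"; status=0
    # sha256sum -c reports modified files as FAILED and missing ones as
    # "No such file"; --quiet suppresses the OK lines.
    out=$(cd "$dir" && sha256sum --quiet -c "$manifest" 2>&1) || status=1
    [ -n "$out" ] && printf '%s\n' "$out" | sed 's/^/CHANGED /'
    # Files that exist now but were never recorded.
    recorded=$(awk '{print $2}' "$manifest")
    for f in $(cd "$dir" && find . -type f); do
        printf '%s\n' "$recorded" | grep -qxF -- "$f" \
            || { printf 'NEW %s\n' "$f"; status=1; }
    done
    return $status
}

# Constructed demo in a scratch directory; never touches ~/.openclaw.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/credentials"
    printf '{ "gateway": { "bind": "loopback" } }\n' > "$tmp/openclaw.json"
    printf 'venice_key=PLACEHOLDER\n' > "$tmp/credentials/venice"
    printf '# MEMORY\n- prefers dark mode\n' > "$tmp/MEMORY.md"

    echo "== permissions before the chmod step =="
    audit_perms "$tmp" || true               # fresh files are 644: flagged
    chmod 700 "$tmp" "$tmp/credentials"
    chmod 600 "$tmp"/*.json "$tmp"/*.md "$tmp"/credentials/*
    echo "== permissions after the chmod step =="
    audit_perms "$tmp" && echo "OK"

    baseline "$tmp" "$tmp.manifest"
    echo "== verify, untouched =="
    verify_baseline "$tmp" "$tmp.manifest" && echo "OK"
    # Simulate an unexpected write and an unexpected new file.
    printf -- '- unexpected entry\n' >> "$tmp/MEMORY.md"
    : > "$tmp/credentials/unknown"
    echo "== verify, after tampering =="
    verify_baseline "$tmp" "$tmp.manifest" || echo "(changes detected, as expected)"
    rm -rf "$tmp" "$tmp.manifest"
}

case "${1:-demo}" in
    demo)     demo ;;
    audit)    audit_perms "$HOME/.openclaw" ;;
    baseline) baseline "$HOME/.openclaw" "$HOME/openclaw.manifest" ;;
    verify)   verify_baseline "$HOME/.openclaw" "$HOME/openclaw.manifest" ;;
esac
```

Take the baseline right after the security audit in Step 5 passes, and copy the manifest off the Pi (for example to your laptop over Tailscale); a manifest that lives on the same device can be rewritten by whatever rewrote the files. Re-run `verify` as part of the periodic log review, and again before deciding whether a reflash is needed.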
Limitations
Conclusion
You now have an AI assistant that:
- Runs on hardware you physically control
- Uses a provider that claims not to keep logs
- Has no public attack surface
- Uses E2E encrypted messaging
- Has prompt injection protection installed
- Only responds to your Matrix account
It's not perfectly secure. Nothing is. But it's better than pasting your life into ChatGPT.
Use your bot. Enjoy the convenience. Do it with your eyes open.
Based on the security guide from the Ethereum Foundation dAI blog