How Does OpenClaw Sandbox and Isolation Work?
OpenClaw uses multiple isolation layers to limit what the agent and its skills can do. This prevents a compromised or malfunctioning skill from affecting the rest of your system.
Skill sandboxing: Each MCP skill server runs as a separate process with configurable restrictions:
- Filesystem: Skills can only access their own data directory by default
- Network: Skills can be restricted to specific domains and ports
- System: No access to system commands, other processes, or environment variables
- Resource limits: CPU time, memory, and output size caps per request
Docker isolation: When running OpenClaw in Docker, the entire agent is contained. Combined with skill sandboxing, you get two layers of isolation. Docker provides filesystem, network, and process isolation at the OS level.
Workspace isolation: Each workspace has its own memory, config, and skills. A compromised workspace can't access another workspace's data.
Permission model: Skills declare the permissions they need (read files, send network requests, execute code). You can review and approve these during installation. The Gateway enforces permissions at runtime.
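The filesystem and network restrictions and the runtime permission check described above come down to deny-by-default decisions like the ones below. This is an added illustration, not OpenClaw's code: the `SkillPolicy` class, the permission names `read_files` and `network`, and the sample hosts and paths are all hypothetical.

```python
from pathlib import Path
from urllib.parse import urlsplit


class SkillPolicy:
    """Hypothetical per-skill policy (not OpenClaw's real schema); denies by default."""

    def __init__(self, data_dir, allowed_hosts=(), permissions=()):
        # resolve() collapses ".." and follows symlinks, so later checks
        # compare canonical paths rather than attacker-shaped strings.
        self.data_dir = Path(data_dir).resolve()
        self.allowed_hosts = {(h.lower(), int(p)) for h, p in allowed_hosts}
        self.permissions = set(permissions)

    def may_read(self, path):
        """Allow reads only inside the skill's own data directory."""
        if "read_files" not in self.permissions:
            return False
        # Joining an absolute path discards data_dir, which the check below rejects.
        target = (self.data_dir / path).resolve()
        return target == self.data_dir or self.data_dir in target.parents

    def may_connect(self, url):
        """Allow connections only to an exact (host, port) pair on the allowlist."""
        if "network" not in self.permissions:
            return False
        parts = urlsplit(url)
        try:
            port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
        except ValueError:  # malformed port in the URL
            return False
        # hostname ignores any "user@" prefix, so the real destination is checked.
        host = (parts.hostname or "").lower()
        return (host, port) in self.allowed_hosts


if __name__ == "__main__":
    # Constructed sample policy and requests.
    policy = SkillPolicy("/tmp/skill-data", [("api.example.com", 443)],
                         ["read_files", "network"])
    for p in ("notes/cache.json", "../other-skill/secrets.json", "/etc/passwd"):
        print("read", p, "->", policy.may_read(p))
    for u in ("https://api.example.com/v1/search",
              "https://api.example.com:8443/",
              "https://api.example.com.evil.test/"):
        print("connect", u, "->", policy.may_connect(u))
```

The path check canonicalizes before comparing, and the host check uses exact matching instead of substring or suffix matching; both are the usual places where a confinement check of this kind goes wrong.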
For maximum security, run OpenClaw in a Docker container with skill sandboxing enabled and strict mode on. This provides defense in depth — even if one layer is bypassed, others still protect you.
# Enable skill sandboxing
openclaw config set security.sandbox true

# View skill permissions
openclaw skill permissions tavily-search