In brief
- Tank OS packages OpenClaw as a bootable system image.
- With this implementation, each agent runs in an isolated container with its own credentials, and no instance can access the host machine or other agents.
- Security audits flagged 12–20% of ClawHub add-ons as malicious.
Red Hat principal software engineer Sally O'Malley spent a weekend solving a problem most enterprise IT teams don't know they have yet. The result is Tank OS, an open-source tool that packages OpenClaw—the hot new software that makes it easy to deploy AI agents—inside a secure, self-contained environment and delivers it as a ready-to-boot system image you can push to any machine: a cloud server, a virtual machine, or physical hardware.
In other words, if you (or your agent) screw things up, this level of isolation would contain the damage to within “it’s fine” territory.
Instead of manually installing OpenClaw on every machine and hoping someone configured it correctly, you publish one image—a complete snapshot of the operating system plus the agent—and every machine that boots from it gets the exact same setup. Updates work the same way: swap the image, reboot, done. No manual patching.
The security part is where Tank OS earns its name. Each OpenClaw instance runs inside a container—a kind of walled-off box inside the machine that can't reach outside its own boundaries.
Critically, O'Malley used Podman, a container tool developed at Red Hat, which runs without administrator privileges. That means even if something goes wrong inside the container, it can't touch the rest of the machine.
API keys—the “passwords” that connect OpenClaw to services like email or Slack and make it possible for your tool to communicate with all those services—are stored separately per instance. One agent can't see another's credentials. Nothing inside the container can reach the host system.
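An added example, not Tank OS's or the article's own code: a Python check over container metadata for the isolation properties described above (no route to the host, no credentials or data shared between agents). The sample data is constructed and only shaped like a subset of `podman inspect` output; the container names, paths and secret names are hypothetical.

```python
import json

# Constructed sample shaped like a subset of `podman inspect` output.
# Container names, paths and secret names are hypothetical.
SAMPLE = json.loads("""
[
 {"Name": "agent-mail",
  "HostConfig": {"Privileged": false, "PidMode": "private", "NetworkMode": "slirp4netns"},
  "Mounts": [{"Type": "bind", "Source": "/var/lib/agents/mail", "Destination": "/data"}],
  "Config": {"Secrets": [{"Name": "mail-api-key"}]}},
 {"Name": "agent-chat",
  "HostConfig": {"Privileged": false, "PidMode": "host", "NetworkMode": "slirp4netns"},
  "Mounts": [{"Type": "bind", "Source": "/run/user/1000/podman/podman.sock", "Destination": "/run/podman.sock"}],
  "Config": {"Secrets": [{"Name": "mail-api-key"}, {"Name": "chat-api-key"}]}}
]
""")

def risky_source(src):
    """Host paths that would let a container reach the host or its runtime."""
    return src == "/" or src.endswith(".sock") or src.startswith(("/etc", "/root", "/proc"))

def audit(containers):
    """Map each container name to a list of isolation findings."""
    findings = {c["Name"]: [] for c in containers}
    owner = {}  # secret name or bind source -> first container seen using it
    for c in containers:
        name, host = c["Name"], c.get("HostConfig", {})
        if host.get("Privileged"):
            findings[name].append("privileged")
        for key in ("PidMode", "NetworkMode", "IpcMode"):
            if host.get(key) == "host":
                findings[name].append(f"{key}=host")
        binds = [m["Source"] for m in c.get("Mounts", []) if m.get("Type") == "bind"]
        for src in binds:
            if risky_source(src):
                findings[name].append(f"host path mounted: {src}")
        secrets = [s["Name"] for s in c.get("Config", {}).get("Secrets") or []]
        for res in binds + secrets:
            first = owner.setdefault(res, name)
            if first != name:  # the same secret or host path serves two agents
                findings[name].append(f"shares {res} with {first}")
                findings[first].append(f"shares {res} with {name}")
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "OK" if not issues else issues)
```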
O'Malley is herself an OpenClaw maintainer, meaning she helps creator Peter Steinberger decide which features ship and which bugs get fixed, with her specific focus on enterprise use cases and Red Hat's Linux ecosystem. Tank OS isn't a third-party patch. It reflects where someone inside the project thinks enterprise hardening actually needs to go.
Security in the agentic AI era is extremely important, considering that now just about everyone is using these tools, but not many know what they actually do to operate. This creates an open-door invitation for technically savvy hackers and attackers.
For example, security researcher Mav Levin of DepthFirst disclosed CVE-2026-25253 in late January—a vulnerability rated 8.8 out of 10 on the severity scale used by security researchers worldwide. It was a one-click attack: visiting the wrong webpage while OpenClaw was running was enough to hand an attacker your login credentials and full control of your computer. The fix shipped January 30. More than 17,500 exposed instances were vulnerable before it did.
This repository is aimed at Red Hat’s enterprise customers, but the idea of running agents in containers may be good advice even for home users.
"My role within OpenClaw is really my interest in it," O'Malley told TechCrunch. "How it's going to look scaled out when there are millions of these autonomous agents talking to one another."
Tank OS is available now at github.com/LobsterTrap/tank-os.