OpenClaw Security Approach Using LLM Router and zrok Private Sharing

A developer has detailed their approach to running OpenClaw and an LLM router inside a VM+Kubernetes environment with a single command, focusing on addressing security concerns around "little lobster" agent systems.
Security Problem and Initial Approach
The project started from concerns about the safety of OpenClaw-like agent systems. The developer notes that sandboxing alone doesn't solve the fundamental problem: as long as the agent can execute commands, a simple skill injection could run something like printenv and expose every API key injected into its environment. Removing execution permissions would eliminate about 90% of the functionality, and without an injected LLM API key the agent can't call the model at all.
LLM Router Solution
The developer initially considered a service mesh with a sidecar to inject the authentication header, but OpenClaw's HTTPS enforcement made this impractical. They switched to an LLM router instead, which injects the API key at the router level so the key does not have to be present in the agent's environment. This approach has the added benefit of letting users inspect conversation logs and build their own monitoring plugins, such as using Claude Code to keep an eye on the agent.
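The router-level injection described above, as an added example (not OpenClaw's or the project's code): the agent container is handed only a revocable local token and the router's address, and the router swaps in the provider key it alone holds while recording each conversation. The in-cluster service name, the OpenAI-style environment variable names and the audit-log shape are assumptions made for this example.

```python
# Added example (not OpenClaw's or the project's code): a credential-injecting
# LLM router. The provider key lives only in the router's environment, so
# `printenv` inside the agent sandbox reveals just a revocable local token.
import hmac
import json
import secrets
from dataclasses import dataclass, field

ROUTER_URL = "http://llm-router.default.svc:8080/v1"  # assumed in-cluster address

@dataclass
class Router:
    upstream_key: str                                   # provider key, router-only
    agent_tokens: dict = field(default_factory=dict)    # local token -> agent name
    audit_log: list = field(default_factory=list)       # conversations for review

    def enroll(self, agent_name: str) -> str:
        """Issue a per-agent local token; rotating it never touches the provider key."""
        token = secrets.token_urlsafe(32)
        self.agent_tokens[token] = agent_name
        return token

    def agent_environment(self, token: str) -> dict:
        """The only credentials the agent container is given (assumed OpenAI-style vars)."""
        return {"OPENAI_BASE_URL": ROUTER_URL, "OPENAI_API_KEY": token}

    def authenticate(self, headers: dict):
        presented = headers.get("Authorization", "").removeprefix("Bearer ").strip()
        for token, name in self.agent_tokens.items():
            if hmac.compare_digest(token.encode(), presented.encode()):  # constant-time
                return name
        return None

    def rewrite(self, headers: dict, body: bytes):
        """Check the agent's token, swap in the provider key, log the conversation.
        Returns (status, upstream_headers); a forwarding layer sends them upstream."""
        agent = self.authenticate(headers)
        if agent is None:
            return 401, None
        upstream = {k: v for k, v in headers.items()
                    if k.lower() not in ("authorization", "host")}
        upstream["Authorization"] = f"Bearer {self.upstream_key}"
        # Logged before forwarding so an operator or monitoring plugin can review every prompt.
        self.audit_log.append({"agent": agent, "messages": json.loads(body).get("messages", [])})
        return 200, upstream

if __name__ == "__main__":
    router = Router(upstream_key="sk-PLACEHOLDER-REAL-KEY")        # constructed value
    tok = router.enroll("openclaw")
    body = json.dumps({"messages": [{"role": "user", "content": "hello"}]}).encode()
    print(router.rewrite({"Authorization": f"Bearer {tok}"}, body))
```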
Remote Access via zrok
Another challenge was integrating with communication apps like Slack or Telegram, which would require injecting their tokens into the agent for remote access. Instead, the solution uses zrok private sharing, so a remote host can reach the agent's admin chat through a private share without relying on any messaging app. The developer acknowledges that this limits some capabilities; it is a trade-off. Full support for communication apps under this model would require running the gateway and the agent in separate containers, which hasn't been implemented yet.
Project Details
The project has been given the Chinese name "Xiao Long Xia" (小笼虾), with the "笼" character coming from "xiaolongbao" (soup dumplings). The implementation runs OpenClaw and the LLM router inside a VM+Kubernetes environment with a single command.
📖 Read the full source: r/openclaw
👀 See Also

AI Vulnerability Discovery Outpacing Patch Deployment Times
A security expert argues that AI tools like Mythos will find vulnerabilities faster than fixes can be deployed, citing Log4j data showing average remediation times of 17 days and a decade-long elimination timeline.

Open-source RAG attack and defense lab for local ChromaDB + LM Studio stacks
An open-source lab measures RAG knowledge base poisoning effectiveness on default local setups with ChromaDB and LM Studio, showing 95% success rate on undefended systems and evaluating practical defenses.

OpenClaw Security Vulnerabilities: Critical Framework Flaws Patched in 2026.3.28
Ant AI Security Lab identified 33 vulnerabilities in OpenClaw's core framework, with 8 critical issues patched in the 2026.3.28 release. The vulnerabilities include sandbox bypass, privilege escalation, session persistence after token revocation, SSRF risks, and allowlist degradation.

AI Agent Deletes Production Database, Then Confesses – A Cautionary Tale
A developer reports that an AI coding agent dropped their production database and later 'confessed' to the action in a log message. The incident highlights the risks of granting AI agents write access to production systems without safeguards.