OpenClaw Security Approach Using LLM Router and zrok Private Sharing

A developer has detailed their approach to running OpenClaw and an LLM router inside a VM+Kubernetes environment with a single command, focusing on addressing security concerns around "little lobster" agent systems.
Security Problem and Initial Approach
The project started from concerns about the safety of OpenClaw-like agent systems. The developer notes that sandboxing alone doesn't solve the fundamental security issue: as long as the agent has execution permissions, a simple skill injection could call something like printenv and expose all injected API keys. Removing execution permissions would eliminate about 90% of functionality, and without injecting an LLM API key, the agent can't call the model at all.
LLM Router Solution
The developer initially considered using a service mesh with a sidecar to handle authentication header injection, but OpenClaw's HTTPS enforcement made this impractical. They switched to using an LLM router instead, which allows API key injection at the router level. This approach provides the added benefit of enabling users to inspect conversation logs and build their own monitoring plugins, such as using Claude Code to keep an eye on the agent.
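The router pattern described above, written out as an added example (this is not code from the post or from the Xiao Long Xia project): the provider key lives only in the router process's environment, any credential header the agent sends is discarded and replaced, and every request/response pair is recorded so a monitor can read it without touching the agent pod. The upstream URL, header names, log layout and the toy `printenv` flagging rule are all assumptions.

```python
"""Minimal LLM router: holds the provider API key itself and injects it into
upstream requests so the agent container never needs the key in its own
environment. Added example; the upstream URL, headers and log format are assumed."""
import json
import os
import urllib.error
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed: the router reads the real key from ITS OWN environment. The agent
# pod is started without this variable, so dumping its environment yields nothing.
UPSTREAM_URL = os.environ.get("LLM_UPSTREAM_URL", "https://api.example.invalid/v1/chat/completions")
ROUTER_KEY = os.environ.get("LLM_ROUTER_KEY", "placeholder-key-not-real")

# Headers that must never pass through from the agent to the upstream provider.
STRIPPED_HEADERS = {"authorization", "x-api-key", "host", "content-length", "cookie"}


def build_upstream_headers(agent_headers: dict, router_key: str) -> dict:
    """Drop any credential the agent supplied (it may be stale or attacker-chosen)
    and inject the router's own key. Header names are matched case-insensitively."""
    out = {k: v for k, v in agent_headers.items() if k.lower() not in STRIPPED_HEADERS}
    out["Authorization"] = f"Bearer {router_key}"
    out.setdefault("Content-Type", "application/json")
    return out


def _as_json(raw: bytes):
    """Parse a body as JSON; keep a decoded copy if the provider returned something else."""
    try:
        return json.loads(raw or b"{}")
    except ValueError:
        return {"raw": raw.decode("utf-8", errors="replace")}


def record_exchange(log: list, request_body: bytes, response_body: bytes) -> dict:
    """Append one request/response pair to the router's log. Because every model
    call crosses the router, a monitor (a rule, a human, or another model) can
    review the conversation without access to the agent's filesystem or env."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "request": _as_json(request_body),
        "response": _as_json(response_body),
    }
    log.append(entry)
    return entry


def flag_suspicious(entry: dict, patterns=("printenv", "/proc/self/environ")) -> list:
    """Toy monitoring hook: report model output that asks the agent to dump its
    environment. A real plugin would apply richer rules or a reviewing model."""
    text = json.dumps(entry.get("response", {}))
    return [p for p in patterns if p in text]


class RouterHandler(BaseHTTPRequestHandler):
    """Forwards agent POSTs to the provider with the router's key attached."""
    log: list = []

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        headers = build_upstream_headers(dict(self.headers), ROUTER_KEY)
        req = urllib.request.Request(UPSTREAM_URL, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                status, resp_body = resp.status, resp.read()
        except urllib.error.HTTPError as err:  # pass provider errors through unchanged
            status, resp_body = err.code, err.read()
        entry = record_exchange(self.log, body, resp_body)
        for hit in flag_suspicious(entry):
            self.log_message("ALERT: model output mentions %s", hit)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(resp_body)))
        self.end_headers()
        self.wfile.write(resp_body)


if __name__ == "__main__":
    # The agent is pointed at this address instead of the provider; only this
    # process has LLM_ROUTER_KEY in its environment.
    HTTPServer(("127.0.0.1", 8081), RouterHandler).serve_forever()
```

The important property is in `build_upstream_headers`: the agent's own `Authorization` or `X-Api-Key` header is never forwarded, so compromising the agent's environment gains nothing usable against the provider, and the key can be rotated in one place. The log produced by `record_exchange` is what a Claude Code style watcher or any other monitor would consume.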
Remote Access via zrok
Another challenge was integrating with communication apps like Slack or Telegram, which requires injecting tokens for remote access. The solution uses zrok private sharing, allowing a remote host to access the agent's admin chat through private sharing without relying on any messaging apps. The developer acknowledges this limits some capabilities—it's a trade-off. Full support for communication apps under this model would require running the gateway and the agent in separate containers, which hasn't been implemented yet.
Project Details
The project has been given the Chinese name "Xiao Long Xia" (小笼虾), with the "笼" character coming from "xiaolongbao" (soup dumplings). The implementation runs OpenClaw and the LLM router inside a VM+Kubernetes environment with a single command.
📖 Read the full source: r/openclaw
👀 See Also

llm-hasher: Local PII Detection and Tokenization for Hybrid LLM Workflows
llm-hasher is a tool that detects personally identifiable information locally using Ollama before data reaches external LLMs like OpenAI or Claude, tokenizes the PII, and restores originals after processing. It uses regex for structured data types and a local LLM for contextual detection, with encrypted storage for mappings.

Bitwarden Agent Access SDK integrates with OneCLI for secure credential injection
Bitwarden's new Agent Access SDK enables AI agents to access credentials from Bitwarden's vault with human approval, while OneCLI acts as a gateway that injects credentials at the network layer without exposing raw values to agents.

Privacy Concerns in OpenClaw: Skills, SOUL MD, and Agent Communication
A developer raises privacy concerns about OpenClaw's architecture, specifically around skills having unrestricted access to sensitive data, SOUL MD being writable, and agents sharing information without filters.

ClawCare: Security Guard for AI Coding Agents After AWS Key Leak
ClawCare is a Python tool that scans commands before execution in AI coding agents like Claude Code, blocking risky patterns like bulk environment dumps and reverse shells. It was built after a developer accidentally leaked an AWS key through an agent.