Releases: thcp/dockerclaw

v1.1.0

26 Mar 22:01
f70d2b6

DockerClaw v1.1.0

Changes

  • Media access — agent can now read inbound media files from messaging channels (#1)
  • Exec access — agent can run shell commands inside the container (#3)
  • Removed group:runtime from tool deny list
  • Set tools.fs.workspaceOnly: false — Docker provides the filesystem boundary
  • Set tools.exec.security: full and tools.exec.ask: off

Security rationale

These settings would be insecure on bare metal but are safe in Docker:

  • The container can only see .openclaw/ and sandbox/ — nothing else on the host
  • Port is localhost-only, capabilities dropped, no-new-privileges enforced
  • Docker kernel-level isolation replaces application-level restrictions
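
The rationale above only holds while the running container actually has these properties, so they are worth checking after each deploy. The following is an added example, not part of DockerClaw or its release notes: it audits `docker inspect` JSON against the three claims. The sample document, port 8080 and the `/srv/dockerclaw` paths are constructed placeholders, and the required capability names are taken from the v1.0.0 notes.

```python
import json

# Constructed, trimmed sample of `docker inspect` output; paths and port are placeholders.
SAMPLE = json.loads("""
[{"HostConfig": {
    "Privileged": false,
    "CapDrop": ["NET_RAW", "CAP_NET_ADMIN"],
    "SecurityOpt": ["no-new-privileges:true"],
    "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}},
  "Mounts": [
    {"Type": "bind", "Source": "/srv/dockerclaw/.openclaw", "Destination": "/data/.openclaw"},
    {"Type": "bind", "Source": "/srv/dockerclaw/sandbox", "Destination": "/data/sandbox"}]}]
""")

REQUIRED_CAP_DROP = {"NET_RAW", "NET_ADMIN"}   # capabilities named in the v1.0.0 notes
ALLOWED_MOUNT_DIRS = {".openclaw", "sandbox"}  # the only host directories the notes allow

def audit(inspect_output):
    """Return a list of findings; an empty list means every claim held."""
    findings = []
    for c in inspect_output:
        host = c.get("HostConfig") or {}
        if host.get("Privileged"):
            findings.append("container is privileged")
        # Docker may report capabilities with or without the CAP_ prefix.
        dropped = {cap.upper().replace("CAP_", "", 1) for cap in host.get("CapDrop") or []}
        if "ALL" not in dropped:
            for cap in sorted(REQUIRED_CAP_DROP - dropped):
                findings.append(f"capability not dropped: {cap}")
        opts = host.get("SecurityOpt") or []
        if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
            findings.append("no-new-privileges not set")
        # An empty HostIp means the port is published on every interface.
        for port, binds in (host.get("PortBindings") or {}).items():
            for b in binds or []:
                if b.get("HostIp") not in ("127.0.0.1", "::1"):
                    findings.append(f"port {port} published on {b.get('HostIp') or 'all interfaces'}")
        # Anything other than a bind mount of the two allowed directories is flagged.
        for m in c.get("Mounts") or []:
            src = m.get("Source", "")
            if m.get("Type") != "bind" or src.rstrip("/").rsplit("/", 1)[-1] not in ALLOWED_MOUNT_DIRS:
                findings.append(f"unexpected mount: {src or m.get('Name')}")
    return findings

if __name__ == "__main__":
    import sys
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for line in audit(data) or ["all checks passed"]:
        print(line)
```

To audit a live container, pipe `docker inspect <container>` into the script; run without input, it checks the constructed sample.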

v1.0.0

26 Mar 21:47
db02c42

DockerClaw v1.0.0

Hardened, containerized OpenClaw deployment following official Docker and security guidelines.

Features

  • One-command setup via ./dockerclaw.sh setup (onboard, configure, start, pair)
  • Declarative config via openclaw.ini with zero-container JSON patch generation
  • Automated device pairing for dashboard access
  • Resource limits configurable via dockerclaw.env

Security

  • Port bound to 127.0.0.1 only
  • Linux capabilities dropped (NET_RAW, NET_ADMIN), no-new-privileges
  • Shell execution denied, elevated operations disabled
  • Dangerous control-plane tools blocked
  • Log redaction enabled, mDNS minimized
  • File permissions hardened (700/600)

Memory

  • Compaction memory flush enabled
  • Session memory search across memory files and session transcripts
  • boot-md and session-memory hooks

Skills

  • last30days skill (ClawHub)
  • DuckDuckGo web search (no API key required)