OpenClaw Maintainer Releases Tank OS to Secure Enterprise AI Agent Deployments

Red Hat's OpenClaw maintainer just made enterprise Claw deployments a lot safer | TechCrunch

On Tuesday, Red Hat principal software engineer Sally O'Malley released a new open source tool called Tank OS to make it easier to deploy and manage OpenClaw agents more safely. "This was a fun project that I put together on the weekend that I knew would be a really good fit for AI and where we're going," she told TechCrunch, adding that she wanted to give it "to the masses." Tank OS is geared toward power users looking to run OpenClaw on their own computers and toward IT pros managing fleets of corporate OpenClaw agents. It makes OpenClaw safer and easier to maintain en masse. Countless people, companies, and startups are already inventing better ways to work with OpenClaw -- the open source project that installs an AI agent on a local computer. There is also a growing number of startups building competing claw alternatives that they say are safer (like NanoClaw). What makes O'Malley's project notable is that she is an OpenClaw maintainer. That means she's among the select software engineers working with creator Peter Steinberger to decide which features and bugs get worked on. In her case, she focuses on making OpenClaw work better in enterprise use cases, and with Red Hat's various flavors of the Linux operating system. (While Steinberger was hired by OpenAI, he still leads the independent open source OpenClaw project.) O'Malley joined OpenClaw because she sees it working to "enable everyone to run AI in a safe way, that's open," she said. But she got to thinking about what will happen when OpenClaw invades an enterprise and decided to build a tool for that eventuality. She began with an open source container tool called Podman, created by a colleague at Red Hat. Containers are a way to run apps separately from the underlying computer, with everything the app needs to run, bundled together. They can run a Linux app on a Windows or Mac machine, for instance. Podman is a particularly secure way to do this because it's "rootless," meaning it doesn't give the containers any privileges from the underlying machine, Red Hat says. Tank OS loads OpenClaw onto Red Hat's Fedora Linux OS in a Podman container and makes that container a bootable image, meaning it will run and launch OpenClaw when you start the computer. Her tool includes everything needed to make OpenClaw useful without human oversight, like state (the part that allows it to remember); the ability to store API keys (the credentials for accessing subscriptions and services); and other features. Users can run multiple Tank OS instances on a machine to do different tasks, never sharing passwords or credentials between them, and no OpenClaw instance can gain access to anything else running on the computer. While O'Malley knows that the OpenClaw project is working to make the agent safer, she says that "it's an incredibly powerful application," but can also be "dangerous" if not configured properly. "It's not a tool that you can use easily unless you do have some sort of technical experience," she said. Stories abound, such as the Meta AI security researcher whose Claw started deleting all of her work email, or an agent that downloaded in plain text all of a user's WhatsApp DMs. There's also a growing crop of malware aimed at OpenClaw users. To be sure, Tank OS isn't really for techno novices either, she says. You have to be comfortable installing and maintaining software on your computer, she says. Tank OS is also not the only OpenClaw implementation working in containers. NanoClaw, for instance, is doing a similar thing with well-known container company Docker. But Tank OS is intended to be especially useful for IT pros (aka, Red Hat's main customers) who may one day manage fleets of OpenClaw agents on corporate computers. It allows them to update the agents the same way they already manage other containers. "My role within OpenClaw is really my interest in it," O'Malley said. "How it's going to look scaled out when there are millions of these autonomous agents talking to one another."

OpenClaw Insider Builds the Enterprise Safety Layer the Project Never Shipped - Decrypt

With this implementation, each agent runs in an isolated container with its own credentials, and no instance can access the host machine or other agents. Red Hat principal software engineer Sally O'Malley spent a weekend solving a problem most enterprise IT teams don't know they have yet. The result is Tank OS, an open-source tool that packages OpenClaw -- the hot new software that makes it easy to deploy AI agents -- inside a secure, self-contained environment and delivers it as a ready-to-boot system image you can push to any machine: a cloud server, a virtual machine, or physical hardware. In other words, if you (or your agent) screw things up, this level of isolation would contain the damage to within "it's fine" territory. Instead of manually installing OpenClaw on each computer and hoping someone configured it correctly, you publish one image -- a complete snapshot of the operating system plus the agent -- and every machine that boots from it gets the exact same setup. Updates work the same way: swap the image, reboot, done. No manual patching. The security piece is where Tank OS earns its name. Each OpenClaw instance runs inside a container -- a kind of walled-off box inside the computer that can't reach outside its own boundaries. Critically, O'Malley used Podman, a container tool developed at Red Hat, which runs without administrator privileges. That means even if something goes wrong inside the container, it can't touch the rest of the machine. API keys -- the "passwords" that connect OpenClaw to services like email or Slack and make it possible for your machine to communicate with all those services -- are stored separately per instance. One agent can't see another's credentials. Nothing inside the container can reach the host system. O'Malley is herself an OpenClaw maintainer, meaning she helps creator Peter Steinberger decide which features ship and which bugs get fixed, with her specific focus on enterprise use cases and Red Hat's Linux ecosystem. Tank OS isn't a third-party patch. It reflects where someone inside the project thinks enterprise hardening actually needs to go. Security in the agentic AI era is extremely important, considering that now just about everyone is using these tools, but not many know what they actually do to operate. This creates an open-door invitation for technically savvy hackers and attackers. For example, security researcher Mav Levin of DepthFirst disclosed CVE-2026-25253 in late January -- a vulnerability rated 8.8 out of 10 on the severity scale used by security researchers worldwide. It was a one-click attack: visiting the wrong webpage while OpenClaw was running was enough to hand an attacker your login credentials and full control of your computer. The fix shipped January 30. More than 17,500 exposed instances were vulnerable before it did. This repository is aimed at Red Hat's customer enterprises, but the idea of running agents in containers may be good advice even for home users. "My role within OpenClaw is really my interest in it," O'Malley told TechCrunch. "How it's going to look scaled out when there are millions of these autonomous agents talking to one another."