OpenClaw Insider Builds the Enterprise Safety Layer the Project Never Shipped

In brief

• Tank OS packages OpenClaw as a bootable system image.
• With this implementation, each agent runs in an isolated container with its own credentials, and no instance can access the host machine or other agents.
• Security audits flagged 12–20% of ClawHub add-ons as malicious.

Red Hat principal software engineer Sally O'Malley spent a weekend solving a problem most enterprise IT teams don't know they have yet. The result is Tank OS, an open-source tool that packages OpenClaw—the hot new software that makes it easy to deploy AI agents—inside a secure, self-contained environment and delivers it as a ready-to-boot system image you can push to any machine: a cloud server, a virtual machine, or physical hardware.

In other words, if you (or your agent) screw things up, this level of isolation would contain the damage to within “it’s fine” territory.

Instead of manually installing OpenClaw on each computer and hoping someone configured it correctly, you publish one image—a complete snapshot of the operating system plus the agent—and every machine that boots from it gets the exact same setup. Updates work the same way: swap the image, reboot, done. No manual patching.

The security piece is where Tank OS earns its name. Each OpenClaw instance runs inside a container—a kind of walled-off box inside the computer that can't reach outside its own boundaries.

Critically, O'Malley used Podman, a container tool developed at Red Hat, which runs without administrator privileges. That means even if something goes wrong inside the container, it can't touch the rest of the machine.

API keys—the “passwords” that connect OpenClaw to services like email or Slack and make it possible for your machine to communicate with all those services—are stored separately per instance. One agent can't see another's credentials. Nothing inside the container can reach the host system.

O'Malley is herself an OpenClaw maintainer, meaning she helps creator Peter Steinberger decide which features ship and which bugs get fixed, with her specific focus on enterprise use cases and Red Hat's Linux ecosystem. Tank OS isn't a third-party patch. It reflects where someone inside the project thinks enterprise hardening actually needs to go.

Security in the agentic AI era is extremely important, considering that now just about everyone is using these tools, but not many know what they actually do to operate. This creates an open-door invitation for technically savvy hackers and attackers.

For example, security researcher Mav Levin of DepthFirst disclosed CVE-2026-25253 in late January—a vulnerability rated 8.8 out of 10 on the severity scale used by security researchers worldwide. It was a one-click attack: visiting the wrong webpage while OpenClaw was running was enough to hand an attacker your login credentials and full control of your computer. The fix shipped January 30. More than 17,500 exposed instances were vulnerable before it did.