How to Secure Computer-Using AI Agents in Production
What are the security risks of running computer-using agents like OpenClaw?
Computer-using agents are powerful precisely because they act like a human on a real desktop and browser — which is also what makes them dangerous in production.
During OpenClaw's viral moment, the risks stopped being theoretical.
As Idan Rahman of Anchor Browser put it, "I actually know several people that had to cancel credit cards, change passwords, because they were actually leaked by OpenClaw.
So it's not just this scare thing where they tell you it's non-secure, it's actually very much a security vulnerability." The exposure comes from the agent's surface area: it can see the screen, interact with the computer, and access anywhere on the web — the same properties that make it useful for work make credential and data leakage a live concern.
How do you sandbox an AI agent that needs full desktop access?
The goal is to give the agent a contained runtime without stripping away the capabilities that let it actually complete work.
Anchor's approach is to "create this universe where computer using agents have a secure infrastructure to run in, whether it's OpenCloud today and it can be any other open source, closed source project in the future." A production-grade sandbox for a computer-using agent needs to preserve four things at once: Isolation from the host and from other agent sessions A good IP address so the agent can access everything on the web A real browser so the agent isn't blocked by anti-bot detection Full interactivity with the computer, so it can click, type, and navigate like a person The same runtime layer also becomes the place to enforce guardrails and policy on what the agent can do.
“I actually know several people that had to cancel credit cards, change passwords, because they were actually leaked by OpenClaw.”
Why are Mac Minis used to run computer-using agents, and what are the alternatives?
The Mac Mini became the default OpenClaw host almost by accident — Rahman describes it as the "least bad solution" .
It happens to satisfy all four requirements at once: it's isolated, it has a good IP address, it runs a real browser, and a human (or agent) can interact with it directly.
The problem is scale. "Mac minis aren't really scalable, not for humans, but not for just like people in their home, but definitely not for an enterprise that wants to run like a million open clouds." Stacking physical hardware doesn't work for an enterprise that wants to run agents in volume.
The alternative Anchor is building is a virtual equivalent — "a Mac Mini in a box, which is virtual, and you can scale it for an enterprise" — preserving the security, guardrails, accessibility, and full desktop experience, but without the physical hardware constraint.
“Mac minis aren't really scalable, not for humans, but not for just like people in their home, but definitely not for an enterprise that wants to run like a million open claws.”
How do you keep computer-using agents economically viable in production?
Security isn't the only production blocker — raw computer use is expensive.
Compared to a human doing the same task, a vision-based computer-using agent is usually "more expensive and slower to run" if you call the LLM on every step.
The pattern that makes it viable is to use the LLM as little as possible: Cache workflows : once an agent has completed a task (e.g. visiting a site and extracting specific data), replay the cached steps instead of re-reasoning.
Fall back to AI only on change : re-invoke the LLM when the UI changes or an edge case appears.
Convert to API calls wherever a browser-based workflow can be expressed as one.
This is the same broader pattern teams hit when they scale LLM usage: organizations start on OpenAI or Anthropic because it's cheap to begin, then run into "seven-figure, eight-figure" bills and have to engineer the cost down.
“AI agents are only as viable as their ability to act in the real world.”
Why does computer use matter for GTM agents at all?
The reason teams keep coming back to computer use — despite the security and cost overhead — is that most real work still happens through a person on a computer, often inside a browser. "AI agents are only as viable as their ability to act in the real world," and most agent initiatives stall because the agent can't actually do the work a human does.
Browser use and computer use unblock that: every agent platform that has gone viral has had a strong computer-use component, because it lets the agent operate on the long tail of platforms that don't expose APIs — registries, legacy systems, and the kind of forms a human would otherwise fill out by hand.
For GTM teams, that means computer-using agents are the path to automating the workflows where API integration was never an option — but only if the runtime underneath them is secured and made scalable.
“We're using LLMs the least amount possible, actually. We every task we learn.”
Frequently asked questions.
- Are computer-using agents like OpenClaw actually unsafe in production?
- Yes, in their default form. Users have had credit cards and passwords leaked by OpenClaw and had to cancel cards and rotate credentials. The vulnerability is structural: a computer-using agent sees the screen, interacts with the desktop, and reaches anywhere on the web — the same properties that make it useful for work make data and credential exposure a live risk. Running them in production requires a sandboxed runtime with isolation and guardrails, not just the raw agent on a host machine.
- Why did the community settle on Mac Minis for OpenClaw?
- Mac Minis became the "least bad solution" because they happen to satisfy every requirement a computer-using agent has at the same time: they're isolated from other workloads, they have a good IP address so they can access anywhere on the web, they run a real browser so they don't get blocked, and you can interact with the computer directly. No single hosted alternative ticked all four boxes, so people stacked Mac Minis even though it wasn't intuitive.
- What's the scalable alternative to running Mac Minis for agents?
- A virtualized equivalent — described by Anchor's founder as "a Mac Mini in a box, which is virtual, and you can scale it for an enterprise." It preserves the Mac Mini's security, guardrails, real-browser accessibility, and full desktop experience, but removes the physical hardware constraint. That matters because an enterprise that wants to run a large fleet of computer-using agents can't realistically rack physical Mac Minis to do it.
- What makes a sandbox suitable for a computer-using agent?
- Four properties have to coexist: isolation from the host, a good IP address so the agent can reach the open web, a real browser so it isn't blocked by anti-bot defenses, and full interactivity with the computer so it can act like a human user. Strip away any one of those and the agent either becomes unsafe, gets blocked, or can't do the work. The sandbox is also where guardrails and policy on agent behavior get enforced.
- How do you keep computer-using agents from becoming too expensive to run?
- Use the LLM as little as possible. Cache workflows after the agent has done them once and replay the cached steps; only fall back to the LLM when the UI changes or an edge case appears; and convert browser-based workflows to API calls wherever that's possible. Without this, computer use is usually more expensive and slower than a human doing the same task, and teams that scale naively end up with seven- or eight-figure LLM bills.
- Why bother with computer use instead of just calling APIs?
- Because most real work still happens through a person on a computer, very often inside a browser, and most agent initiatives stall at the planning or integration phase because the agent can't actually do that work. Computer use lets agents operate on platforms that don't expose APIs — registries and old-fashioned systems where information has to be filled in by hand. Every agent platform that has gone viral has had a strong computer-use component for exactly this reason.