We Built Clawbake: Open-Source Multi-User Instance Management for OpenClaw
Use OpenClaw inside your company with Clawbake
Today we’re releasing Clawbake, an open-source system that lets every person on your team spin up their own isolated OpenClaw AI agent instance in Kubernetes, managed through a web dashboard or Slack, deployed via a single Helm chart.
AI is having a Napster moment. OpenClaw, the open-source autonomous AI agent, surpassed 250,000 GitHub stars in roughly four months, making it the most-starred non-aggregator software project in GitHub history, ahead of Linux and React. For context, React took 13 years to accumulate a comparable number. Alexander Feick at eSentire put it plainly in The New Stack: “Users are embracing risk because the utility is tangible and immediate.”
The risk part is real. Palo Alto Networks warned of a “lethal trifecta” of vulnerabilities: access to private data, exposure to untrusted content, and broad system permissions. Cisco’s AI security team documented live data exfiltration and prompt injection from a third-party skill without user awareness. A security incident dubbed “ClawHavoc” found roughly 12% of OpenClaw’s public skill registry compromised with malware. Several Silicon Valley firms banned it from work devices entirely.
Whether OpenClaw proves to be enduring infrastructure or a stepping stone to something more purpose-built is still an open question. But autonomous agents with broad system access are not going away, and the pattern is worth exploring now.
When you try to move from one person tinkering to a whole team running their own instances, you hit real friction fast. We hit several of those problems ourselves. Clawbake solves one of them: getting every person their own isolated instance without the manual cluster work.
What It Does
Every team member gets their own isolated OpenClaw environment. They can’t reach each other’s instances. Admins control the config template. Users supply their own API keys. Nobody has to babysit the cluster.
Under the hood, Clawbake uses the Kubernetes CRD+Operator pattern. When a user creates an instance, the system writes a ClawInstance custom resource to the cluster. An operator reconciles the actual state, provisioning a dedicated namespace, deployment, persistent volume, service, and network policy per user. If something drifts, the operator fixes it. Full architecture details are in the docs.
The Slack integration is worth calling out. Getting OpenClaw connected to Slack natively is its own project. Clawbake handles that for you. A /clawbake command lets users create, check, and delete their own instances without touching a terminal. Direct-message the bot and it forwards your message to your running OpenClaw instance as a chat completion, and the response comes back right in the conversation. For teams that live in Slack, that’s the whole workflow.
Three Problems Clawbake Solves
Network Isolation: users can’t reach each other’s instances, and the NetworkPolicy in each namespace enforces that at the cluster level. Credential Isolation: each person has their own API keys, gateway config, and persistent storage, so there’s no shared state to collide on. Workload Isolation: one person’s heavy workload doesn’t degrade someone else’s session.
These aren’t glamorous problems but they’re a few issues that can block adoption at the team level.
GitHub: github.com/NeurometricAI/clawbake
Release: v0.1.0, with docs covering architecture, deployment, and usage all live in the repo. This is an early release and has not undergone a security audit. It’s built for teams that want to move fast and evaluate the pattern, not a hardened production system. Treat it accordingly.
The tinkerers already have it. Now your team can too.
The Neurometric Team