Non-Admin iMac Agent Setup: Rock-Solid Security

Deep Research Report | April 22, 2026

Executive Summary

This report covers the technical implementation of running OpenClaw and Hermes Agent on a personal iMac under a non-admin (standard) user account — completely isolated from the normal daily-use account. The goal is maximum security isolation while maintaining full functionality.

Bottom Line: OpenClaw is the right tool for this job. It installs cleanly under a standard user, runs on high ports without admin, and has first-class security controls. Hermes is undocumented and secondary. The main risk is the admin account on the same Mac — there's no technical barrier that stops an admin from reading your files, but operational and physical controls can compensate.

1. macOS Installation Without Admin

OpenClaw — ✅ Works Without Admin

Two install methods work without sudo:

# Method 1: Official installer (recommended)
curl -fsSL https://openclaw.ai/install-cli.sh | bash
# Installs to ~/.openclaw/ — no root needed

# Method 2: npm user-level install
npm install -g openclaw@latest --prefix ~/.npm-global
export PATH="$HOME/.npm-global/bin:$PATH"

Default port: 18789 — works immediately without admin (ports below 1024 are blocked for non-admin users).

Hermes — ⚠️ Uncertain

The Hermes package name and install method could not be confirmed. It appears to be a Python-based AI agent (pip-installable), but public documentation is sparse. OpenClaw's own docs don't reference a "Hermes" component with distinct multi-user capabilities.

Recommendation: Focus on OpenClaw as the primary agent. If Hermes is needed, clarify the specific package before proceeding.

What CANNOT Be Installed Without Admin

Workaround for all: User-space alternatives exist. OpenClaw on port 18789 is the primary solution.

2. macOS User Sandbox & Permissions

What Unprivileged Users CAN Do

• ✅ Write to home directory (~, ~/Library/, ~/.ssh/)
• ✅ Install user-space tools (nvm, fnm, Python via pyenv)
• ✅ Create user-level LaunchAgents in ~/Library/LaunchAgents/ — no admin needed
• ✅ Use crontab -e for scheduled tasks
• ✅ Store files in iCloud Drive, Google Drive, or external drives
• ✅ Grant own apps microphone/camera/screen permissions via System Settings

What Unprivileged Users CANNOT Do

• ❌ Bind to ports below 1024 (kernel restriction)
• ❌ Install Homebrew or MacPorts system-wide
• ❌ Modify SIP-protected paths (/System, /usr/bin, /bin)
• ❌ Install kernel extensions or system-wide LaunchAgents
• ❌ Access admin account's files or processes

LaunchAgent Setup (No Admin Required)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ai.babu.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/YOURUSER/.npm-global/bin/openclaw</string>
        <string>gateway</string>
        <string>start</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <dict>
        <key>Crashed</key>
        <true/>
    </dict>
    <key>ThrottleInterval</key>
    <integer>10</integer>
</dict>
</plist>

Save to ~/Library/LaunchAgents/ai.babu.agent.plist, then:

launchctl load ~/Library/LaunchAgents/ai.babu.agent.plist

This gives you: auto-start on login + crash recovery + no admin required.

3. OpenClaw Security Hardening

Gateway Binding

Critical setting — bind to localhost only, never expose publicly:

{
  "gateway": {
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "YOUR-SECURE-TOKEN-HERE"
    }
  }
}

loopback binding = only accessible from the Mac itself. No network exposure.

Session Isolation (dmScope)

For multi-user family setup, set per-channel-peer isolation:

{
  "session": {
    "dmScope": "per-channel-peer"
  }
}

This ensures each Telegram user gets their own isolated conversation history.

Telegram AllowFrom

{
  "channels": {
    "telegram": {
      "enabled": true,
      "accounts": {
        "default": {
          "botToken": "YOUR_BOT_TOKEN",
          "allowFrom": ["tg:123456789", "tg:987654321"],
          "dmPolicy": "allowlist"
        }
      }
    }
  }
}

dmPolicy: "allowlist" rejects unknown users. dmPolicy: "pairing" lets you approve new users on first contact.

Credential Storage

⚠️ OpenClaw does NOT use macOS Keychain — credentials are stored as flat JSON files in ~/.openclaw/credentials/ and ~/.openclaw/openclaw.json.

File permissions are the only access control:

chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json
chmod 700 ~/.openclaw/credentials

Run openclaw security audit --fix to auto-fix common permission issues.

Built-in Security Audit

openclaw security audit
openclaw security audit --fix   # automatically fix issues

4. Credential & Secret Storage

macOS Keychain (Per-User, No Admin Needed)

Every macOS user has their own keychain at ~/Library/Keychains/. It's encrypted with the user's login password and accessible only to that user account — admin cannot automatically access it.

Storage options: - Inline in openclaw.json — simplest, but chmod 600 is mandatory - tokenFile reference — separate secrets from config (better) - Environment variable fallback — TELEGRAM_BOT_TOKEN, etc. (less secure) - macOS Keychain — security CLI tool for programmatic access

Telegram Bot Token Security

# Create a separate token file (recommended)
echo "123456789:ABCdefGHIjklMNOpqrSTUvwxyz" > ~/.openclaw/telegram-token.txt
chmod 600 ~/.openclaw/telegram-token.txt

# Reference it in openclaw.json:
# "channels": { "telegram": { "tokenFile": "/Users/YOURUSER/.openclaw/telegram-token.txt" } }

Recommended File Permissions

5. Network Exposure & Attack Surface

The Hard Truth About Firewalls

No kernel-level firewall exists for unprivileged users on macOS. You cannot use pfctl, iptables, or any equivalent. The kernel-level packet filtering is admin-only.

Defense-in-Depth Strategy

Layer 1: Localhost Binding Never bind to 0.0.0.0 — use 127.0.0.1 exclusively.

Layer 2: Cloudflare Tunnel (Egress-Only) Cloudflared makes outbound HTTPS connections only. No inbound ports, no firewall holes, no admin needed.

# Install cloudflared (no admin required)
# Download from: https://github.com/cloudflare/cloudflared/releases
# Then:
cloudflared tunnel login
cloudflared tunnel create imac-agent
cloudflared tunnel run imac-agent -- http://localhost:18789

Layer 3: Telegram Webhook Verification Telegram signs every webhook with HMAC-SHA-256. Always verify the hash field before processing.

HTTPS Without Admin

• Cloudflare Tunnel — ✅ Best option. Free certs, auto-renew, no admin.
• Let's Encrypt DNS-01 — ✅ Viable. Requires domain + DNS API access.
• Self-signed — ❌ Not suitable for Telegram (requires valid HTTPS).
• Let's Encrypt HTTP-01 — ❌ Requires port 80 inbound — not possible without admin.

If Accidentally Exposed to Public Internet

The risks are severe: RCE, lateral movement, data exfil, credential theft. Bind to localhost + use Cloudflare Tunnel = the only safe setup.

6. Process Management & Reliability

Autostart on Login

Create a LaunchAgent in ~/Library/LaunchAgents/ (detailed above). RunAtLoad: true starts it on login. KeepAlive: { Crashed: true } restarts after crashes.

Crash Recovery

<key>KeepAlive</key>
<dict>
    <key>Crashed</key>
    <true/>
</dict>
<key>ThrottleInterval</key>
<integer>10</integer>

ThrottleInterval: 10 means launchd waits 10 seconds before restarting after a crash — prevents crash loops.

Monitoring Without Admin

All of these work without admin:

launchctl list | grep openclaw    # check if running
ps aux | grep openclaw            # find process
log stream --predicate 'processImagePath contains "openclaw"'  # live logs
tail -f ~/Library/Logs/openclaw/*.log   # log files

Log Rotation

OpenClaw logs to ~/Library/Logs/openclaw/ on macOS. Managed by Apple's logd — no manual rotation needed. For long-term log management, use log collect or pipe to an external service.

Process ID Tracking

Standard pidfile at ~/.openclaw/openclaw.pid — useful for external monitoring scripts.

7. Isolation From the Admin Account

The Brutal Truth

Admin with root access can read almost everything on the Mac. There's no technical mechanism that can fully protect a user-space directory from a determined admin with sudo. This includes: - All files in your home directory - Your running processes - Your decrypted keychain (if they know your password) - Memory contents of your processes

What You CAN Protect

• FileVault encryption — encrypts data at rest. Without the firmware password, the disk is unreadable even to admin.
• Firmware password — prevents boot from external media or Single User Mode.
• ACLs — add friction (deny rules can block casual access) but not a real barrier against root.
• Keychain — admin cannot auto-access your keychain, but if they know your password, they can unlock it.

Recommended Mitigations

1. Enable FileVault — System Settings → Privacy & Security → FileVault. Encrypts everything.
2. Set a firmware password — prevents physical access attacks.
3. Use chmod 700 on home directory — stops casual file browsing by admin.
4. Keep sensitive credentials in Keychain, not files — adds a layer beyond filesystem.
5. Understand the threat model — you're protected from casual snooping, not a determined forensic attack.

8. Disaster Recovery & Backup

OpenClaw Built-in Backup

# Create backup (everything in ~/.openclaw/)
openclaw backup create

# Restore
openclaw backup restore ~/Downloads/openclaw-backup-2026-04-22.tar.gz

The backup includes: config, credentials, sessions, agents, skills, cron jobs.

What to Back Up

Encrypted Backup

# Create encrypted archive
tar -czf - -C ~ .openclaw .ssh | gpg --symmetric --output ~/backup-$(date +%Y%m%d).tar.gz.gpg

# Restore
gpg --decrypt ~/backup-20260422.tar.gz.gpg | tar -xzf - -C ~

Never store unencrypted backups in iCloud or Google Drive.

Migration to New Mac

1. On old Mac: openclaw backup create → copy to external drive
2. On new Mac (non-admin account): install Node.js via nvm (no admin)
3. Install OpenClaw: curl -fsSL https://openclaw.ai/install-cli.sh | bash
4. Restore: openclaw backup restore backup.tar.gz
5. Re-auth Telegram channels (bot tokens restore from backup, webhook URL needs updating)

Backup Frequency

• Daily automated via cron: 0 9 * * * openclaw backup create
• Weekly full backup to external drive
• Before every update or config change

9. Setup Checklist

Phase 1: User Account Setup

• [ ] Create a dedicated non-admin user account on the iMac
• [ ] Log into the standard account for all agent activities
• [ ] Enable FileVault encryption
• [ ] Set a firmware password

Phase 2: Installation

• [ ] Install Node.js via nvm (no admin needed)
• [ ] Install OpenClaw: curl -fsSL https://openclaw.ai/install-cli.sh | bash
• [ ] Install cloudflared (for Cloudflare Tunnel)
• [ ] Create LaunchAgent plist for autostart

Phase 3: Security Configuration

• [ ] Set gateway.bind: loopback in openclaw.json
• [ ] Set session.dmScope: per-channel-peer
• [ ] Configure allowFrom with actual Telegram user IDs
• [ ] Set dmPolicy: "allowlist" or "pairing"
• [ ] Run openclaw security audit --fix
• [ ] Set chmod 600 on openclaw.json, chmod 700 on ~/.openclaw/

Phase 4: Access & Tunnels

• [ ] Create Cloudflare Tunnel for remote access
• [ ] Configure Telegram bot webhook (localhost only, HMAC verified)
• [ ] Test from external network

Phase 5: Operations

• [ ] Set up daily automated backup cron
• [ ] Configure log monitoring
• [ ] Document recovery procedure
• [ ] Test restore from backup on a test machine

Sources

• Apple Developer Documentation (launchd, TCC, Keychain)
• OpenClaw Documentation (docs.openclaw.ai)
• Cloudflare Tunnel Documentation
• launchd.info (community resource)
• macOS Security and Privacy Guide

Report generated: 2026-04-22 | Research conducted via parallel subagent investigation