42,665 exposed OpenClaw instances prove that "just Docker it" does not end well. Here is what DIY actually costs.
TL;DR
Running OpenClaw with raw Docker on a VPS gives you full control. It also gives you full responsibility for security, updates, backups, and monitoring. 93.4% of self-hosted instances have no authentication. Clawctl exists because DIY security consistently fails.
Raw Docker on VPS: 2 wins · Clawctl: 6 wins · Tie: 0
You are a DevOps engineer who enjoys infrastructure work
You have specific networking or isolation requirements
Full root access and custom Docker configurations are needed
You are confident in your ability to secure the deployment
You do not want to be one of the 42,665 exposed instances
Security, audit trails, and approvals are requirements
You want to spend time on your agent, not on Docker configs
You want updates, backups, and monitoring handled for you
DIY Docker is how 42,665 OpenClaw instances ended up exposed on the internet with no authentication. Clawctl exists to make that impossible. 60 seconds to deploy, security by default, audit everything.
Yes. Research shows 93.4% of self-hosted OpenClaw instances have no authentication. Exposed API keys, file system access, and agent credentials. DIY security fails consistently.
Docker knowledge does not equal security knowledge. Clawctl provides audit trails, approval workflows, egress filtering, and encrypted secrets that take weeks to build yourself.
If you have specific Docker requirements (custom networks, volume mounts, GPU passthrough), self-hosted may be necessary. For standard OpenClaw deployments, Clawctl covers everything.
Audit trail (50+ events), human approvals (70+ risky actions), egress filtering, encrypted secrets, health monitoring, auto-recovery, one-click updates, and automated backups. Building this yourself takes months.