OpenClaw MCP Servers: Connect Your AI Agent to Everything

ClawHosters by Daniel Samer

Your ClawHosters instance can query your PostgreSQL database, search the web through Brave, read files from Google Drive, and post messages to Slack. All without you writing a single line of integration code. That's what OpenClaw MCP servers do.

MCP stands for Model Context Protocol. Anthropic introduced it in November 2024 as an open standard for connecting AI applications to external tools and data sources. The analogy that stuck: MCP is the USB-C port for AI. Before it existed, every data source required a custom integration. Now there's one protocol that works across clients and servers.

The ecosystem grew faster than probably anyone expected. Downloads went from roughly 100,000 to over 8 million in five months after launch. There are now over 1,200 quality-verified servers in directories, with tens of thousands more on GitHub. Anthropic, OpenAI, Google, and Microsoft all back the standard. It won.

And MCP isn't Claude-specific. OpenClaw acts as an MCP client regardless of which LLM you're running behind it.

What Ships with ClawHosters

Every ClawHosters instance comes with three built-in MCP servers, pre-installed in the base snapshot:

| Server | What It Does |
|---|---|
| Filesystem | Read and write files inside your instance |
| Shell | Execute terminal commands in the container |
| Browser | Browse the web via Playwright (Chromium included) |

These cover the most common use cases out of the box. You can configure them through the ClawHosters web UI or by editing openclaw.json directly via SSH. For full setup instructions, check the MCP servers documentation.

OpenClaw MCP Configuration

MCP servers live in the mcpServers object inside your openclaw.json. Each entry needs a command, arguments, and optionally environment variables for API keys:

```json
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_your_token_here"
      }
    },
    "brave-search": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-brave-search"],
      "env": {
        "BRAVE_API_KEY": "your_key_here"
      }
    }
  }
}
```

That npx -y pattern is the standard way most MCP servers run. It downloads and executes an npm package without manual installation. The -y flag auto-confirms the install prompt.

You can also configure servers through the ClawHosters dashboard without touching JSON at all. The web UI handles the same fields.

Popular OpenClaw MCP Servers Worth Adding

These are verified working on ClawHosters instances. Builder.io's developer guide covers a broader list, but here are the ones I see used most:

| Use Case | Package |
|---|---|
| GitHub repos | @modelcontextprotocol/server-github |
| PostgreSQL queries | @modelcontextprotocol/server-postgres |
| Google Drive files | @modelcontextprotocol/server-gdrive |
| Slack messages | @modelcontextprotocol/server-slack |
| Web search | @modelcontextprotocol/server-brave-search |
| Notion pages | @notionhq/mcp |

One thing to watch: memory. Built-in servers use 20 to 50 MB each. Node.js custom servers run 50 to 150 MB each. The Browser server can hit 200 to 400 MB when active. If you're on a smaller ClawHosters tier, adding four custom servers on top of the built-in ones might push you close to limits. Two or three custom servers is a reasonable starting point for most setups.

Custom OpenClaw MCP installations persist across container restarts. But they get wiped on a rebuild. If you trigger a rebuild, you'll need to re-add any custom MCP servers afterward.

Security: The Part You Shouldn't Skip

I'm going to be direct about this. MCP servers run with the same permissions as the container, which is root. That means a malicious or compromised MCP server has full access to everything inside your instance: files, credentials, API keys, conversation history.

This isn't a bug in ClawHosters. It's how MCP works everywhere. The official MCP specification documents the risks explicitly, including arbitrary code execution via malicious server packages.

Real incidents have already happened. In January 2026, The Register reported that Anthropic quietly fixed three chained vulnerabilities in their own Git MCP server. These enabled remote code execution. Even the protocol creators' first-party server had these bugs.

Then there's tool poisoning. Security researchers at Invariant Labs demonstrated that a malicious MCP server can embed hidden instructions in its tool description. The AI sees and follows these instructions. The user never sees them. In one demo, this technique silently exfiltrated a user's WhatsApp message history.

According to Pillar Security, compromising one MCP server can grant attackers access to all connected service tokens. Think email, calendar, file storage.

So what should you actually do?

Only install MCP servers from sources you understand. The @modelcontextprotocol packages from Anthropic are the most scrutinized. Verify the npm package name before running npx -y on anything. And don't mix trusted and untrusted servers on the same instance if you're storing sensitive credentials. ClawHosters provides container isolation from the host, but data inside the container is accessible to any MCP server running there.
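An added example (not ClawHosters or OpenClaw code): a Python audit of the mcpServers object that applies the advice above. It checks each npx package name against an allowlist, flags near-miss names, and reports when non-allowlisted servers share the instance with servers that hold credentials. The allowlist (the packages named on this page), the 0.9 similarity threshold, and the sample entries gh-tools and notes are assumptions constructed for illustration.

```python
import json
from difflib import SequenceMatcher

# Assumption: the allowlist is the set of packages named on this page.
ALLOWED = {"@notionhq/mcp"} | {
    "@modelcontextprotocol/server-" + s
    for s in ("github", "postgres", "gdrive", "slack", "brave-search")}

def package_name(entry):
    """Return the npm package an npx entry runs, minus any @version suffix."""
    if entry.get("command") != "npx":
        return None
    spec = next((a for a in entry.get("args", []) if not a.startswith("-")), None)
    if spec is None:
        return None
    cut = spec.find("@", 1)  # index 0 is the '@' of a scoped name, not a version
    return spec if cut == -1 else spec[:cut]

def audit(config):
    """Return findings for the mcpServers object of a parsed openclaw.json."""
    findings, untrusted, with_secrets = [], [], []
    for name, entry in config.get("mcpServers", {}).items():
        if entry.get("env"):
            with_secrets.append(name)
        pkg = package_name(entry)
        if pkg in ALLOWED:
            continue
        untrusted.append(name)
        if pkg is None:
            findings.append(f"{name}: not an npx package entry, review by hand")
            continue
        best = max(ALLOWED, key=lambda a: SequenceMatcher(None, pkg, a).ratio())
        if SequenceMatcher(None, pkg, best).ratio() >= 0.9:  # near-miss name
            findings.append(f"{name}: '{pkg}' looks like a misspelling of '{best}'")
        else:
            findings.append(f"{name}: '{pkg}' is not on the allowlist")
    if untrusted and with_secrets:
        findings.append(f"{untrusted} run beside credentials held by {with_secrets}")
    return findings

# Constructed sample: one entry from the page, one look-alike, one made-up package.
SAMPLE = json.loads("""{"mcpServers": {
  "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
             "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_your_token_here"}},
  "gh-tools": {"command": "npx", "args": ["-y", "@modelcontextprotocal/server-github"]},
  "notes": {"command": "npx", "args": ["-y", "made-up-notes-mcp"]}}}""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```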

For more on securing your instance overall, the security hardening guide covers the full picture. And the ClawHosters docs on security explain what protections ship out of the box.

Frequently Asked Questions

MCP (Model Context Protocol) lets your OpenClaw instance connect to external tools like databases, APIs, and web services through a single standard. Instead of building custom integrations, you add an MCP server and your agent gets new capabilities immediately.

There's no hard limit, but memory is the constraint. Built-in servers use 20 to 50 MB each, custom Node.js servers 50 to 150 MB. On most tiers, two to four custom servers work well alongside the built-in ones. Check the pricing page for memory specs per tier.

Yes, custom servers installed in the data volume persist across normal container restarts. But a full rebuild wipes them. Built-in servers (Filesystem, Shell, Browser) always persist because they're part of the base snapshot.

They're powerful, which means the security surface is real. MCP servers run as root inside the container and can access anything in it. Stick to well-known packages, verify what you're installing, and avoid mixing trusted and untrusted servers. The MCP security docs have detailed guidance.

No. MCP is an open standard backed by Anthropic, OpenAI, Google, and Microsoft. It works with any LLM that your OpenClaw instance runs, not just Claude.
*Last updated: February 2026*
