diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json
index ea8592c99..456f86417 100644
--- a/.openclaw-sync/source.json
+++ b/.openclaw-sync/source.json
@@ -1,5 +1,5 @@
{
"repository": "openclaw/openclaw",
- "sha": "95a1c915312a520c3c33d2b96943aa3e3b48a10e",
- "syncedAt": "2026-05-07T15:19:37.271Z"
+ "sha": "484a289be34e6d744d158c72cef95bba5061dd94",
+ "syncedAt": "2026-05-07T19:20:00.786Z"
}
diff --git a/docs/install/docker.md b/docs/install/docker.md
index 5f7f62b1b..6862f8455 100644
--- a/docs/install/docker.md
+++ b/docs/install/docker.md
@@ -335,6 +335,32 @@ See [ClawDock](/install/clawdock) for the full helper guide.
`no-new-privileges` on both `openclaw-gateway` and `openclaw-cli`.
+
+ Some Docker Desktop setups fail DNS lookups from the shared-network
+ `openclaw-cli` sidecar after `NET_RAW` is dropped, which shows up as
+ `EAI_AGAIN` during npm-backed commands such as `openclaw plugins install`.
+ Keep the default hardened compose file for normal gateway operation. The
+ local override below loosens the CLI container's security posture by
+ restoring Docker's default capabilities, so use it only for the one-off CLI
+ command that needs package registry access, not as your default Compose
+ invocation:
+
+ ```bash
+ printf '%s\n' \
+ 'services:' \
+ ' openclaw-cli:' \
+ ' cap_drop: !reset []' \
+ > docker-compose.cli-no-dropped-caps.local.yml
+
+ docker compose -f docker-compose.yml -f docker-compose.cli-no-dropped-caps.local.yml run --rm openclaw-cli plugins install
+ ```
+
+ If you already created a long-running `openclaw-cli` container, recreate it
+ with the same override. `docker compose exec` and `docker exec` cannot
+ change Linux capabilities on an already-created container.
+
+
+
The image runs as `node` (uid 1000). If you see permission errors on
`/home/node/.openclaw`, make sure your host bind mounts are owned by uid 1000:
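Review bot: The override `cap_drop: !reset []` is broader than the problem the paragraph describes: the text attributes the `EAI_AGAIN` failures to `NET_RAW` being dropped, yet the workaround restores all of Docker's default capabilities on `openclaw-cli`. If `NET_RAW` is the only capability that matters here, narrow the override so that only it comes back, and say in the text that the `no-new-privileges` setting from the base file still applies, since the override does not touch it. The `!reset` tag is not understood by older Docker Compose releases, so the docs should name the minimum version; otherwise readers on an older Compose will hit a YAML error instead of the DNS fix. The example also leaves `docker-compose.cli-no-dropped-caps.local.yml` on disk after a one-off command, so add a step to delete it or note that it should stay out of version control. As a style point, the three trailing blank added lines before "The image runs as `node`" can be reduced to one.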