diff --git a/systems/ful/openclaw.nix b/systems/ful/openclaw.nix
index 8757f4e..af92de4 100644
--- a/systems/ful/openclaw.nix
+++ b/systems/ful/openclaw.nix
@@ -43,11 +43,11 @@
 ProtectClock = true;
 ProtectControlGroups = true;
 ProtectHostname = true;
- ProtectProc = "invisible";
 ProcSubset = "pid";
 RemoveIPC = true;
+ AmbientCapabilities = ["CAP_NET_RAW"]; # access chromium websockets
 RestrictSUIDSGID = true;
- RestrictNamespaces = true;
+ RestrictNamespaces = false; # might be used by websocket library
 RestrictRealtime = true;
 LockPersonality = true;
 UMask = "0077";
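Review bot: The added `AmbientCapabilities = ["CAP_NET_RAW"];` does not match its comment: WebSocket traffic runs over ordinary TCP sockets, whereas CAP_NET_RAW grants raw and packet sockets, so the unit gains the ability to capture and forge traffic on the host for a need the comment does not establish. I would drop the line unless a raw-socket requirement has been confirmed, and look for the real cause of the failure in the sandboxing options that are not visible in this hunk. `RestrictNamespaces = false;` is likewise justified only by "might be used"; if it is Chromium's own sandbox that needs namespaces, allow just those types, e.g. `RestrictNamespaces = "user pid net";` (presumably the set Chromium uses, to be verified), rather than lifting the restriction entirely. The removal of `ProtectProc = "invisible";` has no explanation at all, so either restore it or add a comment stating what broke with it enabled. The enclosing attribute set starts and ends outside the hunk.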