A self-hosted agent runtime with real-world capabilities
OpenClaw is not a chatbot. It is a self-hosted agent runtime and message router — a long-running Node.js service that connects AI models to your messaging platforms, local files, shell, browser, and dozens of third-party services. Unlike ChatGPT or Claude’s web UI, OpenClaw doesn’t just answer questions. It acts: running shell commands, controlling browsers, reading and writing files, managing calendars, and sending emails — all triggered by a text message from your phone.
Created by Peter Steinberger (PSPDFKit founder) in November 2025 under the name “Clawdbot,” the project was renamed to “Moltbot” after Anthropic trademark complaints, and finally to “OpenClaw” on January 30, 2026. It is one of the fastest-growing open-source projects in GitHub history.
Supported AI Providers
Anthropic, OpenAI, OpenRouter, Google Gemini, xAI, Groq, Mistral, Cerebras, Amazon Bedrock, Ollama (local), and 15+ more. Model failover cascades automatically through your configured fallback chain with cooldowns at 1 min, 5 min, and 1 hour.
What It Costs
The software is free and MIT-licensed. Your cost is AI API usage:
Dedicated hardware. No exceptions.
The OpenClaw community and security researchers universally agree: never run OpenClaw on your primary computer or work machine. Use a dedicated VPS, VM, or spare hardware. As one of OpenClaw’s own maintainers warned: “If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.”
Hosting Options
Resource Tiers
- 2 GB RAM, 10 GB disk
- 4 GB RAM, 40 GB SSD
- 8–16 GB RAM, 60+ GB SSD
- 16–24 GB RAM, GPU optional
Ubuntu 24.04 LTS is the most widely tested OS. macOS is “perhaps the best choice” for local installs and the only option for iMessage integration. WSL2 is strongly recommended over native Windows.
Network Lockdown
Port 18789 must NEVER be exposed to the public internet
SecurityScorecard found 40,214 exposed OpenClaw instances across 82 countries, with 93.4% having authentication bypasses. 63% were exploitable via remote code execution. The Gateway binds to 127.0.0.1 by default — verify this stays that way.
$ sudo ufw default allow outgoing
$ sudo ufw allow 22/tcp
$ sudo ufw limit 22/tcp # rate-limit SSH brute force
# NEVER expose port 18789 publicly
$ sudo ufw enable
For remote access, the officially recommended approach is Tailscale Serve — zero public ports, encrypted mesh networking, and identity-based access. SSH should be hardened with ed25519 keys, password auth disabled, root login disabled, and fail2ban enabled. Full disk encryption (LUKS) is explicitly recommended in the official security docs.
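To verify at runtime that the Gateway is still bound to loopback, as the warning above asks, the listening sockets can be checked directly. The following is an added example, not part of OpenClaw: it parses the text output of `ss -ltnH`, and the function names and sample lines are constructed for illustration.

```javascript
// Added example, not OpenClaw code. Input is the text printed by `ss -ltnH`
// (listening TCP sockets, numeric, no header). Sample lines are constructed.
const GATEWAY_PORT = 18789;

function isLoopback(host) {
  // Drop an interface suffix such as "%lo", then IPv6 brackets.
  const h = host.replace(/%.*$/, "").replace(/^\[|\]$/g, "");
  return h === "::1" || h.startsWith("127.") || h.startsWith("::ffff:127.");
}

// Returns every local address where the Gateway port listens on a
// non-loopback address (wildcards such as 0.0.0.0, [::] and * included).
function nonLoopbackGatewayListeners(ssOutput, port = GATEWAY_PORT) {
  const flagged = [];
  for (const line of ssOutput.split("\n")) {
    const fields = line.trim().split(/\s+/);
    if (fields[0] !== "LISTEN" || fields.length < 5) continue;
    const local = fields[3]; // "Local Address:Port" column
    const sep = local.lastIndexOf(":");
    if (sep < 0 || Number(local.slice(sep + 1)) !== port) continue;
    if (!isLoopback(local.slice(0, sep))) flagged.push(local);
  }
  return flagged;
}

const SAMPLE_LOOPBACK_ONLY = [
  "LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*",
  "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
  "LISTEN 0 511 [::1]:18789 [::]:*",
].join("\n");

const SAMPLE_MISBOUND = [
  "LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*",
  "LISTEN 0 511 [::]:18789 [::]:*",
  "LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*",
  "LISTEN 0 511 *:18789 *:*",
].join("\n");

console.log("loopback-only host:", nonLoopbackGatewayListeners(SAMPLE_LOOPBACK_ONLY));
console.log("misbound host:", nonLoopbackGatewayListeners(SAMPLE_MISBOUND));
```

A non-empty result means the port is bound beyond loopback; whether it is reachable from outside then depends only on the firewall.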
Attack surface: enormous. Stakes: everything.
OpenClaw has shell access, browser control, file system access, email sending capabilities, and connects to your most sensitive accounts — on a loop, without asking. Cisco, Kaspersky, Bitdefender, Palo Alto Networks, and multiple independent researchers have published detailed security analyses. Treat your deployment as production infrastructure.
CVE-2026-25253: One-Click Remote Code Execution
The Control UI trusted gatewayUrl from URL query strings without validation. Clicking a crafted link triggered cross-site WebSocket hijacking, extracting the gateway token in milliseconds, leading to full host compromise — including the ability to disable sandboxing and execute arbitrary commands. Patched January 30, 2026. Update to v2026.1.29+ and rotate all credentials.
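The class of bug described above, shown next to a hardened form. This is an added illustration and not OpenClaw's code or its actual patch: only the `gatewayUrl` parameter name comes from the page, while the function names, the default URL and the acceptance rules are assumptions.

```javascript
// Added illustration, not OpenClaw source. Only the `gatewayUrl` parameter name
// comes from the page; every other name and the default URL are assumptions.
const DEFAULT_GATEWAY = "ws://127.0.0.1:18789";
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);

// The pattern described above: the query parameter is used as-is.
function gatewayFromQueryUnchecked(pageHref) {
  return new URL(pageHref).searchParams.get("gatewayUrl") || DEFAULT_GATEWAY;
}

// Hardened form: the parameter is accepted only if it parses, uses a WebSocket
// scheme, embeds no credentials, and targets loopback or the page's own host.
function gatewayFromQueryChecked(pageHref) {
  const page = new URL(pageHref);
  const raw = page.searchParams.get("gatewayUrl");
  const fallback = (reason) => ({ url: DEFAULT_GATEWAY, rejected: reason });
  if (!raw) return fallback(null);

  let candidate;
  try {
    candidate = new URL(raw);
  } catch {
    return fallback("unparseable");
  }
  if (candidate.protocol !== "ws:" && candidate.protocol !== "wss:") {
    return fallback("scheme");
  }
  if (candidate.username || candidate.password) return fallback("credentials");
  if (candidate.host !== page.host && !LOOPBACK_HOSTS.has(candidate.hostname)) {
    return fallback("foreign-host");
  }
  return { url: `${candidate.protocol}//${candidate.host}`, rejected: null };
}
```

Client-side validation covers only the URL handling; against cross-site WebSocket hijacking the server also has to check the `Origin` header on the WebSocket upgrade and reject origins it does not expect.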
ClawHub: The Malicious Skills Problem
This is arguably the most pressing ongoing threat. Multiple security firms have documented widespread malware in the community skill marketplace:
Cisco scanned 31,000 skills and found 26% contained at least one vulnerability, including command injection, data exfiltration, and prompt injection. The #1-ranked skill (“What Would Elon Do?”) was “functionally malware” performing silent data exfiltration. Koi Security found 341 malicious skills deploying the Atomic macOS Stealer, keyloggers, and backdoors via a campaign called “ClawHavoc.”
The Security Hardening Checklist
- Update to v2026.1.29+ to patch CVE-2026-25253. Rotate all credentials if any prior version was exposed.
- Never expose port 18789 to the public internet. Bind Gateway to loopback only.
- Review all third-party skills before installing. Use Cisco’s AI Skill Scanner for automated analysis.
- Enable Docker sandboxing with mode: "non-main", network: none, readOnlyRoot, and capDrop ALL.
- Set session scope to per-channel-peer to prevent cross-user context leaks.
- Use Tailscale Serve for remote access. Zero public ports, encrypted mesh.
- Restrict tool profiles — use "coding" or "minimal" rather than "full". Deny the gateway tool.
- Use credential brokering (LiteLLM proxy) so the agent never sees actual API keys.
- Enable full disk encryption (LUKS/provider-level) and disable mDNS broadcasting.
- Run openclaw security audit --deep --fix after every configuration change.
- Consider Podman over Docker — a container escape lands as unprivileged rather than root.
Prompt Injection: The Unsolved Problem
No model is immune
Even OpenClaw’s maintainers acknowledge prompt injection is an industry-wide unsolved problem. Zenity researchers turned OpenClaw into a persistent backdoor by modifying SOUL.md through injected prompts. Kaspersky demonstrated private key extraction via email containing prompt injection. Palo Alto Networks describes the “lethal trifecta”: access to private data + exposure to untrusted content + external communication + persistent memory = delayed multi-turn attack chains.
Mitigation: Use the strongest available models (Anthropic’s Opus series provides the best prompt injection resistance). Enable sandboxing. Use per-channel-peer session scope. But understand: no model is immune.
From zero to production-hardened in one config file
Installation is a one-liner. Getting the configuration right is where the real work lives. All configuration lives in ~/.openclaw/openclaw.json (JSON5 format — comments and trailing commas allowed). The schema is strictly validated: unknown keys or invalid types prevent Gateway boot.
Installation
$ curl -fsSL https://openclaw.ai/install.sh | bash
# npm global install
$ npm install -g openclaw@latest
$ openclaw onboard --install-daemon
# Docker
$ git clone https://github.com/openclaw/openclaw.git
$ cd openclaw && ./docker-setup.sh
# From source (development)
$ git clone https://github.com/openclaw/openclaw.git
$ cd openclaw && pnpm install && pnpm ui:build && pnpm build
$ pnpm link --global && openclaw onboard --install-daemon
The onboarding wizard guides you through model/auth setup, workspace creation, channel configuration, skill selection, and daemon installation. It installs the Gateway as a launchd service (macOS), systemd user service (Linux), or scheduled task (Windows).
Production-Ready Baseline
The non-negotiable defaults
The config below represents the community consensus for a security-hardened starting point. bind: "loopback" keeps the Gateway off the public internet. dmScope: "per-channel-peer" prevents cross-user leaks. Docker sandboxing runs all non-main sessions in isolated containers with no network, no filesystem access, and dropped capabilities.
{
  gateway: {
    port: 18789,
    bind: "loopback", // NEVER "0.0.0.0"
    auth: { token: "${OPENCLAW_GATEWAY_TOKEN}" },
  },
  agents: { defaults: {
    model: { primary: "anthropic/claude-sonnet-4-5" },
    sandbox: {
      mode: "non-main",
      docker: { network: "none", readOnlyRoot: true, capDrop: ["ALL"] },
    },
  }},
  session: { dmScope: "per-channel-peer" },
  tools: { profile: "coding", deny: ["gateway"] },
}
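The baseline above and the hardening checklist can be turned into a drift check that runs after each config change. This is an added example and not OpenClaw's own `security audit`: `auditConfig` is a hypothetical helper that takes an already-parsed config object (reading the JSON5 file is assumed to happen elsewhere), and the weak config is constructed for contrast.

```javascript
// Added example: compares a parsed openclaw.json object with the baseline above.
// This is not OpenClaw's own `security audit`; auditConfig is a hypothetical helper.
function auditConfig(cfg) {
  const findings = [];
  const get = (path) =>
    path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), cfg);
  const expect = (path, ok, advice) => {
    const value = get(path);
    if (!ok(value)) findings.push({ path, value, advice });
  };
  const has = (item) => (v) => Array.isArray(v) && v.includes(item);
  const sandbox = "agents.defaults.sandbox";

  expect("gateway.bind", (v) => v === "loopback", 'bind to "loopback"');
  expect("gateway.auth.token", (v) => typeof v === "string" && v !== "", "set a token");
  expect(`${sandbox}.mode`, (v) => v === "non-main", 'use mode "non-main"');
  expect(`${sandbox}.docker.network`, (v) => v === "none", 'use network "none"');
  expect(`${sandbox}.docker.readOnlyRoot`, (v) => v === true, "enable readOnlyRoot");
  expect(`${sandbox}.docker.capDrop`, has("ALL"), 'drop "ALL" capabilities');
  expect("session.dmScope", (v) => v === "per-channel-peer", "isolate DM sessions");
  expect("tools.profile", (v) => v === "coding" || v === "minimal", 'avoid "full"');
  expect("tools.deny", has("gateway"), 'deny the "gateway" tool');
  return findings;
}

// The page's baseline; its JSON5 is also a valid JavaScript object literal.
const BASELINE = {
  gateway: { port: 18789, bind: "loopback", auth: { token: "${OPENCLAW_GATEWAY_TOKEN}" } },
  agents: { defaults: {
    model: { primary: "anthropic/claude-sonnet-4-5" },
    sandbox: { mode: "non-main", docker: { network: "none", readOnlyRoot: true, capDrop: ["ALL"] } },
  }},
  session: { dmScope: "per-channel-peer" },
  tools: { profile: "coding", deny: ["gateway"] },
};

// Constructed weak config for contrast (values chosen for the example).
const WEAK = {
  gateway: { port: 18789, bind: "0.0.0.0" },
  agents: { defaults: { sandbox: { mode: "non-main", docker: { network: "bridge", capDrop: [] } } } },
  tools: { profile: "full" },
};

console.log(auditConfig(WEAK).map((f) => `${f.path}: ${f.advice}`).join("\n"));
```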
Key Configuration Patterns
Model failover
Configure fallback chains so your agent never goes dark. Resolution: primary → auth profile rotation → fallback cascade → error. Cooldowns: 1 min → 5 min → 1 hour.
Multi-agent routing
Isolate workspaces per use case. Bind agents to channels: “home” agent on WhatsApp for personal, “work” agent on Slack for business. Each gets its own workspace, model, and session scope.
Config hot reload
Most changes apply without restart (channels, agents, models, hooks, cron, tools, skills). Only gateway.* settings (port, bind, auth, TLS) and plugins require a Gateway restart. The Gateway drains active turns before restart to prevent message loss.
Six traps the docs won’t save you from
Every tool has its gotchas. OpenClaw has more than most, because its power surface is enormous and its user base ranges from seasoned sysadmins to people who learned what a terminal is last week. These are the issues that generate the most confused Discord messages.
Upgrading from Clawdbot/Moltbot? The .clawdbot directory migrates to .openclaw automatically, but dual services can remain running, causing port 18789 conflicts.
Fix: systemctl --user stop clawdbot-gateway.service && systemctl --user disable clawdbot-gateway.service
Git checks out shell scripts with CRLF instead of LF, causing container startup failures with exit code 126. OpenClaw strongly recommends WSL2 on Windows.
Fix: git config --global core.autocrlf input
A critical bug (fixed in #14919) caused missing Control UI dashboard assets when installed via symlink-based Node managers (nvm, fnm, Homebrew Node). Update to latest.
Fix: npm install -g openclaw@latest
If a CLI tool is installed on your system (e.g. gh for GitHub), the associated bundled skill activates automatically, giving the agent capabilities you didn’t intend.
Fix: Use skills.allowBundled as a whitelist to control exactly which skills are active.
Long conversations fill the context window, triggering context_length_exceeded errors. This is the #1 source of confusion for new users.
Fix: /compact to summarize, /new for fresh session, /status to monitor usage
Each cron execution and heartbeat tick consumes tokens. A 30-minute heartbeat at $0.01–0.05/turn adds up fast. Set HEARTBEAT.md to empty lines to skip idle checks. Use cheaper models for background tasks.
Fix: --model "anthropic/claude-haiku-3-5" for cron jobs, consolidate related checks
Automation, skills, cron, webhooks, and browser control
Once your OpenClaw instance is secured and stable, the real fun begins. The agent runtime supports cron scheduling, webhook-driven workflows, browser automation via Chrome DevTools Protocol, custom skill authoring, plugin development, and even asking the agent to build its own skills. Here are the patterns that matter.
Essential CLI Commands
$ openclaw status --all --deep
$ openclaw doctor --deep --yes
$ openclaw security audit --deep --fix
$ openclaw logs --follow --json
# Agent interaction
$ openclaw agent --message "Deploy to staging" --thinking high
# Multi-instance
$ openclaw --profile work gateway
$ openclaw --dev gateway # port 19001, separate state
Custom Skills
Skills are Markdown instruction files. Create ~/.openclaw/workspace/skills/my-skill/SKILL.md with YAML frontmatter (name, description, required binaries, environment variables) and instruction sections. The agent reads the Markdown and follows the directions using available tools. You can also ask OpenClaw to build skills for itself: “Create a skill that monitors my Hetzner server uptime and alerts me on Telegram if it goes down.”
Cron Recipes
$ openclaw cron add --name "Morning Briefing" --cron "0 8 * * *" \
--tz "America/New_York" --session isolated \
--message "Summarize inbox + calendar + weather." \
--announce --channel telegram
# Weekly deep review with powerful model
$ openclaw cron add --name "Weekly Review" --cron "0 6 * * 1" \
--model "opus" --thinking high \
--message "Deep analysis of project progress."
HEARTBEAT.md for Proactive Behavior
The agent’s standing orders
HEARTBEAT.md is a checklist the agent evaluates on every heartbeat tick. Structure it by time-of-day: “Always Check” items (calendar reminders, urgent emails), “Business Hours” items (PR reviews, error monitoring), and “Nighttime” (respond HEARTBEAT_OK unless urgent). Empty lines = skip the heartbeat entirely to save tokens.
Browser Automation
OpenClaw launches a managed headless Chrome instance and assigns numeric reference IDs to interactive elements — the AI uses these directly instead of fragile CSS selectors:
$ openclaw browser open https://example.com
$ openclaw browser snapshot # AI-readable element refs
$ openclaw browser click ref=btn_1
$ openclaw browser type ref=input_1 "search query"
$ openclaw browser screenshot
$ openclaw browser pdf
Webhook-Driven Workflows
Configure hook mappings in openclaw.json to route external events to agent actions. GitHub PR notifications, Gmail alerts, deployment status — any HTTP POST triggers the agent with a templated message. Webhooks support preset integrations for Gmail, GitHub, and custom JSON bodies.
The Debugging Sequence
$ openclaw status --all # quick overview
$ openclaw status --deep # deep probe
$ openclaw logs --follow # live logs
$ openclaw channels status --probe # channel health
$ openclaw security audit --deep # security check
Common error codes: 1008 unauthorized = token mismatch. EADDRINUSE = another Gateway is running. context_length_exceeded = use /compact. pairing / pending approval = DM hasn’t been approved.