OpenClaw Setup Guide for Beginners: From Zero to Running in 15 Minutes
What is OpenClaw?
OpenClaw is an open-source platform for running autonomous AI agents. It connects large language models (like Claude, GPT, and Gemini) to real-world tools — email, calendars, code execution, web browsing, and more. Think of it as an operating system for AI agents that can actually do things, not just chat.
Why it matters: OpenClaw agents can manage your inbox, write and deploy code, monitor systems, run businesses, and automate complex workflows. But with great power comes great responsibility — especially around security.
Prerequisites
Before you start, you'll need:
Step 1: Install OpenClaw
# Install via npm (recommended)
npm install -g openclaw
# Verify installation
openclaw --version

Alternatively, you can clone and build from source:
git clone https://github.com/openclaw/openclaw.git
cd openclaw
npm install
npm run build

Step 2: Create Your Configuration
OpenClaw uses a YAML configuration file. Create ~/.openclaw/config.yaml:
# ~/.openclaw/config.yaml
gateway:
  host: 127.0.0.1 # IMPORTANT: Never use 0.0.0.0
  port: 3000
  auth:
    allowedKeys:
      - "generate-a-strong-random-token-here"
model:
  provider: anthropic # or openai, google
  apiKey: "your-api-key-here"
  model: claude-sonnet-4-20250514
exec:
  security: allowlist
  allowedCommands:
    - git
    - npm
    - node
    - python
    - ls
    - cat
    - mkdir

Critical Security Notes for New Users
0.0.0.0 exposes your agent to the entire internet. Over 135,000 OpenClaw instances are currently exposed this way.
allowedKeys, anyone who can reach your gateway has full control of your agent.
full setting lets your agent run ANY shell command. Start with a restricted allowlist and add commands as needed.
Step 3: Start the Gateway
openclaw gateway start

You should see:
✓ Gateway started on 127.0.0.1:3000
✓ Authentication enabled
✓ Exec security: allowlist

Step 4: Connect a Channel
OpenClaw agents communicate through channels — Discord, Telegram, Slack, or the web UI.
Easiest start: Web UI
Open your browser to http://localhost:3000 (if you enabled the web interface) or connect via the CLI:
openclaw chat

For Discord:
# Add to your config.yaml
channels:
  discord:
    token: "your-discord-bot-token"
    allowedGuilds:
      - "your-guild-id"

Step 5: Install Your First Skill
Skills extend what your agent can do. Be careful — not all skills on ClawHub are safe.
# Install a skill from a trusted source
openclaw skill install <skill-name>
# List installed skills
openclaw skill list

Safety tips for skills:
Step 6: Run a Security Audit
Before you start using your agent for anything important, verify your security configuration:
Common Beginner Mistakes
Mistake 1: Using `0.0.0.0` as gateway host
Why it's dangerous: Exposes your agent to the internet. Scanners find new instances within hours.
Fix: Always use 127.0.0.1.
Mistake 2: No authentication
Why it's dangerous: Anyone who discovers your gateway has full control — they can read your conversations, execute commands, and steal credentials.
Fix: Set strong allowedKeys in your config.
Mistake 3: `exec: full` permissions
Why it's dangerous: A single prompt injection attack can execute arbitrary code on your machine.
Fix: Use exec: allowlist with specific commands.
Mistake 4: Installing unvetted skills
Why it's dangerous: Malicious skills can exfiltrate data, install backdoors, or hijack your agent.
Fix: Audit every skill before installing. Use security scanning tools.
Mistake 5: Storing API keys in config files committed to git
Why it's dangerous: Your credentials end up on GitHub for anyone to find.
Fix: Use environment variables or a .env file (and add it to .gitignore).
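Mistakes 1 to 3 can be checked mechanically before the gateway is started. The following is an added example, not part of OpenClaw or of this guide's tooling: it audits an already-parsed config (a dict, for instance from a YAML loader) for a non-loopback host, missing or placeholder allowedKeys, and a non-allowlist exec mode. Assumptions: the key nesting follows the Step 2 layout, auth may sit under gateway or at top level, and the 32-character minimum and placeholder hints are illustrative.

```python
import ipaddress

# Constructed hints for template values such as the one shown in Step 2.
PLACEHOLDER_HINTS = ("generate-a-strong", "your-", "changeme")
MIN_KEY_LEN = 32  # assumption: minimum acceptable token length

def is_loopback(host):
    """True only if the gateway would bind to the local machine."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty or unresolved name: treat as exposed

def audit(cfg):
    """Return findings for a parsed config.yaml passed in as a dict."""
    findings = []
    gateway = cfg.get("gateway") or {}
    host = str(gateway.get("host", ""))
    if not is_loopback(host):
        findings.append(f"gateway.host={host!r} is not loopback; use 127.0.0.1")
    # Assumption: auth may be nested under gateway or sit at top level.
    auth = gateway.get("auth") or cfg.get("auth") or {}
    keys = [str(k) for k in auth.get("allowedKeys") or []]
    if not keys:
        findings.append("allowedKeys is empty; the gateway is unauthenticated")
    elif any(len(k) < MIN_KEY_LEN or any(h in k.lower() for h in PLACEHOLDER_HINTS)
             for k in keys):
        findings.append("allowedKeys holds a short or placeholder token")
    # Accept both 'exec: full' and 'exec: {security: full}' spellings.
    exec_cfg = cfg.get("exec")
    mode = exec_cfg.get("security") if isinstance(exec_cfg, dict) else exec_cfg
    if mode != "allowlist":
        findings.append(f"exec security is {mode!r}; use allowlist")
    return findings

# Constructed sample configs (as dicts, e.g. from a YAML loader).
WEAK = {"gateway": {"host": "0.0.0.0", "port": 3000}, "exec": "full"}
TEMPLATE = {"gateway": {"host": "127.0.0.1",
                        "auth": {"allowedKeys": ["generate-a-strong-random-token-here"]}},
            "exec": {"security": "allowlist", "allowedCommands": ["git", "ls"]}}
HARDENED = {"gateway": {"host": "127.0.0.1",
                        "auth": {"allowedKeys": ["9f2c" * 16]}},
            "exec": {"security": "allowlist", "allowedCommands": ["git", "ls"]}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("template", TEMPLATE), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

The template case shows why copying the Step 2 file unchanged still fails the check: the token is present but is the published placeholder.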
What's Next?
Once you're set up:
*Need help? Use the interactive setup wizard for a guided experience. Built by Milo — security tools for the OpenClaw ecosystem.*