
OpenClaw Setup Guide for Beginners: From Zero to Running in 15 Minutes

Milo · 10 min read

What is OpenClaw?

OpenClaw is an open-source platform for running autonomous AI agents. It connects large language models (like Claude, GPT, and Gemini) to real-world tools — email, calendars, code execution, web browsing, and more. Think of it as an operating system for AI agents that can actually do things, not just chat.

Why it matters: OpenClaw agents can manage your inbox, write and deploy code, monitor systems, run businesses, and automate complex workflows. But with great power comes great responsibility — especially around security.

Prerequisites

Before you start, you'll need:

  • A computer running Linux, macOS, or Windows (WSL recommended for Windows)
  • Node.js 18+ installed
  • A terminal/command line
  • An API key from an LLM provider (Anthropic, OpenAI, or Google)

Step 1: Install OpenClaw

    # Install via npm (recommended)
    npm install -g openclaw
    
    # Verify installation
    openclaw --version

Alternatively, you can clone and build from source:

    git clone https://github.com/openclaw/openclaw.git
    cd openclaw
    npm install
    npm run build

Step 2: Create Your Configuration

OpenClaw uses a YAML configuration file. Create ~/.openclaw/config.yaml:

    # ~/.openclaw/config.yaml
    gateway:
      host: 127.0.0.1  # IMPORTANT: Never use 0.0.0.0
      port: 3000
      auth:
        allowedKeys:
          - "generate-a-strong-random-token-here"
    
    model:
      provider: anthropic  # or openai, google
      apiKey: "your-api-key-here"
      model: claude-sonnet-4-20250514
    
    exec:
      security: allowlist
      allowedCommands:
        - git
        - npm
        - node
        - python
        - ls
        - cat
        - mkdir

Critical Security Notes for New Users

  • Gateway host must be `127.0.0.1` — Setting it to 0.0.0.0 exposes your agent to the entire internet. Over 135,000 OpenClaw instances are currently exposed this way.
  • Always set authentication — Without allowedKeys, anyone who can reach your gateway has full control of your agent.
  • Use `allowlist` for exec — The full setting lets your agent run ANY shell command. Start with a restricted allowlist and add commands as needed.

Step 3: Start the Gateway

    openclaw gateway start

You should see:

    ✓ Gateway started on 127.0.0.1:3000
    ✓ Authentication enabled
    ✓ Exec security: allowlist

Step 4: Connect a Channel

OpenClaw agents communicate through channels — Discord, Telegram, Slack, or the web UI.

Easiest start: Web UI

Open your browser to http://localhost:3000 (if you enabled the web interface) or connect via the CLI:

    openclaw chat

For Discord:

    # Add to your config.yaml
    channels:
      discord:
        token: "your-discord-bot-token"
        allowedGuilds:
          - "your-guild-id"

Step 5: Install Your First Skill

Skills extend what your agent can do. Be careful — not all skills on ClawHub are safe.

    # Install a skill from a trusted source
    openclaw skill install <skill-name>
    
    # List installed skills
    openclaw skill list

Safety tips for skills:

  • Only install skills from verified creators
  • Read the skill's source code before installing
  • 36% of ClawHub skills contain prompt injection vectors
  • Consider using Milo Shield to scan skills for malware

Step 6: Run a Security Audit

Before you start using your agent for anything important, verify your security configuration:

  • Free quick check: Use the online security scanner at getmilo.dev — paste your config and get an instant A-F score
  • Interactive setup: Follow the step-by-step setup wizard which walks you through every setting
  • Deep scan: Install Milo Shield for comprehensive automated security auditing

Common Beginner Mistakes

Mistake 1: Using `0.0.0.0` as gateway host

Why it's dangerous: Exposes your agent to the internet. Scanners find new instances within hours.

Fix: Always use 127.0.0.1.

Mistake 2: No authentication

Why it's dangerous: Anyone who discovers your gateway has full control — they can read your conversations, execute commands, and steal credentials.

Fix: Set strong allowedKeys under gateway.auth in your config.

Mistake 3: `exec: full` permissions

Why it's dangerous: A single prompt injection attack can execute arbitrary code on your machine.

Fix: Set exec.security to allowlist and list specific commands under allowedCommands.

Mistake 4: Installing unvetted skills

Why it's dangerous: Malicious skills can exfiltrate data, install backdoors, or hijack your agent.

Fix: Audit every skill before installing. Use security scanning tools.

Mistake 5: Storing API keys in config files committed to git

Why it's dangerous: Your credentials end up on GitHub for anyone to find.

Fix: Use environment variables or a .env file (and add it to .gitignore).
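
The three settings behind mistakes 1 to 3 (and the critical security notes above) can be checked mechanically before the gateway starts. The following is an added example, not part of OpenClaw or Milo's tools: it reads only the YAML subset shown in this guide, and the function names and the 32-character minimum token length are assumptions of the example.

```javascript
const crypto = require("crypto");
// Flatten the YAML subset used in this guide (nested maps, scalar lists,
// '#' comments) into "dotted.path" -> [values]. Not a general YAML parser.
function flatten(yamlText) {
  const out = new Map();
  const stack = []; // open parent keys: { indent, key }
  const unquote = (s) => s.trim().replace(/^["']|["']$/g, "");
  for (const raw of yamlText.split("\n")) {
    const line = raw.replace(/(^|\s)#.*$/, "");
    if (!line.trim()) continue;
    const indent = line.search(/\S/);
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    const parent = stack.map((s) => s.key).join(".");
    const body = line.trim();
    const m = body.match(/^([^:]+):\s*(.*)$/);
    if (body.startsWith("- ")) out.get(parent)?.push(unquote(body.slice(2)));
    else if (m) {
      const path = parent ? `${parent}.${m[1]}` : m[1];
      out.set(path, m[2] ? [unquote(m[2])] : []);
      if (!m[2]) stack.push({ indent, key: m[1] });
    }
  }
  return out;
}

const LOOPBACK = new Set(["127.0.0.1", "localhost", "::1"]);
const PLACEHOLDER = "generate-a-strong-random-token-here";
// One finding per unsafe setting named in the guide's critical notes.
function auditConfig(yamlText) {
  const cfg = flatten(yamlText);
  const findings = [];
  const host = (cfg.get("gateway.host") || [])[0];
  if (!LOOPBACK.has(host))
    findings.push({ id: "host", msg: `gateway.host is ${host}, not loopback` });
  const keys = cfg.get("gateway.auth.allowedKeys") || [];
  // The 32-character minimum is this example's assumption, not an OpenClaw rule.
  if (!keys.length || keys.some((k) => k === PLACEHOLDER || k.length < 32))
    findings.push({ id: "auth", msg: "allowedKeys missing, placeholder or short" });
  const mode = (cfg.get("exec.security") || [])[0];
  if (mode !== "allowlist")
    findings.push({ id: "exec", msg: `exec.security is ${mode}, not allowlist` });
  return findings;
}
// 256-bit random value to use in place of the placeholder token.
const newToken = () => crypto.randomBytes(32).toString("hex");

// Constructed sample input showing mistakes 1 to 3.
const WEAK = "gateway:\n  host: 0.0.0.0\n  port: 3000\nexec:\n  security: full\n";
console.log(auditConfig(WEAK).map((f) => f.msg));
```

An empty findings list means the host, authentication and exec settings match the values this guide recommends; it says nothing about installed skills or where the API key is stored.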

What's Next?

Once you're set up:

  • Explore skills — carefully vet and install useful skills
  • Configure channels — connect Discord, Telegram, or other platforms
  • Set up monitoring — know what your agent is doing
  • Read the full security guide: OpenClaw Security Guide 2026
  • Get the Survival Guide: 40+ page comprehensive reference

Need help? Use the interactive setup wizard for a guided experience. Built by Milo — security tools for the OpenClaw ecosystem.