How to Install and Configure OpenClaw on Your Device

Installing OpenClaw is not like installing a typical app. You’re giving a piece of software deep access to your computer’s file system, browser and network stack. Careful preparation and configuration are critical to avoid turning a useful assistant into a security liability. This guide walks you through everything from hardware requirements and installation methods to hardening your gateway and testing your first commands.

Preparing Your Environment for OpenClaw Installation

Before you run any scripts, decide where your agent will live and make sure the host is ready. OpenClaw can run on macOS, Windows or Linux, but it’s safest to use a dedicated machine or virtual machine rather than your primary laptop. Security researchers advise binding the agent’s gateway to localhost and never exposing the default port (18789) to the internet. Using SSH tunnelling to reach the gateway gives you secure remote access without opening the port to everyone. Create a separate user account with minimal privileges; running the agent as root or an administrator is unnecessary and increases risk. You’ll also need a recent Node runtime (version 22 or higher) to run the control scripts, and Docker if you plan to containerize the service.

It’s helpful to decide whether you will connect to cloud‑hosted language models via API or run a model locally. Connecting to a remote model keeps the agent lightweight, but your data will leave your machine; running a model on your own hardware requires more RAM and disk space but keeps everything on‑site. Consider starting with a cloud model and migrating to a local model once you’ve confirmed that the agent meets your needs.

How to Install OpenClaw

1. Download the OpenClaw Framework

The official installation script works on macOS, Linux and Windows. On Unix‑like systems you can pipe the script directly to your shell:

</> Bash

curl -fsSL https://openclaw.ai/install.sh | bash


On Windows, you can run the PowerShell equivalent:

</> PowerShell

iwr -useb https://openclaw.ai/install.ps1 | iex

These commands download the CLI and set up the necessary directories. If you prefer not to run remote scripts, clone the repository manually and run the installer from the cloned directory. Avoid unofficial mirrors to reduce the risk of tampering.

2. Run the OpenClaw Onboarding Wizard

After installation, execute the onboarding wizard to generate configuration files, create an authentication token and register the gateway as a system service:

</> Bash

openclaw onboard --install-daemon

The wizard walks you through choosing a bind mode (always select “localhost” for initial testing), setting a strong gateway password and connecting to your preferred language model. It also offers to connect messaging channels. You can skip channel setup for now and use the built‑in dashboard for your first chats.

3. Configure OpenClaw Environment Variables

OpenClaw relies on environment variables to find configuration files, state directories and API keys. The system looks for values in this order: the current process environment, a .env file in the working directory, the global .env file in ~/.openclaw, and the env block inside openclaw.json. Use environment variables or a secret manager to store sensitive keys—never hard‑code tokens in your configuration. You can override default paths by setting variables such as OPENCLAW_HOME (home directory), OPENCLAW_STATE_DIR (state directory) and OPENCLAW_CONFIG_PATH (config file path). Logging behaviour can be tuned by setting OPENCLAW_LOG_LEVEL to debug or trace.
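The lookup order above can be checked with a short script. This is an added example, not part of OpenClaw: it assumes the first source that defines a name wins, EXAMPLE_API_KEY is a hypothetical variable name, and ~/.openclaw/openclaw.json as the default config location is an assumption.

```shell
# Added example: report which source supplies a variable, following the lookup
# order described in this guide, and flag secrets that live in openclaw.json.
has_key() {   # has_key FILE NAME -> 0 if FILE contains a NAME=... line
    [ -f "$1" ] && grep -Eq "^[[:space:]]*(export[[:space:]]+)?$2=" "$1"
}

env_source() {   # env_source NAME WORKDIR GLOBAL_DIR CONFIG_JSON
    name=$1; workdir=$2; global_dir=$3; config=$4
    if printenv "$name" >/dev/null 2>&1; then
        echo "process"
    elif has_key "$workdir/.env" "$name"; then
        echo "workdir-env"
    elif has_key "$global_dir/.env" "$name"; then
        echo "global-env"
    elif [ -f "$config" ] && grep -q "\"$name\"[[:space:]]*:" "$config"; then
        echo "config-json"    # coarse text match, not a JSON parser
    else
        echo "unset"
    fi
}

audit_secret() {   # same arguments; returns 1 if NAME comes from openclaw.json
    src=$(env_source "$@")
    echo "$1: $src"
    [ "$src" != "config-json" ]
}

env_file_private() {   # 0 if FILE exists and group/others cannot read it
    [ -f "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# EXAMPLE_API_KEY is a hypothetical name; the config default is an assumption.
audit_secret EXAMPLE_API_KEY "$PWD" "$HOME/.openclaw" \
    "${OPENCLAW_CONFIG_PATH:-$HOME/.openclaw/openclaw.json}" ||
    echo "move EXAMPLE_API_KEY out of openclaw.json"
```
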

4. Start the OpenClaw Gateway and Dashboard

Once onboarding is complete, check that the gateway service is running and open the dashboard:

</> Bash

openclaw gateway status    # check if the service is running

openclaw dashboard         # open the local control UI

If the control UI loads at http://127.0.0.1:18789/, your gateway is ready. Use the dashboard to send a test message or call openclaw message send from the CLI. Don’t expose this port to the public internet; if you need remote access, use an SSH tunnel (ssh -L 18789:127.0.0.1:18789 user@your‑server).
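To confirm the gateway is reachable only through loopback, inspect the listening sockets on the host. The following is an added example, not part of OpenClaw: it parses the output of ss -ltnH (Linux), and the sample lines in it are constructed.

```shell
# Added example: classify listeners on the gateway port from `ss -ltnH` output.
# Input lines on stdin: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
gateway_bind_check() {   # usage: ss -ltnH | gateway_bind_check 18789
    port=$1; seen=0; exposed=0
    while read -r _state _rq _sq laddr _rest; do
        case $laddr in
            *":$port") ;;          # listener on the gateway port
            *) continue ;;         # some other service, ignore
        esac
        seen=1
        addr=${laddr%:*}           # strip the trailing :port
        case $addr in
            127.*|"[::1]"|::1) ;;  # loopback only, as the guide requires
            *) exposed=1; echo "EXPOSED: gateway listening on $laddr" ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "no listener found on port $port"; return 2
    fi
    [ "$exposed" -eq 0 ] || return 1
    echo "ok: port $port is bound to loopback only"
}

# Constructed sample output (not captured from a real host).
SAMPLE_SAFE='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511 [::]:18789 [::]:*'

printf '%s\n' "$SAMPLE_SAFE" | gateway_bind_check 18789
```

On a live host, run ss -ltnH | gateway_bind_check 18789; a return code of 1 means the port is bound to a non-loopback address and the bind mode should be changed back to localhost.
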

Securing and Hardening Your OpenClaw Deployment

Because OpenClaw runs with wide permissions, protecting the gateway and secrets is vital. Follow these practices to reduce risk:

  • Lock down the gateway: Never expose the gateway port to the internet. Bind it to localhost and reach it through an SSH tunnel. Set a strong gateway password and rotate it regularly.

  • Rotate tokens: The gateway authentication token is effectively your agent’s password. Use a long, random string and store it in your .env file, not in openclaw.json.

  • Containerize for isolation: Running OpenClaw inside Docker isolates its processes from your host OS. When containerizing, allocate sufficient shared memory for headless browsing (e.g., shm_size: 2gb and mount /dev/shm). Without these settings the browser may crash.

  • Clean up stale locks: Chromium may leave a SingletonLock file after an unclean shutdown. If the browser refuses to start, delete stale locks in the entrypoint script (find /data/.openclaw/browser -name SingletonLock -delete).

  • Protect environment variables: In a multi‑agent setup, one agent with shell access could read another agent’s environment variables, exposing API keys and passwords. Limit shell commands, restrict tool permissions and avoid storing secrets in plaintext.

  • Adopt tiered deployment: A practical guide recommends three tiers of hardening: Tier 1 forbids giving the agent sudo access or exposing it without a tunnel; Tier 2 emphasises tool restrictions to prevent agents from reading each other’s .env files; Tier 3 treats the agent as a stranger—never link personal email or calendar.
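The container points above (non-root user, shared memory, stale locks) can be enforced at startup. This entrypoint is an added example, not the project's own script: BROWSER_DIR and MIN_SHM_KB are names chosen here, and the lock path and 2 GB figure come from this guide.

```shell
#!/bin/sh
# Added example entrypoint. Start the container with shm_size: 2gb (Compose)
# or --shm-size=2g (docker run) so the /dev/shm check below passes.
BROWSER_DIR=${BROWSER_DIR:-/data/.openclaw/browser}   # lock path from the guide
MIN_SHM_KB=${MIN_SHM_KB:-2097152}                     # 2 GB expressed in KB

clean_stale_locks() {   # delete Chromium SingletonLock files, print the count
    [ -d "$1" ] || { echo 0; return 0; }
    n=$(find "$1" -name SingletonLock | wc -l)
    find "$1" -name SingletonLock -delete
    echo "$((n))"
}

shm_size_kb() {         # total size of /dev/shm in KB, empty if not mounted
    df -Pk /dev/shm 2>/dev/null | awk 'NR==2 {print $2}'
}

shm_ok() {              # shm_ok SIZE_KB MIN_KB
    [ "$1" -ge "$2" ]
}

preflight() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to start: run as an unprivileged user" >&2
        return 1
    fi
    removed=$(clean_stale_locks "$BROWSER_DIR")
    echo "removed $removed stale SingletonLock file(s)"
    size=$(shm_size_kb)
    shm_ok "${size:-0}" "$MIN_SHM_KB" ||
        echo "warning: /dev/shm is ${size:-0} KB, headless browser may crash" >&2
}

# When used as an ENTRYPOINT, the container command arrives as arguments.
if [ "$#" -gt 0 ]; then
    preflight || exit 1
    exec "$@"
fi
```
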

Testing and Optimizing Your OpenClaw Setup

Once the agent is running, start with low‑impact tasks. Use the dashboard to issue simple commands—opening a web page, setting a reminder or summarizing a text file. Before granting access to sensitive emails or folders, monitor the logs for unexpected behaviour. Gradually connect messaging channels and enable skills, but vet each integration carefully. If you want to run a local language model, configure your model provider in openclaw.json and allocate resources accordingly. Remember that persistent memory files (such as SOUL.md and other markdown files) will store context across sessions; keep them in a secure directory and back them up regularly.

Conclusion

Installing OpenClaw can transform your workflow, but it’s not a casual project. Choose a dedicated environment, install dependencies, run the onboarding wizard and lock down the gateway. Use environment variables to manage secrets and paths, and containerize the service for isolation. Test with simple tasks, monitor logs and scale up gradually. With care, you can enjoy a digital coworker without compromising your security or privacy.


Frequently Asked Questions

Do I need a powerful computer to run OpenClaw?

Not necessarily. The agent itself is lightweight. If you connect to a cloud‑hosted language model, a modest laptop or VPS will suffice. Running a large model locally requires ample RAM and storage and may benefit from a GPU, but you can always start with remote models and migrate later.

Which operating systems are supported?

OpenClaw runs on macOS, Linux and Windows. The installer scripts above cover macOS and Linux; Windows users should run the PowerShell command. On any platform, ensure you have Node 22+ installed.

How can I keep my API keys safe?

Store keys in environment variables or a secret manager rather than hard‑coding them in configuration files. The agent reads environment variables in order of precedence, so placing them in a global .env file under ~/.openclaw or in your service manager’s environment keeps them out of source control.

Can I install OpenClaw inside Docker?

Yes. Containerization isolates the agent from your host system and makes it easier to deploy on servers. When running in Docker, allocate at least 2 GB of shared memory for the headless browser and mount /dev/shm. Include a cleanup step in your entrypoint to remove stale browser locks.

What’s the safest way to access the control UI remotely?

Never expose the gateway directly to the internet. Use an SSH tunnel (ssh -L 18789:127.0.0.1:18789 user@server) to forward the port securely. You can then browse to http://localhost:18789/ on your local machine as if you were on the server.

About the Author

Shawn Kanungo is a globally recognised disruption strategist and keynote speaker who helps organisations adapt to change and leverage disruptive thinking. Named one of the “Best New Speakers” by the National Speakers Bureau, he has spoken at some of the world’s most innovative organisations, including IBM, Walmart and 3M. His expertise in digital disruption strategies helps leaders navigate transformation and build resilience in an increasingly uncertain business environment.
