OpenClaw Quickstart Setup
Production-tested setup flow for OpenClaw/Moltbot. Every step comes from real deployments — not theory.
Prerequisites Check
node --version # Needs 22.16+ (24 recommended)
npm --version
If Node is too old: nvm install 24
Step 1: Install & Initialize
npm i -g openclaw
openclaw init
Step 2: Security Hardening (DO THIS FIRST)
Bind to localhost (prevent public exposure)
// openclaw.json
{
"gateway": {
"bind": "127.0.0.1"
}
}
Why: CVE-2026-25253 ("Clawbleed") exploited default 0.0.0.0 binding. 63% of 42K+ exposed instances had zero auth. This is literally 30 seconds of work.
Enable authentication
{
"gateway": {
"auth": true
}
}
For remote access: Use Tailscale. Never expose directly.
Step 3: Cost-Effective Model Routing
The biggest money-saver. Route simple tasks to cheap models, reserve expensive ones for complex reasoning:
{
"agents": {
"defaults": {
"model": {
"primary": "deepseek/deepseek-chat",
"fallbacks": ["nvidia/nemotron-nano-12b-v2"]
},
"imageModel": {
"primary": "moonshotai/kimi-k2.5"
}
}
}
}
Cost comparison (monthly for moderate use):
- All Claude Opus: ~$420/month
- All GPT-5.4: ~$300/month
- Routed (DeepSeek + Kimi + fallback): ~$15-30/month
- Savings: 70-90%
Task-based routing in prompts
For simple tasks (formatting, lists, translations): use default model
For complex reasoning (debugging, architecture, analysis): use /model command to switch
For vision/image tasks: uses imageModel automatically
Step 4: Channel Connection
Telegram (most popular)
- Message @BotFather on Telegram
/newbot→ get API token- Configure:
{
"channels": {
"telegram": {
"adapter": "telegram",
"token": "YOUR_BOT_TOKEN"
}
}
}
WhatsApp (via WA CLI)
openclaw skills install wacli
Follow WA CLI skill instructions for QR code pairing.
Discord
{
"channels": {
"discord": {
"adapter": "discord",
"token": "YOUR_BOT_TOKEN"
}
}
}
Step 5: Starter Workflows
Daily Brief (cron)
{
"cron": [{
"name": "daily-brief",
"schedule": {"kind": "cron", "expr": "0 8 * * *", "tz": "UTC"},
"sessionTarget": "main",
"payload": {"kind": "systemEvent", "text": "DAILY BRIEF: Check email, calendar, weather. Summarize priorities."}
}]
}
Email Triage (via Maton)
# Install Maton skill for Gmail/Outlook access
openclaw skills install maton
Heartbeat (periodic self-check)
{
"cron": [{
"name": "heartbeat",
"schedule": {"kind": "every", "everyMs": 1800000},
"sessionTarget": "main",
"payload": {"kind": "systemEvent", "text": "HEARTBEAT: Read HEARTBEAT.md. Execute priority tasks."}
}]
}
Step 6: Memory Setup
MEMORY.md (long-term memory)
- Keep under 20K chars (silently truncated above that)
- Distilled wisdom, not raw logs
Daily notes (raw logs)
memory/YYYY-MM-DD.md
Compaction warning
Default compaction mode "safeguard" silently fails above 180K tokens. Enable active memory if you want automatic context pulls.
Common Issues & Fixes
| Issue | Fix |
|---|---|
| SyntaxError on startup | Node.js too old. nvm install 24 |
| Telegram breaks after update | Pin version: npm i -g openclaw@4.15 |
| MEMORY.md content disappears | Keep under 20K chars |
| Gateway binds 0.0.0.0 | Change to 127.0.0.1 immediately |
| API costs too high | Route simple tasks to DeepSeek/Kimi |
| Cron jobs 403 errors | Use sessionTarget "main" with systemEvent, not "isolated" |
| Dreams cron breaks in 4.12 | Disable dreams, use regular cron |
ClawHub Safety
⚠️ 20%+ of ClawHub skills are malicious (per the founder). 1,184+ confirmed malicious skills since January 2026. Snyk found 36% have prompt injection patterns.
Protection:
{
"skills": {
"allowListOnly": true
}
}
Only install skills you've verified. Check publisher GitHub repos. Never paste install commands from SKILL.md without reading them first.
Verification
After setup, confirm everything works:
openclaw gateway status # Should show "running"
openclaw skills list # Should show installed skills
Send a test message through your connected channel. If the agent responds — you're live.