The OpenClaw Guide

What Is OpenClaw?

The Elevator Pitch

OpenClaw is a free, open-source program that turns AI models like Claude, ChatGPT, or open-source alternatives into a personal assistant that can actually do things on your behalf — not just answer questions.

Think of it this way: ChatGPT is like having a very smart friend you can text for advice. OpenClaw is like hiring that smart friend as your full-time personal assistant, giving them the keys to your house, your email password, and your calendar, and saying “handle it.”

It was created by Peter Steinberger and released in early 2026. In just 60 days it became the fastest-growing open-source project in history — faster than Linux, WordPress, or any other community-built software before it. By May 2026 it had passed 340,000 GitHub stars and was being run by hundreds of thousands of people. Governance moved to an independent non-profit foundation in February when Steinberger joined OpenAI; the project itself stays MIT-licensed and provider-neutral.

An analogy: Imagine a universal remote control, but instead of controlling just your TV, it can control your email, calendar, smart lights, music, and dozens of other things. And instead of pressing buttons, you just tell it what you want in plain English.

Imagine This

It’s 6:45 AM. Before your alarm goes off, a text arrives on your phone — from your AI assistant, through the same messaging app you use to text your friends:

“Good morning. Two emails need replies today — one from your kid’s school about the field trip permission slip (deadline Friday), one from the dentist confirming Thursday at 2pm. Your Amazon package arrives today by 8pm. Weather: 64°F and sunny, perfect for that run you’ve been skipping.”

Over breakfast, you text back: “What can I make with the chicken thighs in the fridge? We need something quick tonight.” A few seconds later, three recipes appear, sorted by prep time, with a grocery list for the one ingredient you’re missing.

At lunch, your partner texts the assistant in your family group chat: “What time is soccer practice on Saturday and where?” It checks the shared calendar and responds with the time, address, and a note that it conflicts with the dentist appointment it mentioned earlier.

Driving home, you text: “Turn on the AC, I’ll be there in 20 minutes.” The thermostat drops. After dinner, you walk into the kitchen and say “Hey Q, what’s on the calendar tomorrow?” and a voice reads back your schedule from the speaker on the counter. At bedtime, you say “goodnight” and the lights dim, the porch light turns on, and the thermostat adjusts for sleeping.

None of this required opening an app, visiting a website, or remembering a special command. You just texted. That’s the whole point.

This isn’t science fiction. People are running setups exactly like this right now, on a spare laptop, a Raspberry Pi, or a Mac Mini tucked in a closet. The rest of this guide shows you how.

What Can It Actually Do?

OpenClaw uses a skills system — modular add-ons that teach it how to interact with different services. Here’s what people are actually building:

The key difference from existing AI chatbots: OpenClaw doesn’t just tell you what to do. It does it. When you say “reschedule my 2pm to Thursday,” it actually moves the meeting.

Each use case has different risk levels. We cover the details in Section 4.

How Is It Different from ChatGPT or Claude?

For Claude Code, Cowork, and Channels comparison, see Section 5.

The Honest Truth

OpenClaw is genuinely exciting, but you should go in with open eyes.

Security is on you. 170+ security vulnerabilities have been found and patched in OpenClaw’s first six months — including 13 new CVEs in April 2026 alone (one a CVSS 8.7 privilege escalation). That’s a lot — it means you need to keep it updated and properly configured.

The skills marketplace has a trust problem. The “ClawHavoc” attack planted 1,400+ malicious skills, including one with 340,000+ installs that silently exfiltrated credentials. ClawHub added a verified-publisher program in March, but most skills are still unverified. Be careful what you install.

The AI providers are cracking down. In Feb 2026 Google started permanently banning paid AI Pro/Ultra accounts for routing Gemini through OpenClaw. Anthropic followed, then partially reversed — but starting June 15, programmatic Claude usage through OpenClaw lives on a separate metered credit pool (Pro $20, Max 5x $100, Max 20x $200) that doesn’t roll over and won’t spill into your chat allowance. Translation: if you want OpenClaw on a flat-rate plan, you can’t. See Decision 3.

It can make mistakes with real consequences. An AI agent that takes actions can send an email to the wrong person or turn off your alarm system.

It requires some technical comfort. “If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.”

Your Setup Journey: Five Decisions

Before you install anything, you need to make five choices. Each one shapes what your setup looks like, what it costs, and how safe it is.

Decision 1: OpenClaw or NemoClaw?

OpenClaw is the employee. NemoClaw is the building with locked doors, security cameras, and badge readers.

OpenClaw is the AI agent itself. Default: everything allowed unless you restrict it.

NemoClaw is NVIDIA’s security wrapper. Default: everything blocked unless you allow it.

Decision 2: Where Will It Run?

OpenClaw needs a computer that stays on. The community overwhelmingly favors dedicated local hardware — it keeps your data physically in your house, costs almost nothing to run, and can serve local AI models without paying for a GPU-equipped VPS.

Decision 3: Which AI Brain?

This comes down to one question: how much do you trust cloud AI with your data?

Path A: Cloud models (easiest, best quality)

Path B: Local models (private, free after hardware)

Nothing leaves your machine. Community favorite: Qwen 3.5 27B via Ollama (90% PinchBench). See Qwen Deep Dive.

ollama pull qwen3.5:27b && ollama serve

Path C: Both (the smart move)

Route different tasks to different models. See Model Routing Config.

Decision 4: How Will You Talk to It?

Two options: text (via messaging apps) or voice (via smart speakers). Most people start with text and add voice later.

Option A: Messaging Apps

Option B: Voice (The Alexa Replacement)

If you’d rather talk to OpenClaw than text it, you can — but not through Alexa or Google Home directly. Those devices are locked to their cloud services. Instead, you replace them with hardware that runs Home Assistant’s voice pipeline, with OpenClaw as the brain behind it.

The chain works like this:

Custom wake word → speech-to-text (Whisper, runs locally) → OpenClaw processes your request → text-to-speech (Piper or ElevenLabs) → response plays on the device you spoke to

Everything runs on your network. No cloud. No subscription. No data leaves your house.

Hardware Options

Either device plugs into Home Assistant’s Assist pipeline. The OpenClaw HA integration registers as a native conversation agent, so voice commands flow straight to your OpenClaw instance.

You pick your own wake word — “Hey Q,” “OK Claw,” whatever you want. You can even clone a voice for responses.

Voice vs Alexa: Honest Trade-offs

Decision 5: What Should It Do First?

Setting It Up

You’ve made your decisions. Now let’s build.

How It Works Under the Hood

OpenClaw runs in the background listening for messages and doing tasks. Three parts:

• The Gateway — The front door. Receives messages from Telegram, Signal, etc.
• The AI connection — Forwards messages to an AI to figure out what to do.
• Skills — Apps within OpenClaw. Each one teaches it a new capability.

It also has memory (SOUL.md and MEMORY.md files) so it remembers between conversations.

Installation

Tell us about your setup and we’ll show you exactly the right steps:

Step 1: Prerequisites

Step 2: Open a Terminal

curl -fsSL https://openclaw.ai/install.sh | bash

irm https://openclaw.ai/install.ps1 | iex

docker run -d --name openclaw \
  -p 127.0.0.1:18789:18789 \
  --read-only \
  --tmpfs /tmp \
  -v ./openclaw-data:/app/data \
  -v ./openclaw-config:/home/node/.openclaw \
  ghcr.io/openclaw/openclaw:latest

docker ps

# Instead of: openclaw devices list
# Run:
docker exec openclaw openclaw devices list

# Instead of: openclaw security audit --fix
# Run:
docker exec openclaw openclaw security audit --fix

curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash

irm https://www.nvidia.com/nemoclaw.ps1 | iex

Step 4: Set Up Your Agent

cat ./openclaw-config/openclaw.json | grep token

Step 5: Verify Everything Works

openclaw doctor
openclaw security audit --fix

nemoclaw my-assistant health

Think of this like a virus scan — run it regularly, ideally once a week.

Your First Conversation

Open your messaging app and send: “What day is it?” If OpenClaw responds, you’re connected. Try: “What’s the weather?” and “Set a reminder for tomorrow at 9am.”

If something isn’t working, run openclaw doctor. Most common: messaging bridge not connected.

Connecting Services

Start with these five: Weather, Calendar (read-only), Reminders, Web search, Smart home (lights/thermostat only).

Setting Up Model Routing

models:
  default: ollama/gemma4:e2b

models:
  default: ollama/gemma4:e4b

models:
  default: ollama/qwen3.5:27b

  providers:
    ollama:
      host: http://host.docker.internal:11434

models:
  default: xai/grok-4.1-mini           # Cheap cloud for most tasks
  routing:
    - match:
        categories: [health, finance, journal, personal]
      provider: ollama/gemma4:e2b       # Sensitive data stays local
      force_local: true

models:
  default: xai/grok-4.1-mini           # Cheap cloud for most tasks
  routing:
    - match:
        categories: [health, finance, journal, personal]
      provider: ollama/gemma4:e4b       # Sensitive data stays local
      force_local: true
    - match:
        keywords: [complex, analyze, plan, research]
        fallback_on_failure: true
      provider: openai/gpt-5.4         # Hard tasks get a premium model

models:
  default: ollama/qwen3.5:27b          # Local for most tasks (free)
  routing:
    - match:
        categories: [health, finance, journal, personal]
      provider: ollama/qwen3.5:27b     # Sensitive data never leaves
      force_local: true
    - match:
        keywords: [complex, analyze, plan, research]
        fallback_on_failure: true       # If local struggles, escalate
      provider: openai/gpt-5.4         # Cloud for hard tasks

  providers:
    ollama:
      host: http://host.docker.internal:11434

Locking the Front Door

By default, OpenClaw might accept connections from anyone on your network — or worse, the internet. These settings lock it down. Open your OpenClaw configuration file (openclaw.yaml) in a text editor:

1. Only accept local connections. Add this line to your config file:

gateway_host: 127.0.0.1

This tells OpenClaw: “Only accept connections from this computer. Ignore everyone else.”

2. Disable network broadcasting. By default, OpenClaw announces itself to other devices on your Wi-Fi (like AirDrop). Turn this off by adding:

disable_bonjour: true

3. Need remote access? If you want to reach OpenClaw from your phone or another computer, use Tailscale (free for personal use). It creates a private, encrypted tunnel between your devices — much safer than opening OpenClaw to the internet. Never expose OpenClaw’s port directly.

4. Credential hygiene.

• Least access possible — if OpenClaw only needs to read your email, don’t give it permission to send
• Separate passwords — create dedicated passwords for OpenClaw, never reuse your personal login
• Never type passwords into the chat — always use the config file. Chat history is less secure

Managing Costs

OpenClaw itself is free. The AI it talks to is not (unless you run local models). Each task triggers 5–10 API calls, so costs add up faster than you’d expect. Here’s what real usage looks like:

This is why model routing matters — use a cheap model for 90% of tasks and only escalate to a premium model when it actually matters. One community member cut their bill from $200 to under $20/month this way.

• Set a spending cap with your AI provider — start at $20–50/month and adjust
• Use local models for always-on tasks like morning briefings — free after hardware
• Watch for unusual spikes — could mean a stuck loop or someone misusing your setup
• Use API keys, not subscription OAuth — Anthropic’s June 15 split puts agent traffic on a separate, non-rollover credit pool (Pro $20, Max 5x $100, Max 20x $200) that won’t cover a real workload. Google permanently bans paid AI subscribers for routing Gemini through OpenClaw. Always connect via a billing-enabled API key, never your personal subscription account

Keeping It Updated

openclaw update

docker pull ghcr.io/openclaw/openclaw:latest
docker stop openclaw && docker rm openclaw
docker run -d --name openclaw \
  -p 127.0.0.1:18789:18789 \
  --read-only --tmpfs /tmp \
  -v ./openclaw-data:/app/data \
  -v ./openclaw-config:/home/node/.openclaw \
  ghcr.io/openclaw/openclaw:latest

nemoclaw update

Regular maintenance:

• Weekly: openclaw security audit --fix
• Monthly: Check SOUL.md/MEMORY.md for unexpected content — strange text you didn’t write could be a sign of tampering

What to Do With It

Detailed guidance for each use case, organized from lowest risk to highest. Start at the top.

LOW RISK Start Here

LOW-MEDIUM RISK Some Caution

MEDIUM RISK Personal Data

HIGH RISK Proceed With Care

VERY HIGH RISK Expert Territory

How OpenClaw Compares

The Claude Ecosystem vs OpenClaw

Anthropic has four pieces that overlap with what OpenClaw does:

• Claude Code — terminal/dev tool. Code lives on your machine.
• Cowork — desktop app for documents and long-running work; Pro/Max can give it computer-use permissions (open files, click buttons, drive a browser, all unattended). Computer-use rolled out broadly in April 2026.
• Dispatch — queues background jobs; in May 2026 it gained the ability to launch full Claude Code sessions, not just Cowork tasks.
• Channels — a structured event stream from a running Claude Code session that messaging bridges can subscribe to. May 2026 added a permission-relay so tool-approval prompts can pop up on your phone. This is the piece that most directly overlaps with OpenClaw’s “text the agent” experience.

OpenClaw is like texting an assistant with keys to many rooms. The Claude stack is like texting a specialist at your desk who happens to have a remote control for your laptop. The specialist knows more about what’s in front of them; the assistant can go to more places and works with any model.

OpenClaw wins: 7+ messaging platforms, always-on, any AI model, 50+ life-service integrations, no subscription required (just an API key).

Claude stack wins: security managed by Anthropic, full computer use on your desktop, no DIY infrastructure, official mobile approval flow.

When to Use Which

Claude Code + Channels for developers who want to text their dev environment and get tool-approval prompts on their phone. Cowork + Dispatch for non-technical desktop work, especially since Cowork added computer-use for Pro/Max in April. OpenClaw for automating your life across messaging apps with any AI model — including local ones the Claude stack can’t touch.

vs Hermes Agent

The other open-source personal-agent framework worth taking seriously in May 2026 is Hermes Agent from Nous Research. It launched in February with a different architectural bet — a closed learning loop, agent-curated memory, secure-by-default sandboxing — and as of mid-May has zero published CVEs against OpenClaw’s 170+. It’s the most direct competitor.

I wrote a full, opinionated head-to-head: OpenClaw vs Hermes Agent — The Blunt Comparison →

Security for Experts

If you followed Section 3, you’re already reasonably secure. This is for sysadmins and security professionals.

10 Security Principles

1. Start small: Low-risk use cases first
2. Least privilege: Minimum permissions
3. Human in the loop: Approve all changes
4. Defense in depth: Container + firewall + auth + scoped tokens
5. Assume compromise: Limit blast radius
6. Local AI for sensitive data: Ollama + Qwen 3.5 27B
7. Regular audits: Weekly security audit, monthly memory review
8. Stay updated: 170+ CVEs in 6 months; 13 new in April 2026
9. Vet all skills: Never install unaudited skills
10. Monitor costs: Spending limits detect abuse

Verification Checklist

1. openclaw security audit --fix — zero findings
2. Port scan — 18789 not externally accessible
3. Gateway rejects unauthenticated WebSocket
4. API spending limits set
5. mDNS disabled (OPENCLAW_DISABLE_BONJOUR=1)
6. Test benign prompt injection for guardrails
7. SOUL.md/MEMORY.md free of unexpected content
8. allow_url_actions: false in openclaw.yaml
9. Version 2026.5.5+ (all CVEs through April 2026 patched)
10. Non-localhost WebSocket rejected
11. Docker: non-root, --cap-drop=ALL, --read-only

Critical Attack Vectors

1. The “Lethal Trifecta”

System Access + Execution Power + Untrusted Ingestion. Most setups have all three. Never combine in a single agent.

2. Time-Shifted Memory Poisoning

Malicious SOUL.md/MEMORY.md inputs that “detonate” later. Treat memory files as code. File integrity monitoring.

3. Log Poisoning → Prompt Injection

Malicious content in logs read by the agent. Make logs write-only from agent perspective.

4. Container Escape via API

CVE-2026-25253 WebSocket hijacking works even inside Docker.

5. Localhost Trust (ClawJacked)

Gateway exempted localhost from rate limiting. Browser JS could brute-force at hundreds/second.

Docker Hardening

services:
  openclaw:
    image: ghcr.io/openclaw/openclaw:2026.5.5
    read_only: true
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
      - seccomp=openclaw-seccomp.json
    user: "1000:1000"
    ports: ["127.0.0.1:18789:18789"]
    volumes:
      - ./config:/app/config:ro
      - ./data:/app/data
    mem_limit: 2g
    cpus: 1.0
    networks: [openclaw-internal]

  egress-proxy:
    image: nginx:alpine
    networks: [openclaw-internal, external]

networks:
  openclaw-internal:
    internal: true
  external:
    driver: bridge

Never mount docker.sock. Never use --network=host.

Incident Response

1. Immediately: Disconnect from network
2. Within 1 hour: Rotate ALL credentials
3. Audit: Check logs for unexpected system.run
4. Review: SOUL.md/MEMORY.md for injected instructions
5. Scan: Check for backdoor skills
6. Report: GitHub Security Advisory

Scale of the problem: 135K+ exposed instances across 82 countries (April 2026 scan), 63% of which run without any authentication. ClawHavoc planted 1,467 malicious skills (one with 340K+ installs) before ClawHub added publisher verification. Meta banned OpenClaw from corporate devices. Palo Alto called it “the potential biggest insider threat of 2026.”

Deep Dives

Reference material linked from the main guide.

Hardware for Local Models

Local inference is memory-bandwidth-bound.

Mac Studio M4 Max (64GB) — ~$2,700

546 GB/s bandwidth, nearly 2x M5 Pro. The sweet spot. Skip 128GB unless running 70B+ models.

Used RTX 3090 Build — ~$900–1,200

Community “value king.” 24GB VRAM, ~50 tokens/sec on Qwen 3.5 27B. Noisy and power-hungry.

AMD Strix Halo — $1,499–2,700+

Up to 128GB unified memory. ~273 GB/s bandwidth (lower than M4 Max). Good non-Apple option.

Two-Machine Setup

Cheap machine as always-on server. Powerful machine runs Ollama. OpenClaw routes over home network.

Minimum Viable

16GB+ RAM can run Qwen 2.5 Coder 14B. Enough to experiment.

VRAM guide: 8GB = 7-8B models. 12-16GB = 14B. 20-24GB = 27-35B (sweet spot). 64-128GB unified = very large.

The Qwen Story

Qwen (“chwen”) by Alibaba Cloud. Timeline: April 2023 closed beta → Sept 2023 public → June 2024 Qwen 2 → April 2025 Qwen 3 (Apache 2.0, 36T tokens, 119 languages) → Feb 2026 Qwen 3.5 (27B matches GPT-5 Mini on SWE-bench, 600M+ downloads, 170K+ derivative models) → April 16, 2026 Qwen 3.6, with a dense 27B that hits 77.2% on SWE-bench (best dense coding model on the leaderboard) and a 35B-A3B MoE variant tuned for consumer GPUs. Ollama shipped native Qwen 3.6 support on launch day, including a qwen3.6 tag that handles quantization automatically.

Why so good: $53B Alibaba AI investment. Apache 2.0 as ecosystem strategy. Relentless iteration.

Pros: Free forever (Apache 2.0). Runs on consumer hardware (~20GB). Privacy by default. 90% of frontier. Massive ecosystem.

Cons: Ollama tool-calling bugs (set reasoning: false). Can overthink/loop. Weaker on complex multi-step reasoning. 128K context (vs 1M+ GPT-5.4).

ollama pull qwen3.5:27b && ollama serve
export OLLAMA_FLASH_ATTENTION=1
export OLLAMA_CONTEXT_LENGTH=65536

Local Model Options

PinchBench Rankings

PinchBench: 23 real tasks, 75+ models (May 2026 snapshot).

What changed in May: Opus 4.7 (April 16) and Qwen 3.6 27B (also April 16) reshuffled the top of the list. Qwen 3.6 hit 77.2% SWE-bench as the best dense coding model and is the new community pick if you can spare ~20 GB VRAM — see the Qwen story above.

Model Routing Configuration

models:
  default: ollama/qwen3.5:27b

  routing:
    - match:
        categories: [health, finance, journal, personal]
      provider: ollama/qwen3.5:27b
      force_local: true

    - match:
        keywords: [complex, analyze, plan, research, compare]
        fallback_on_failure: true
      provider: openai/gpt-5.4

    - match:
        keywords: [critical, important, difficult]
        manual_escalation: true
      provider: anthropic/claude-opus-4-7

  providers:
    ollama:
      host: http://192.168.1.50:11434
    openai:
      api_key: ${OPENAI_API_KEY}
    anthropic:
      api_key: ${ANTHROPIC_API_KEY}

Routes to Qwen by default (free), forces sensitive data local, escalates hard tasks to GPT-5.4, reserves Opus for explicit request. ~$10–15/month.

Steinberger’s Perspective

Based on public statements — blog (Feb 15, 2026), Pragmatic Engineer podcast, Lex Fridman #491, Fortune/TechCrunch/CNBC interviews.

His Philosophy

“An AI that actually does things.” Vision: “an agent that even my mum can use.” He calls this “agentic engineering” and frames AI agents as a learned skill: “You pick up the guitar — you’re not going to be good at the guitar in the first day.”

Where He’d Push Back

1. Absolutist prohibitions: He favors graduated trust over blanket bans.
2. Model routing: A core design principle of OpenClaw.
3. Empowerment first: Excitement before caution. Fair — but this guide errs on safety.

Uncomfortable Truths

ClawHavoc response was slow. He joined OpenAI Feb 14, 2026 and transferred OpenClaw to an independent foundation with OpenAI backing. The foundation board still hasn’t published its governance documents as of mid-May 2026, and Steinberger himself hasn’t posted a new public update on OpenClaw’s direction since the February announcement — an unusual silence for a maintainer who used to write weekly. One maintainer’s warning still stands: “If you can’t run a command line, this is too dangerous.”

The Balanced Take

This guide favors security researchers (Microsoft, Palo Alto, Cisco) over the creator’s optimism. That’s right for safety. But Steinberger’s graduated-trust approach is valid for people who understand their risks. The Feb-to-May 2026 stretch — Google account bans, Anthropic’s metered-credit pivot, 13 new CVEs in a single month — vindicates the cautious framing more than the optimistic one.

Sources

• OpenClaw, OpenAI and the future — steipete.me
• “I ship code I don’t read” — Pragmatic Engineer
• OpenClaw creator joins OpenAI — TechCrunch
• Who is Peter Steinberger? — Fortune
• ClawHavoc Poisons ClawHub — CyberPress
• Lex Fridman #491 — Summify