!!!
This OpenClaw install guide was generated with Claude's help, with an emphasis on security and privacy. Substitute your own values for placeholders (user IDs, API keys, bot names, IP addresses, phone numbers, etc.) where appropriate.
!!!

# OpenClaw Install Guide

**Mac Mini M4 (24GB) · Telegram · Anthropic API**  
macOS Tahoe 26.4.1 · OpenClaw 2026.4.15 · Admin: `clawadmin` · OpenClaw user: `clawuser` · Isolated Meraki VLAN

---

## Sources & References

- **openclaw.ai** — Official OpenClaw website and installer
- **docs.openclaw.ai/channels/telegram** — Official Telegram channel documentation
- **docs.openclaw.ai/channels/signal** — Official Signal channel documentation (Appendix E)
- **github.com/openclaw/openclaw/releases** — Release notes (latest: 2026.4.15)
- **wayin.ai/blog/openclaw-setup-guide** — OpenClaw Setup Guide for Beginners 2026
- **dedicatedmac.io/blog/how-to-set-up-openclaw-on-mac-mini** — Mac Mini-specific setup guide (March 2026)
- **crewclaw.com/blog/openclaw-gateway-daemon-guide** — Gateway daemon and headless mode reference
- **shareuhack.com/en/posts/openclaw-setup-tutorial-2026** — Cost and rate limit analysis

---

## Overview

OpenClaw is a self-hosted, open-source AI agent gateway that runs on your Mac Mini and lets you interact with an AI assistant through Telegram. Unlike Claude.ai, OpenClaw takes real actions: browse the web, run terminal commands, manage files, read email, check calendars, and more.

**This setup:**
- **Hardware:** Mac Mini M4 24GB — fresh macOS Tahoe 26.4.1 install, FileVault ON
- **Network:** Isolated Meraki VLAN — outbound internet, no lateral access, port 22 inbound from main subnet
- **Channel:** Telegram via your bot (e.g. `@your-bot-name`)
- **Model:** `anthropic/claude-sonnet-4-6` (recommended for cost/performance)
- **Admin user:** `clawadmin` — installs and system-level tasks only
- **OpenClaw user:** `clawuser` — standard user, least privilege

> **Security principle:** OpenClaw runs as `clawuser`. If compromised, it cannot modify system files or access other users' directories. Combined with an isolated VLAN, this creates two layers of containment.

---

## Anthropic API Cost Guide

OpenClaw uses your Anthropic API key for every message — **separate** from any Claude.ai subscription.

| Model | Per conversation | Typical monthly | Rate limits |
|---|---|---|---|
| `claude-sonnet-4-6` ✅ | ~$0.01–0.05 | $2–10/mo | High |
| `claude-opus-4-7` ❌ | ~$0.05–0.30 | $150–300/mo | Low — will hit quickly |

> ⚠️ **Real-world:** 10 casual Telegram messages with `claude-opus-4-7` cost $0.58 and triggered rate limits. Use `claude-sonnet-4-6` for daily use.

**Cost controls:**
- Set spending limit at console.anthropic.com ($20/mo covers Sonnet personal use)
- Start new sessions regularly — long sessions re-send full context on every message
- Disable memory search if unneeded: `openclaw config set agents.defaults.memorySearch.enabled false`

**Switch model:**
```bash
python3 -c "
import json
with open('/Users/clawuser/.openclaw/openclaw.json') as f:
    c = json.load(f)
c['agents']['defaults']['model']['primary'] = 'anthropic/claude-sonnet-4-6'
with open('/Users/clawuser/.openclaw/openclaw.json', 'w') as f:
    json.dump(c, f, indent=2)
print('Done')
"
openclaw gateway restart
```

---

## Pre-Install Checklist

- [ ] **Anthropic API account:** Sign up at console.anthropic.com → add credit card → **purchase $20 in credits** (unlocks Tier 1 rate limits) → generate API key → set monthly spend limit to $20 → enable auto-reload ($10 when balance < $5)
- [ ] **Telegram account** active on your phone
- [ ] **Brave Search API** — see [Appendix B](#appendix-b--brave-search-api-setup)
- [ ] **HDMI dummy plug** plugged into Mac Mini HDMI port
- [ ] **SSH working** — can SSH into Mac Mini as `clawadmin`

---

## Phase 1 — macOS Headless Prep (as `clawadmin`)

### 1A — Power settings

```bash
sudo systemsetup -setcomputersleep Never
sudo systemsetup -setdisplaysleep Never
sudo systemsetup -setharddisksleep Never
sudo systemsetup -setrestartpowerfailure on
sudo systemsetup -getcomputersleep   # verify: should show Never
```

> ⚠️ **Expected on Tahoe 26.4.1:** Each command prints `Error:-99` — known cosmetic bug, safely ignored. Confirm via verify output showing `Computer Sleep: Never`.

### 1B — Headless reboots with FileVault

macOS blocks Automatic Login when FileVault is on. Use authenticated restarts instead:

```bash
sudo fdesetup authrestart
# Enter clawadmin password. SSH available again in ~60 seconds.
```

> **Unexpected reboots:** Mac sits at FileVault screen and won't respond to SSH. Connect via Screen Sharing or attach keyboard briefly.

### 1C — HDMI dummy plug

Plug into Mac Mini's HDMI port before going headless. Prevents screen capture issues with OpenClaw's browser tools.

---

## Phase 2 — Install Homebrew and Node.js 24 (as `clawadmin`)

```bash
# Install Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Run the THREE commands Homebrew outputs at end of install:
echo >> /Users/clawadmin/.zprofile
echo 'eval "$(/opt/homebrew/bin/brew shellenv zsh)"' >> /Users/clawadmin/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv zsh)"

brew --version   # should show Homebrew 5.x.x

# Install Node 24
brew install node@24
node --version   # should show v24.15.0+
```

> **Tahoe note:** Use exactly what Homebrew gives you (includes `zsh` and full path). `brew link node@24` not needed — links automatically.

---

## Phase 3 — Prepare clawuser's Environment (as `clawadmin`)

```bash
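sudo mkdir -p /Users/clawuser/.openclaw
sudo chown -R clawuser:staff /Users/clawuser/.openclaw

# clawadmin cannot append to clawuser's files directly, so write through sudo tee
echo 'eval "$(/opt/homebrew/bin/brew shellenv zsh)"' | sudo tee -a /Users/clawuser/.zprofile >/dev/null
echo 'export ANTHROPIC_API_KEY="sk-ant-YOUR-KEY"' | sudo tee -a /Users/clawuser/.zprofile >/dev/null
# The file now holds a secret: give it back to clawuser and make it owner-only
sudo chown clawuser:staff /Users/clawuser/.zprofile
sudo chmod 600 /Users/clawuser/.zprofile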
```

> OpenClaw picks up `ANTHROPIC_API_KEY` from environment automatically — more secure than storing in `openclaw.json`.

---

## Phase 4 — Install OpenClaw (as `clawadmin`, onboard as `clawuser`)

```bash
curl -fsSL https://openclaw.ai/install.sh | bash

su - clawuser
source /Users/clawuser/.zprofile
openclaw onboard --install-daemon
```

---

## Phase 5 — Onboarding Wizard Answers

1. **Security warning:** Yes
2. **Setup mode:** Manual
3. **What to set up:** Local gateway (this machine)
4. **Workspace directory:** `/Users/clawuser/.openclaw/workspace`
5. **Model/auth provider:** Anthropic (Claude CLI + API key)
6. **Anthropic auth method:** Anthropic API key → paste `sk-ant-` key
7. **Default model:** Keep current
8. **Gateway port:** 18789
9. **Gateway bind:** Loopback (127.0.0.1)
10. **Gateway auth:** Token
11. **Tailscale exposure:** Off
12. **Gateway token provider:** Generate/store plaintext token
13. **Gateway token:** Leave blank → Enter (auto-generate)
14. **Configure channels:** Yes → Telegram (Bot API) → paste BotFather token
15. **Select channel:** Finished
16. **Configure DM policies:** Yes → Allowlist → enter numeric Telegram user ID from @userinfobot
17. **Search provider:** Brave Search → paste Brave API key
18. **Configure skills:** Yes → select only **clawhub** → npm
19. **clawhub EACCES error:** Expected — fix after wizard (see Troubleshooting)
20. **API key prompts (Google/Notion/OpenAI/ElevenLabs):** No to all
21. **Plugins/Hooks:** Skip for now
22. **Gateway runtime:** Node (recommended)

> ⚠️ **Wizard will fail with "Bootstrap failed: 125"** — expected when running via SSH. Proceed to Phase 6.

---

## Phase 6 — Install Gateway Service (GUI session required)

LaunchAgent requires a logged-in GUI session — SSH is not sufficient.

1. Connect via Screen Sharing: `vnc://192.168.x.x`
2. Log in as `clawuser`
3. Open Terminal:

```bash
openclaw gateway install --force
# Expected: Installed LaunchAgent: .../ai.openclaw.gateway.plist

openclaw gateway status
# Look for: Runtime: running | RPC probe: ok
```

---

## Phase 7 — Fix Anthropic API Key in auth-profiles.json

Verify the key stored in the agent auth store:

```bash
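python3 -c "
import json
with open('/Users/clawuser/.openclaw/agents/main/agent/auth-profiles.json') as f:
    c = json.load(f)
# Show only the ends of the key so the full secret never lands in scrollback
key = c.get('profiles', {}).get('anthropic:default', {}).get('key', '')
print('anthropic:default key:', key[:10] + '...' + key[-4:] if key else 'MISSING')
"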
```

The `anthropic:default` profile's `key` field must be your `sk-ant-` key. If wrong:

```bash
python3 -c "
import json, getpass
p = '/Users/clawuser/.openclaw/agents/main/agent/auth-profiles.json'
with open(p) as f:
    c = json.load(f)
# Prompt for the key so it stays out of shell history
c['profiles']['anthropic:default']['key'] = getpass.getpass('Anthropic API key (sk-ant-...): ')
with open(p, 'w') as f:
    json.dump(c, f, indent=2)
print('Done')
"
chmod 600 /Users/clawuser/.openclaw/agents/main/agent/auth-profiles.json
openclaw gateway restart
```
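
The model switch and the key fix above both rewrite a live config file in place. The following is an added example, not code from the OpenClaw project: a reusable edit helper that takes a backup and replaces the file atomically with owner-only permissions. It assumes the file is strict JSON (as the guide's own one-liners do); the `.pre-edit.bak` suffix and the function name are this example's choices.

```python
import json
import os
import shutil
import tempfile


def set_json_key(path, dotted_key, value):
    """Set one nested key in a strict-JSON file: parse, back up, replace atomically."""
    with open(path, encoding="utf-8") as f:
        doc = json.load(f)  # raises on smart quotes or a truncated file

    *parents, leaf = dotted_key.split(".")
    node = doc
    for part in parents:
        node = node[part]  # KeyError on a wrong path instead of silently adding keys
    if not isinstance(node, dict):
        raise TypeError(f"{dotted_key}: parent is not an object")
    node[leaf] = value

    # Backup name is this example's choice, distinct from any .bak OpenClaw keeps.
    backup = path + ".pre-edit.bak"
    shutil.copy2(path, backup)
    os.chmod(backup, 0o600)

    # Write a sibling temp file (mkstemp creates it 0600), then rename over the
    # original so a crash never leaves a half-written config behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".edit-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(doc, f, indent=2)
            f.write("\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return backup


if __name__ == "__main__":
    # Path and key name below are the ones used in this guide.
    home = "/Users/clawuser/.openclaw"
    set_json_key(f"{home}/openclaw.json",
                 "agents.defaults.model.primary", "anthropic/claude-sonnet-4-6")
    print("model updated; now run: openclaw gateway restart")
```

Run it as `clawuser` so the replaced file keeps the right owner. The same call works for `auth-profiles.json` with the key path `profiles.anthropic:default.key`.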

---

## Phase 8 — Switch to Sonnet

See model switch command in [Cost Guide](#anthropic-api-cost-guide) above.

---

## Phase 9 — Test

1. Open Telegram → search for your bot (e.g. `@your-bot-name`)
2. Send any message — bot prompts for name/preferences
3. **"What tools do you have access to?"** — lists tools
4. **"What time is it?"** — sanity check
5. **"Search the web for OpenClaw latest release"** — confirms Brave Search

---

## Quick Reference

```bash
openclaw status                   # overall health
openclaw gateway status           # daemon running?
openclaw models status            # verify API key + model
openclaw logs --follow            # live logs
openclaw doctor                   # diagnose issues
openclaw doctor --fix             # auto-repair
openclaw channels status --probe  # verify Telegram
openclaw gateway restart          # restart after config changes
openclaw security audit --deep    # full security check (run regularly)
openclaw sessions                 # active sessions
openclaw skills install <slug>    # install a skill
openclaw skills update --all      # update all skills
```

---

## Appendix A — Telegram Bot Setup

1. Open Telegram → **@BotFather** (blue checkmark)
2. Send `/newbot`
3. Enter display name (e.g. OpenClaw)
4. **Username rules (tested April 2026):** all lowercase, no leading numbers, letters/numbers/underscores only, must end in `bot`
   - ❌ Failed: `MyClawBot` (uppercase letters not allowed)
   - ❌ Failed: `3myclawbot` (cannot start with a number)
   - ❌ Failed: `my-claw-bot` (hyphens not allowed — letters/numbers/underscores only)
   - ❌ Failed: `myclawservice` (must end in `bot`)
   - ✅ Worked: `myclawbot`
5. Save bot token: `7xxxxxxxxx:AAFxxxxxxxxxxxxxxxx`
6. Get your numeric user ID: **@userinfobot** → send any message → note the number (e.g. `123456789`)
7. **Use numeric ID in allowFrom — @username does NOT work**

---

## Appendix B — Brave Search API Setup

1. Go to `api-dashboard.search.brave.com`
2. **Available Plans** → Search → **Limit monthly spending** → **Free** ($5/mo credit)
3. Credit card required even for free tier — won't be charged under $5/mo
4. **API Keys** → Add new key → name it (e.g. `openclaw-brave-api`) → Monthly spend: Free → Add
5. Paste key into wizard when prompted

---

## Appendix C — Security Reminders

- **Two-user model:** `clawadmin` for admin, `clawuser` for OpenClaw — never run gateway as admin
- **VLAN isolation:** internet out, no lateral access
- **allowFrom:** numeric Telegram ID only — never approve unknown pairing requests
- **ClawHub skills:** VirusTotal scan + verified authors only (ClawHavoc: 1,467 malicious skills, early 2026)
- **Run regularly:** `openclaw security audit --deep`
- **Spending limit:** $20/mo on console.anthropic.com
- **SSH only:** port 22 inbound, VNC closed
- **Never edit JSON with text editors** — use Python, restore from `.bak` if broken
- **Keep secrets out of openclaw.json** — use `~/.zprofile` environment variables
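
Three of these reminders can be checked mechanically. The following is an added example, not part of OpenClaw and not a replacement for `openclaw security audit --deep`: it flags files under the state directory that are readable beyond their owner, an `sk-ant-` key left in `openclaw.json`, and non-numeric Telegram `allowFrom` entries. It assumes the Telegram block uses the same `channels.<name>.allowFrom` layout as the Signal config in Appendix E; the function name and finding strings are this example's own.

```python
import json
import os
import re
import stat

# "sk-ant-" is the Anthropic key prefix this guide uses; the length bound is a heuristic.
SECRET_RE = re.compile(r"sk-ant-[A-Za-z0-9_-]{8,}")


def audit(state_dir):
    """Return sorted (relative_path, finding) tuples for an OpenClaw state directory."""
    findings = []
    # 1. Nothing under the state directory should be accessible to group or other.
    for root, _dirs, files in os.walk(state_dir):
        for full in [root] + [os.path.join(root, n) for n in files]:
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink are not meaningful
            if st.st_mode & 0o077:
                rel = os.path.relpath(full, state_dir)
                findings.append((rel, "group/other access: mode %o" % stat.S_IMODE(st.st_mode)))

    cfg_path = os.path.join(state_dir, "openclaw.json")
    if os.path.isfile(cfg_path):
        with open(cfg_path, encoding="utf-8") as f:
            text = f.read()
        # 2. API keys belong in the environment, not in openclaw.json.
        if SECRET_RE.search(text):
            findings.append(("openclaw.json", "contains an sk-ant- API key"))
        try:
            cfg = json.loads(text)
        except ValueError:
            findings.append(("openclaw.json", "not strict JSON; allowFrom not checked"))
            cfg = {}
        # 3. Assumption: channels.telegram.allowFrom mirrors the Signal block in Appendix E.
        allow = cfg.get("channels", {}).get("telegram", {}).get("allowFrom", [])
        for entry in allow:
            if not str(entry).isdigit():
                findings.append(("openclaw.json", "non-numeric Telegram allowFrom entry: %r" % (entry,)))
    return sorted(findings)


if __name__ == "__main__":
    for rel, finding in audit(os.path.expanduser("~/.openclaw")):
        print(f"{rel}: {finding}")
```

An empty result means only that these three checks passed. Fix permission findings with `chmod 700` on directories and `chmod 600` on files, run as `clawuser`.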

---

## Appendix D — Troubleshooting

*Real-world issues on macOS Tahoe 26.4.1, April 2026.*

| Issue | Cause | Fix |
|---|---|---|
| `zsh: unknown file attribute: i` | Smart/curly quotes pasted from Word | Type quote characters manually |
| `Error:-99` on systemsetup | Known Tahoe 26.4.1 cosmetic bug | Ignore; verify with `-getcomputersleep` |
| EACCES on /Users/clawuser/.openclaw | Wizard run as `clawadmin` | `sudo mkdir -p` + `sudo chown -R clawuser:staff` |
| `su - clawuser` says Sorry | Wrong password | Use `clawuser`'s password, not `clawadmin`'s |
| Bootstrap failed: 125 | SSH has no GUI session | Use Screen Sharing, log in as `clawuser`, run `openclaw gateway install --force` |
| JSON5 parse error after edit | Text editor introduced smart quotes | Restore `.bak`, use Python for all JSON edits |
| HTTP 401 invalid x-api-key | Wrong key in auth-profiles.json | Check with `openclaw models status`, fix with Python — see Phase 7 |
| `openclaw config set` Unrecognized key | Strict schema | Use Python json editing or env variables |
| clawhub EACCES on /opt/homebrew | `clawuser` can't write to Homebrew | `npm config set prefix /Users/clawuser/.npm-global` + add to PATH in `~/.zprofile` |
| Stray /Users/clawadmin/.openclaw | Partial wizard run as `clawadmin` | `sudo rm -rf /Users/clawadmin/.openclaw` |
| API rate limit / high cost | Running `claude-opus-4-7` | Switch to `claude-sonnet-4-6` — see Phase 8 |

---

## Appendix E — Signal Channel (Alternative)

Requires dedicated Google Voice number and Java.

```bash
# Install (as clawadmin)
brew install openjdk
echo 'export PATH="/opt/homebrew/opt/openjdk/bin:$PATH"' >> ~/.zprofile
source ~/.zprofile
brew install signal-cli

# Register (use --voice for Google Voice — SMS fails)
# CRITICAL: solve captcha on Mac Mini browser via Screen Sharing (IP-locked)
signal-cli -a +1XXXXXXXXXX register --voice --captcha 'signalcaptcha://YOUR_TOKEN'
signal-cli -a +1XXXXXXXXXX verify YOUR_CODE
signal-cli -a +1XXXXXXXXXX send -m 'test' +1YOURMOBILENUMBER
```

Config (as `clawuser`):
```json
{
  "channels": {
    "signal": {
      "enabled": true,
      "account": "+1XXXXXXXXXX",
      "cliPath": "signal-cli",
      "dmPolicy": "pairing",
      "allowFrom": ["+1YOURMOBILENUMBER"]
    }
  }
}
```

---

*OpenClaw (formerly Clawdbot/Molt) · openclaw.ai · docs.openclaw.ai · clawhub.ai · console.anthropic.com*
