This OpenClaw install guide was generated with Claude's help, with an emphasis on security and privacy. Substitute your own values for placeholders (user IDs, API keys, bot names, IP addresses, phone numbers, etc.) where appropriate.
OpenClaw Install Guide
Mac Mini M4 (24GB) · Telegram · Anthropic API
macOS Tahoe 26.4.1 · OpenClaw 2026.4.15 · Admin: clawadmin · OpenClaw user: clawuser · Isolated Meraki VLAN
Sources & References
- openclaw.ai — Official OpenClaw website and installer
- docs.openclaw.ai/channels/telegram — Official Telegram channel documentation
- docs.openclaw.ai/channels/signal — Official Signal channel documentation (Appendix E)
- github.com/openclaw/openclaw/releases — Release notes (latest: 2026.4.15)
- wayin.ai/blog/openclaw-setup-guide — OpenClaw Setup Guide for Beginners 2026
- dedicatedmac.io/blog/how-to-set-up-openclaw-on-mac-mini — Mac Mini-specific setup guide (March 2026)
- crewclaw.com/blog/openclaw-gateway-daemon-guide — Gateway daemon and headless mode reference
- shareuhack.com/en/posts/openclaw-setup-tutorial-2026 — Cost and rate limit analysis
Overview
OpenClaw is a self-hosted, open-source AI agent gateway that runs on your Mac Mini and lets you interact with an AI assistant through Telegram. Unlike Claude.ai, OpenClaw takes real actions: browse the web, run terminal commands, manage files, read email, check calendars, and more.
This setup:
- Hardware: Mac Mini M4 24GB — fresh macOS Tahoe 26.4.1 install, FileVault ON
- Network: Isolated Meraki VLAN — outbound internet, no lateral access, port 22 inbound from main subnet
- Channel: Telegram via your bot (e.g. @your-bot-name)
- Model: anthropic/claude-sonnet-4-6 (recommended for cost/performance)
- Admin user: clawadmin — installs and system-level tasks only
- OpenClaw user: clawuser — standard user, least privilege
Security principle: OpenClaw runs as clawuser. If compromised, it cannot modify system files or access other users' directories. Combined with an isolated VLAN, this creates two layers of containment.
Anthropic API Cost Guide
OpenClaw uses your Anthropic API key for every message — separate from any Claude.ai subscription.
⚠️ Real-world: 10 casual Telegram messages with claude-opus-4-7 cost $0.58 and triggered rate limits. Use claude-sonnet-4-6 for daily use.
Cost controls:
- Set spending limit at console.anthropic.com ($20/mo covers Sonnet personal use)
- Start new sessions regularly — long sessions re-send full context on every message
- Disable memory search if unneeded:
openclaw config set agents.defaults.memorySearch.enabled false
Switch model:
python3 -c "
import json
with open('/Users/clawuser/.openclaw/openclaw.json') as f:
    c = json.load(f)
c['agents']['defaults']['model']['primary'] = 'anthropic/claude-sonnet-4-6'
with open('/Users/clawuser/.openclaw/openclaw.json', 'w') as f:
    json.dump(c, f, indent=2)
print('Done')
"
openclaw gateway restart
Pre-Install Checklist
- Anthropic API account: Sign up at console.anthropic.com → add credit card → purchase $20 in credits (unlocks Tier 1 rate limits) → generate API key → set monthly spend limit to $20 → enable auto-reload ($10 when balance < $5)
- Telegram account active on your phone
- Brave Search API — see Appendix B
- HDMI dummy plug plugged into Mac Mini HDMI port
- SSH working — can SSH into Mac Mini as clawadmin
Phase 1 — macOS Headless Prep (as clawadmin)
1A — Power settings
sudo systemsetup -setcomputersleep Never
sudo systemsetup -setdisplaysleep Never
sudo systemsetup -setharddisksleep Never
sudo systemsetup -setrestartpowerfailure on
sudo systemsetup -getcomputersleep # verify: should show Never
⚠️ Expected on Tahoe 26.4.1: Each command prints Error:-99 — known cosmetic bug, safely ignored. Confirm via verify output showing Computer Sleep: Never.
1B — Headless reboots with FileVault
macOS blocks Automatic Login when FileVault is on. Use authenticated restarts instead:
sudo fdesetup authrestart
# Enter clawadmin password. SSH available again in ~60 seconds.
Unexpected reboots: Mac sits at FileVault screen and won't respond to SSH. Connect via Screen Sharing or attach keyboard briefly.
1C — HDMI dummy plug
Plug into Mac Mini's HDMI port before going headless. Prevents screen capture issues with OpenClaw's browser tools.
Phase 2 — Install Homebrew and Node.js 24 (as clawadmin)
# Install Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Run the THREE commands Homebrew outputs at end of install:
echo >> /Users/clawadmin/.zprofile
echo 'eval "$(/opt/homebrew/bin/brew shellenv zsh)"' >> /Users/clawadmin/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv zsh)"
brew --version # should show Homebrew 5.x.x
# Install Node 24
brew install node@24
node --version # should show v24.15.0+
Tahoe note: Use exactly what Homebrew gives you (includes zsh and full path). brew link node@24 not needed — links automatically.
Phase 3 — Prepare clawuser's Environment (as clawadmin)
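sudo mkdir -p /Users/clawuser/.openclaw
sudo chown -R clawuser:staff /Users/clawuser/.openclaw
# Append as clawuser: a plain >> redirect would run as clawadmin, which cannot write to clawuser's home
echo 'eval "$(/opt/homebrew/bin/brew shellenv zsh)"' | sudo -u clawuser tee -a /Users/clawuser/.zprofile > /dev/null
echo 'export ANTHROPIC_API_KEY="sk-ant-YOUR-KEY"' | sudo -u clawuser tee -a /Users/clawuser/.zprofile > /dev/null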
OpenClaw picks up ANTHROPIC_API_KEY from environment automatically — more secure than storing in openclaw.json.
Phase 4 — Install OpenClaw (as clawadmin, onboard as clawuser)
curl -fsSL https://openclaw.ai/install.sh | bash
su - clawuser
source /Users/clawuser/.zprofile
openclaw onboard --install-daemon
Phase 5 — Onboarding Wizard Answers
- Security warning: Yes
- Setup mode: Manual
- What to set up: Local gateway (this machine)
- Workspace directory: /Users/clawuser/.openclaw/workspace
- Model/auth provider: Anthropic (Claude CLI + API key)
- Anthropic auth method: Anthropic API key → paste sk-ant- key
- Default model: Keep current
- Gateway port: 18789
- Gateway bind: Loopback (127.0.0.1)
- Gateway auth: Token
- Tailscale exposure: Off
- Gateway token provider: Generate/store plaintext token
- Gateway token: Leave blank → Enter (auto-generate)
- Configure channels: Yes → Telegram (Bot API) → paste BotFather token
- Select channel: Finished
- Configure DM policies: Yes → Allowlist → enter numeric Telegram user ID from @userinfobot
- Search provider: Brave Search → paste Brave API key
- Configure skills: Yes → select only clawhub → npm
- clawhub EACCES error: Expected — fix after wizard (see Troubleshooting)
- API key prompts (Google/Notion/OpenAI/ElevenLabs): No to all
- Plugins/Hooks: Skip for now
- Gateway runtime: Node (recommended)
⚠️ Wizard will fail with "Bootstrap failed: 125" — expected when running via SSH. Proceed to Phase 6.
Phase 6 — Install Gateway Service (GUI session required)
LaunchAgent requires a logged-in GUI session — SSH is not sufficient.
- Connect via Screen Sharing: vnc://192.168.x.x
- Log in as clawuser
- Open Terminal:
openclaw gateway install --force
# Expected: Installed LaunchAgent: .../ai.openclaw.gateway.plist
openclaw gateway status
# Look for: Runtime: running | RPC probe: ok
Phase 7 — Fix Anthropic API Key in auth-profiles.json
Verify the key stored in the agent auth store:
python3 -c "
import json
with open('/Users/clawuser/.openclaw/agents/main/agent/auth-profiles.json') as f:
    c = json.load(f)
print(json.dumps(c, indent=2))
"
The anthropic:default profile's key field must be your sk-ant- key. If wrong:
python3 -c "
import json
with open('/Users/clawuser/.openclaw/agents/main/agent/auth-profiles.json') as f:
    c = json.load(f)
c['profiles']['anthropic:default']['key'] = 'sk-ant-YOUR-KEY'
with open('/Users/clawuser/.openclaw/agents/main/agent/auth-profiles.json', 'w') as f:
    json.dump(c, f, indent=2)
print('Done')
"
openclaw gateway restart
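An added example, not part of OpenClaw or of the original guide: the same kind of in-place JSON edit as the snippets above, but keeping a .bak copy first and swapping the new file in with an atomic rename, so a failed write cannot leave the gateway with a truncated config. The function name set_json_key and the sample file are constructed for illustration.

```python
import json
import os
import shutil
import tempfile


def set_json_key(path, keys, value):
    """Set config[keys[0]][keys[1]]... = value, keeping a .bak and writing atomically."""
    with open(path) as f:
        config = json.load(f)  # raises before anything is written if the file is broken

    backup = path + ".bak"
    shutil.copy2(path, backup)  # last known-good copy to restore from
    os.chmod(backup, 0o600)     # the backup may hold the same secrets as the original

    node = config
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value

    # Write a sibling temp file, then rename it over the original. mkstemp creates
    # the file with mode 0600, and os.replace is atomic on the same filesystem.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(config, f, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return config


if __name__ == "__main__":
    # Constructed sample file standing in for ~/.openclaw/openclaw.json
    demo = os.path.join(tempfile.mkdtemp(), "openclaw.json")
    with open(demo, "w") as f:
        json.dump({"agents": {"defaults": {"model": {"primary": "anthropic/claude-opus-4-7"}}}}, f)
    set_json_key(demo, ["agents", "defaults", "model", "primary"], "anthropic/claude-sonnet-4-6")
    print(open(demo).read())
```

Because the rewritten file comes from the temp file, it ends up with mode 0600 regardless of the permissions the original had.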
Phase 8 — Switch to Sonnet
See model switch command in
Phase 9 — Test
- Open Telegram → search for your bot (e.g. @your-bot-name)
- Send any message — bot prompts for name/preferences
- "What tools do you have access to?" — lists tools
- "What time is it?" — sanity check
- "Search the web for OpenClaw latest release" — confirms Brave Search
Quick Reference
openclaw status # overall health
openclaw gateway status # daemon running?
openclaw models status # verify API key + model
openclaw logs --follow # live logs
openclaw doctor # diagnose issues
openclaw doctor --fix # auto-repair
openclaw channels status --probe # verify Telegram
openclaw gateway restart # restart after config changes
openclaw security audit --deep # full security check (run regularly)
openclaw sessions # active sessions
openclaw skills install <slug> # install a skill
openclaw skills update --all # update all skills
Appendix A — Telegram Bot Setup
- Open Telegram → @BotFather (blue checkmark)
- Send /newbot
- Enter display name (e.g. OpenClaw)
- Username rules (tested April 2026): all lowercase, no leading numbers, letters/numbers/underscores only, must end in bot
  - ❌ Failed: MyClawBot (uppercase letters not allowed)
  - ❌ Failed: 3myclawbot (cannot start with a number)
  - ❌ Failed: my-claw-bot (hyphens not allowed — letters/numbers/underscores only)
  - ❌ Failed: myclawservice (must end in bot)
  - ✅ Worked: myclawbot
- Save bot token: 7xxxxxxxxx:AAFxxxxxxxxxxxxxxxx
- Get your numeric user ID: @userinfobot → send any message → note the number (e.g. 123456789)
- Use numeric ID in allowFrom — @username does NOT work
Appendix B — Brave Search API Setup
- Go to api-dashboard.search.brave.com
- Available Plans → Search → Limit monthly spending → Free ($5/mo credit)
- Credit card required even for free tier — won't be charged under $5/mo
- API Keys → Add new key → name it (e.g. openclaw-brave-api) → Monthly spend: Free → Add
- Paste key into wizard when prompted
Appendix C — Security Reminders
- Two-user model: clawadmin for admin, clawuser for OpenClaw — never run gateway as admin
- VLAN isolation: internet out, no lateral access
- allowFrom: numeric Telegram ID only — never approve unknown pairing requests
- ClawHub skills: VirusTotal scan + verified authors only (ClawHavoc: 1,467 malicious skills, early 2026)
- Run regularly: openclaw security audit --deep
- Spending limit: $20/mo on console.anthropic.com
- SSH only: port 22 inbound, VNC closed
- Never edit JSON with text editors — use Python, restore from .bak if broken
- Keep secrets out of openclaw.json — use ~/.zprofile environment variables
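One way to check the allowFrom and secrets reminders above against a config file, as an added example that is not part of OpenClaw or of the original guide. It assumes the Telegram allowlist sits at channels.telegram.allowFrom (mirroring the Signal block in Appendix E) and an assumed shape for bot tokens; the sample config and its key names are constructed.

```python
import json
import os
import re

# sk-ant- prefix as shown in this guide; bot token shape (digits, colon, 35 chars) is an assumption.
SECRET_PATTERNS = {
    "Anthropic API key": re.compile(r"sk-ant-[A-Za-z0-9_-]{8,}"),
    "Telegram bot token": re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}"),
}

def string_leaves(node, path=""):
    """Yield (path, value) for every string anywhere in the parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from string_leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from string_leaves(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_config(config, mode):
    """Return findings for a parsed openclaw.json and its permission bits."""
    findings = []
    if mode & 0o077:
        findings.append(f"mode {mode & 0o777:o}: readable or writable beyond the owner")
    for path, value in string_leaves(config):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                findings.append(f"{path}: plaintext {label}")
    # Assumption: the Telegram allowlist is at channels.telegram.allowFrom.
    telegram = config.get("channels", {}).get("telegram", {})
    for entry in telegram.get("allowFrom", []):
        if not re.fullmatch(r"[0-9]+", str(entry)):
            findings.append(f"channels.telegram.allowFrom: {entry!r} is not a numeric ID")
    return findings

def audit_file(path):
    with open(path) as f:
        return audit_config(json.load(f), os.stat(path).st_mode)

if __name__ == "__main__":
    # Constructed sample; "env" and "botToken" are made-up key names.
    sample = {"env": {"ANTHROPIC_API_KEY": "sk-ant-CONSTRUCTED-EXAMPLE"},
              "channels": {"telegram": {"botToken": "7000000000:" + "A" * 35,
                                        "allowFrom": ["@someone", "123456789"]}}}
    print("\n".join(audit_config(sample, 0o644)))
```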
Appendix D — Troubleshooting
Real-world issues on macOS Tahoe 26.4.1, April 2026.
Appendix E — Signal Channel (Alternative)
Requires dedicated Google Voice number and Java.
# Install (as clawadmin)
brew install openjdk
echo 'export PATH="/opt/homebrew/opt/openjdk/bin:$PATH"' >> ~/.zprofile
source ~/.zprofile
brew install signal-cli
# Register (use --voice for Google Voice — SMS fails)
# CRITICAL: solve captcha on Mac Mini browser via Screen Sharing (IP-locked)
signal-cli -a +1XXXXXXXXXX register --voice --captcha 'signalcaptcha://YOUR_TOKEN'
signal-cli -a +1XXXXXXXXXX verify YOUR_CODE
signal-cli -a +1XXXXXXXXXX send -m 'test' +1YOURMOBILENUMBER
Config (as clawuser):
{
  "channels": {
    "signal": {
      "enabled": true,
      "account": "+1XXXXXXXXXX",
      "cliPath": "signal-cli",
      "dmPolicy": "pairing",
      "allowFrom": ["+1YOURMOBILENUMBER"]
    }
  }
}
OpenClaw (formerly Clawdbot/Molt) · openclaw.ai · docs.openclaw.ai · clawhub.ai · console.anthropic.com