OpenClaw is a powerful always-on AI assistant that connects to your messaging channels, executes tools, accesses the filesystem, and makes network requests on your behalf. That power comes with real security implications. This guide walks through installing OpenClaw on Ubuntu with security as the primary concern — not an afterthought.
Table of Contents
Open Table of Contents
- What Is OpenClaw?
- ⚠️ Security Considerations — Read This First
- Prerequisites
- Secure Installation Methods
- Post-Install Security Hardening
- Running OpenClaw Safely
- Verification and Testing
- Troubleshooting
- OpenClaw vs NemoClaw — Security Comparison
What Is OpenClaw?
OpenClaw is an open-source, local-first personal AI assistant. It runs a Gateway process on your machine and connects to channels you already use — WhatsApp, Telegram, Slack, Discord, Signal, iMessage, and more. It can execute code, browse the web, manage files, and interact with external APIs through a skill and tool system.
Official page: https://openclaw.ai
GitHub: https://github.com/openclaw/openclaw
Docs: https://docs.openclaw.ai
Key Capabilities
| Capability | Description |
|---|---|
| Multi-channel inbox | WhatsApp, Telegram, Slack, Discord, Signal, IRC, Microsoft Teams, Matrix, and more |
| Agent runtime | Executes tools, skills, and code on your behalf |
| Voice support | Wake words and continuous voice on macOS/iOS/Android |
| Live Canvas | Agent-driven visual workspace |
| Local-first | Gateway runs on your device — your data stays with you |
| Multi-model | Works with OpenAI, Anthropic, Google Gemini, local models via Ollama, and more |
⚠️ Security Considerations — Read This First
OpenClaw is not a passive chatbot. It is an autonomous agent that can:
- Execute arbitrary code on your machine through skills and tools
- Access your filesystem — read, write, and delete files
- Make network requests to any endpoint
- Send messages on your behalf through connected channels
- Run continuously as a system daemon
Before installing, understand these risks:
- Inbound messages are untrusted input. Anyone who can DM your connected accounts can potentially trigger agent actions.
- Skills can execute shell commands. A misconfigured or malicious skill can compromise your system.
- API keys stored on disk can be exfiltrated if the system is compromised.
- The Gateway listens on a network port (default
18789), which must be protected.
⚠️ Never run OpenClaw on a machine with sensitive production credentials unless you have properly isolated it.
Prerequisites
Hardware Requirements
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 vCPU | 4+ vCPU |
| RAM | 4 GB | 8 GB |
| Disk | 5 GB free | 10 GB free |
Software Requirements
| Dependency | Version | Notes |
|---|---|---|
| Ubuntu | 22.04 LTS or later | Other Debian-based distros should work |
| Node.js | 22.16+ (24 recommended) | Use nvm for isolation |
| npm | 10+ | Comes with Node.js |
| Git | 2.x | For source builds (optional) |
Verify Your Ubuntu Version
lsb_release -aExpected output should show Ubuntu 22.04, 24.04, or later.
Secure Installation Methods
Method 1: Verified npm Install (Recommended)
This is the safest standard installation path. We use nvm (Node Version Manager) to avoid polluting the system Node.js and to run without sudo.
Step 1 — Install nvm (Node Version Manager)
Using nvm isolates the Node.js installation to your user account. No root privileges required.
# Download the nvm install script first — inspect before running
curl -o /tmp/nvm-install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh
# Review the script (always inspect remote scripts before execution)
less /tmp/nvm-install.sh
# Run the verified script
bash /tmp/nvm-install.sh
# Load nvm into the current shell
source ~/.bashrc⚠️ Why not
curl | bash? Piping a remote script directly into bash means you execute whatever the server sends — including potentially malicious code. Always download, inspect, then run.
Step 2 — Install Node.js 24 via nvm
nvm install 24
nvm use 24
# Verify
node --version # Should show v24.x.x
npm --version # Should show 10.x or laterStep 3 — Create a Dedicated User (Optional but Recommended)
Running OpenClaw as a dedicated system user limits the blast radius if the agent is compromised.
# Create a system user with no login shell
sudo useradd --system --create-home --shell /usr/sbin/nologin openclaw
# Switch to that user for installation
sudo -u openclaw -s /bin/bash
cd ~
# Install nvm for this user (repeat Step 1-2 above)Step 4 — Install OpenClaw
npm install -g openclaw@latestStep 5 — Run Onboarding
The onboarding wizard guides you through Gateway setup, workspace configuration, channel connections, and model selection.
openclaw onboard --install-daemonThis installs the Gateway as a systemd user service so it persists across reboots. The wizard will prompt you to:
- Select an inference provider (OpenAI, Anthropic, Google Gemini, etc.)
- Configure messaging channels
- Set up the workspace directory
Step 6 — Verify the Installation
# Check OpenClaw version
openclaw --version
# Run the built-in diagnostics
openclaw doctor
# Test the agent with a simple message
openclaw agent --message "Hello, what is 2+2?" --session-id testMethod 2: Docker Installation (Stronger Isolation)
Running OpenClaw in Docker provides filesystem isolation, network namespacing, and resource limits that a bare-metal install cannot match. This is the recommended approach for security-conscious deployments.
Step 1 — Install Docker
# Install Docker using the official convenience script
# Download first, then inspect
curl -fsSL https://get.docker.com -o /tmp/get-docker.sh
less /tmp/get-docker.sh
sudo sh /tmp/get-docker.sh
# Add your user to the docker group (avoids running Docker as root)
sudo usermod -aG docker $USER
newgrp docker
# Verify
docker --versionStep 2 — Run OpenClaw in Docker
OpenClaw provides an official Docker setup. Refer to the documentation at https://docs.openclaw.ai/install/docker for the latest image and configuration options.
# Pull the official image
docker pull openclaw/openclaw:latest
# Run with restricted capabilities
docker run -d \
--name openclaw \
--restart unless-stopped \
--cap-drop ALL \
--security-opt no-new-privileges:true \
--memory 2g \
--cpus 2 \
-p 127.0.0.1:18789:18789 \
-v openclaw-data:/home/openclaw/.openclaw \
openclaw/openclaw:latestKey security flags explained:
| Flag | Purpose |
|---|---|
--cap-drop ALL | Drops all Linux capabilities — only keeps what is explicitly needed |
--security-opt no-new-privileges:true | Prevents privilege escalation inside the container |
--memory 2g | Limits memory usage to prevent resource exhaustion |
--cpus 2 | Limits CPU to prevent denial-of-service |
-p 127.0.0.1:18789:18789 | Binds the port only to localhost — not exposed externally |
Step 3 — Enter the Container for Onboarding
docker exec -it openclaw bash
# Inside the container
openclaw onboardMethod 3: Build from Source (Full Audit)
If you need to audit every line of code before running it:
git clone https://github.com/openclaw/openclaw.git
cd openclaw
# Verify the commit signature (if available)
git log --show-signature -1
# Review the code
# ...
# Install dependencies and build
pnpm install
pnpm ui:build
pnpm build
# Run onboarding
pnpm openclaw onboard --install-daemonPost-Install Security Hardening
1. Firewall Rules (UFW)
The OpenClaw Gateway listens on port 18789 by default. Lock it down:
# Allow SSH (so you don't lock yourself out)
sudo ufw allow ssh
# Block the Gateway port from external access
# (Only allow localhost connections)
sudo ufw deny 18789
# Enable the firewall
sudo ufw enable
# Verify
sudo ufw status verboseIf you need remote access to the Gateway (e.g., from a mobile app), use an SSH tunnel instead of exposing the port:
# From your local machine
ssh -L 18789:127.0.0.1:18789 user@your-server2. API Key Management
OpenClaw stores inference provider credentials on disk. Protect them:
# Restrict file permissions on the config directory
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/*.json
# Verify permissions
ls -la ~/.openclaw/Best practices for API keys:
- Use a dedicated API key for OpenClaw — never reuse keys from other services
- Set spending limits on your inference provider dashboard
- Rotate keys periodically
- Monitor usage for anomalies
3. DM Security (Channel Access Control)
OpenClaw defaults to dmPolicy="pairing" — unknown senders receive a pairing code and must be explicitly approved. Do not change this to "open" unless you understand the risks.
# List approved contacts
openclaw pairing list
# Approve a specific sender
openclaw pairing approve <channel> <code>
# Run the security diagnostics
openclaw doctor⚠️ Setting
dmPolicy="open"means anyone who can DM your connected accounts can interact with your agent — including executing tools.
4. Limit Skill Permissions
Review which skills are enabled and what they can do:
# List installed skills
openclaw skills list
# Disable risky skills you don't need
openclaw skills disable <skill-name>Only enable skills you actively use and have reviewed. Third-party skills should be treated as untrusted code.
5. Systemd Hardening (If Running as a Daemon)
If OpenClaw is running as a systemd service, add hardening directives:
# Edit the service file
systemctl --user edit openclaw
# Add these hardening options:
# [Service]
# NoNewPrivileges=true
# ProtectSystem=strict
# ProtectHome=read-only
# PrivateTmp=true
# ReadWritePaths=~/.openclawRunning OpenClaw Safely
Start the Gateway
# Start the daemon (if installed via onboarding)
systemctl --user start openclaw
# Or run manually with verbose logging
openclaw gateway --port 18789 --verboseMonitor Activity
# Follow the Gateway logs
journalctl --user -u openclaw -f
# Or if running manually
openclaw gateway --verbose 2>&1 | tee /tmp/openclaw.logHealth Check
# Built-in diagnostics
openclaw doctor
# Verify the Gateway is responding
curl -s http://127.0.0.1:18789/healthVerification and Testing
Run through this checklist after installation:
# 1. Version check
openclaw --version
# 2. Doctor diagnostics (checks config, channels, security)
openclaw doctor
# 3. Send a test message through the agent
openclaw agent --message "Summarize your capabilities" --session-id verify
# 4. Verify DM pairing is active
openclaw doctor | grep -i "dm"
# 5. Check the Gateway port is not externally accessible
# (Run from another machine or use an online port scanner)
sudo ss -tlnp | grep 18789Troubleshooting
openclaw Command Not Found After Install
If you use nvm or fnm, the installer may not update your current shell PATH.
# Reload your shell profile
source ~/.bashrc
# Or open a new terminal
# Verify nvm is active
nvm currentPermission Denied Errors
# Check file ownership
ls -la ~/.openclaw/
# Fix ownership if needed
sudo chown -R $USER:$USER ~/.openclaw/
chmod 700 ~/.openclawGateway Fails to Start
# Check if the port is already in use
sudo ss -tlnp | grep 18789
# Check systemd logs
journalctl --user -u openclaw --no-pager -n 50
# Try running manually for detailed output
openclaw gateway --port 18789 --verboseNode.js Version Too Old
# Check current version
node --version
# Update via nvm
nvm install 24
nvm use 24
nvm alias default 24Docker Container Fails to Start
# Check container logs
docker logs openclaw
# Verify Docker is running
docker info
# Check resource limits
docker stats openclawOpenClaw vs NemoClaw — Security Comparison
If security is your primary concern, consider running OpenClaw through NVIDIA NemoClaw instead of bare metal. NemoClaw wraps OpenClaw in the OpenShell sandbox runtime with defense-in-depth protections.
| Aspect | OpenClaw (Standalone) | OpenClaw via NemoClaw |
|---|---|---|
| Filesystem access | Full access to user home | Restricted to /sandbox and /tmp |
| Network egress | Unrestricted | Policy-controlled, blocked by default |
| Inference routing | Direct API calls with your keys | Routed through OpenShell gateway |
| Credential exposure | Keys stored in ~/.openclaw/ | Keys never enter the sandbox |
| Privilege escalation | Possible if agent exploited | Blocked by Landlock + seccomp |
| Process isolation | OS user-level only | Container + kernel namespace isolation |
| Operator approval | Not available | Real-time egress approval via TUI |
See the companion article: Installing NVIDIA NemoClaw Securely for the full NemoClaw setup guide.
Follow my blog for more guides on running AI agents safely in production environments.