OpenClaw Setup Guide
Complete setup and configuration guide for OpenClaw — the agent with the fastest GitHub star growth in history. Skills & Tools model, NVIDIA NemoClaw, Pi SDK engine, security hardening.
OpenClaw
OpenClaw crossed 250,000 GitHub stars faster than any AI framework in history. NVIDIA built NemoClaw on top of it. JustPaid ran 7 OpenClaw agents 24/7 and shipped 10 features in a month. It's the most popular open-source agent framework by GitHub metrics.
Under the hood, OpenClaw uses Pi Coding Agent's SDK as its agent engine. Skills & Tools are the atomic units of capability — install from the marketplace, configure with YAML, and the agent discovers them at runtime.
For an introductory overview, see the OpenClaw Guide blog post. This page covers production setup and security hardening.
Note:
Security alert. OpenClaw has documented CVEs related to unauthenticated MCP tool access and malicious plugin injection. Zapier's enterprise guide calls it out specifically. For production deployments, follow the security hardening steps below. Consider Hermes Agent if security is your primary concern.
Installation
Clone and Install
git clone https://github.com/OpenClaw/OpenClaw.git
cd OpenClaw
npm install
Configure Environment
cp .env.example .env
At minimum: one LLM provider API key and one messaging platform.
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
TELEGRAM_BOT_TOKEN=...
Start
npm run start
Skills & Tools
Skills define what the agent can do. Tools are the atomic actions skills use. The marketplace has thousands of community skills. Install them declaratively.
# skills.yml
skills:
- name: web-search
tools: [brave-search, firecrawl]
instructions: "Search the web using Brave. Extract pages with Firecrawl."
- name: code-execution
tools: [run-python, run-bash, read-file, write-file]
instructions: "Execute code in a sandbox. Read and write files."
- name: github
tools: [github-issues, github-prs, github-search]
instructions: "Create issues, review PRs, search repositories."
# Install a community skill
openclaw skills install openclaw/skills/email-automation
# Enable it
openclaw skills enable email-automation
# List active skills
openclaw skills list
Essential Skills
Values: 95K installs
Values: 88K installs
Values: 80K installs
Values: 65K installs
Values: 52K installs
NVIDIA NemoClaw
NVIDIA built NemoClaw on top of OpenClaw for GPU-optimized agent inference. It adds:
- GPU-accelerated inference — Runs models directly on NVIDIA GPUs via TensorRT-LLM
- Microservice architecture — Each agent skill runs as an independent NIM (NVIDIA Inference Microservice)
- Multi-GPU scaling — Distribute agent workloads across GPU clusters
# NemoClaw uses the same skills as OpenClaw but with GPU acceleration
nemoclaw run --skill web-search --gpu a100-80gb
Note:
When to use NemoClaw. If you're self-hosting model inference on NVIDIA GPUs (not using cloud APIs), NemoClaw gives you 3-5x faster token generation compared to running the same model on CPU or through Ollama. For API-based workflows (Claude, GPT-4o via API), standard OpenClaw is sufficient.
Security Hardening
Restrict Tool Access
Never expose all tools to a single agent instance. Define tool allowlists per agent.
# harden.yml
tool_policy:
allowlist: [web-search, file-read, github-read]
blocklist: [file-delete, shell-exec, db-write]
Sandbox Execution
Run OpenClaw inside a container with minimal filesystem access.
docker run -v $(pwd)/workspace:/workspace:ro \
-v $(pwd)/skills:/skills:ro \
openclaw:latest
Mount the workspace as read-only. Only mount write access to a dedicated output directory.
Audit Plugin Sources
Skills from the marketplace are community-contributed. Audit before installing.
# Review a skill before enabling
openclaw skills inspect openclaw/skills/email-automation
# Pin to a specific version
openclaw skills install openclaw/skills/[email protected]
Enable MCP Authentication
If using MCP tools, require authentication.
mcp:
auth:
required: true
tokens:
- key: mcp-token-1
scopes: [read, search]
Note:
Do not run OpenClaw with --no-sandbox in production. The flag disables all tool restrictions and allows the agent to execute arbitrary commands on the host system. Only use it in isolated development environments.
Provider Configuration
Same providers as Hermes Agent. Configure in providers.yml:
providers:
anthropic:
api_key: ${ANTHROPIC_API_KEY}
default_model: claude-sonnet-4-20250514
openai:
api_key: ${OPENAI_API_KEY}
default_model: gpt-4o
ollama:
endpoint: http://localhost:11434
default_model: llama3.2:3b
Running Blueprints on OpenClaw
Package any blueprint as an OpenClaw skill:
# Create a skill from the research agent blueprint
mkdir -p ~/.openclaw/skills/research-agent
cp blueprints/research-agent/* ~/.openclaw/skills/research-agent/
# Register tools from the blueprint
openclaw tools register brave-search firecrawl fact-check cite-source
# Enable the skill
openclaw skills enable research-agent
Key Takeaway
OpenClaw is the right choice when you need the largest skill ecosystem and community support. Its marketplace has thousands of pre-built integrations. The tradeoff is security — you must harden it before production use. For teams prioritizing security over ecosystem size, Hermes Agent is the safer choice.
Related Articles
Hermes Agent Setup Guide
Complete setup and configuration guide for Hermes Agent by Nous Research — the #1 self-hosted AI agent on OpenRouter. Skills, security, messaging platforms, and LLM provider wiring.
Research Agent Blueprint
Complete research agent blueprint with web search, content extraction, fact-checking, and citation. Ready-to-run Python implementation with OpenAI function calling.
Content Writer Agent Blueprint
Multi-step content creation agent with outline, research, draft, edit, and finalization stages. Includes grammar checking, tone adjustment, and SEO optimization tools.