I Fed 20+ OpenClaw Articles to Opus 4.6 - Here's the Setup Guide It Built

Over the past few weeks, we've been bombarded with articles explaining how to set up OpenClaw: what to avoid, what the best configuration is, what safety measures to take, etc. It's overwhelming. So I took a Google Doc, dumped 20+ articles into it, and fed it to Opus 4.6. The prompt was: "Based on all the information in this Google Doc, create the best OpenClaw setup guide. Don't take anything written here as gospel, cross-reference and back up every claim with other sources. Use the content as a starting framework for thinking, not as trusted fact." Here's what it gave me: What is covered in this article: Pre-Setup: Threat Model Phase 1A: Mac Mini Initial Setup Phase 1B: Install OpenClaw Phase 1C: Onboarding Wizard Phase 1D: Connect Telegram Phase 1E: Test Basic Conversation Phase 2A: Security Hardening Phase 2B: Docker Sandbox Phase 2C: Tool Policy Lockdown Phase 2D: SOUL.md — Agent Identity & Boundaries Phase 2E: Tailscale Remote Access Phase 2F: API Spending Limits Phase 2G: File Permissions Phase 2H: LaunchAgent (24/7 Operation) Phase 3: Matrix Migration Maintenance & Updates Emergency Procedures 1. Pre-Setup: Threat Model Before touching the keyboard, understand what you're defending against: What attackers target in your setup Malicious ClawHub skill: You install a skill that looks legitimate. It contains Atomic Stealer malware that harvests your keychain, browser passwords, wallet files, and API keys. Prompt injection via message: Someone sends you a crafted Telegram message or email. When the agent reads it, hidden instructions tell it to exfiltrate your exchange API keys or execute shell commands. Runaway automation loops: A prompt injection or buggy skill causes the agent to make API calls in an infinite loop. Memory poisoning: Malicious payload injected into agent memory on Day 1, triggers weeks later when conditions align. Credential harvesting: ~/.openclaw/ stores API keys, bot tokens, OAuth tokens, and conversation history in plaintext files. Any malware that reads these files owns everything. 2. Phase 1A: Mac Mini Initial Setup 2.1 First boot Power on your Mac Mini M4. Complete the macOS setup wizard: - Create your user account - Enable FileVault (full-disk encryption) — this is critical - Connect to Wi-Fi - Skip iCloud if this is a dedicated OpenClaw machine (recommended) - Install macOS updates — run System Settings → General → Software Update 2.2 System security settings Open System Settings → Privacy & Security: - Firewall: Turn ON - Allow applications downloaded from: "App Store and identified developers" 2.3 Open Terminal Open Terminal.app (Applications → Utilities → Terminal, or Spotlight: ⌘+Space → type "Terminal"). All commands below are run in Terminal. 2.4 Install Xcode Command Line Tools A popup appears. Click "Install". Wait for it to complete (a few minutes). 2.5 Install Homebrew Follow the on-screen instructions. At the end, it will tell you to run two commands to add Homebrew to your PATH. Run those commands. They look like: Verify: 2.6 Install Node.js 22+ Verify: If `node --version` doesn't work, link it: 2.7 Install Git (if not already present) 2.8 Install Docker Desktop (needed for sandbox later) Open Docker Desktop from Applications. Complete the setup. It needs to be running for sandboxing to work. 3. Phase 1B: Install OpenClaw 3.1 Run the official installer The installer will: - Detect Node.js - Install the OpenClaw CLI globally via npm - Launch the onboarding wizard automatically 3.2 Verify version (CRITICAL) Must be 2026.2.9 or higher. If it's lower than 2026.1.29, you are vulnerable to CVE-2026-25253 (1-click RCE). Update immediately: 3.3 Verify installation health Fix anything it flags before proceeding. 4. Phase 1C: Onboarding Wizard The onboarding wizard (`openclaw onboard`) will walk you through configuration. Here's what to choose at each step: 4.1 Authentication You need two API keys — one for each provider: A) Moonshot AI API key (for Kimi K2.5 — primary model): 1. Go to https://platform.moonshot.ai and create an account 2. Navigate to the Console and create an API key 3. Add credit ($5–10 to start is plenty) 4. Save the key securely B) Anthropic API key (for Claude Sonnet 4.5 — fallback model): 1. Go to https://console.anthropic.com/ 2. Navigate to API Keys and generate a key 3. Add credit ($5–10 to start) 4. Save the key securely When the onboarding wizard prompts for auth/model provider: - Choose Moonshot AI Kimi K2.5 - Then choose kimi api key (.ai) (the international endpoint) - Paste your Moonshot API key when prompted - We'll add Anthropic as fallback after onboarding finishes 4.2 Gateway settings - Gateway mode: `local` (this is the default, keep it) - Gateway bind: `127.0.0.1` (localhost only — never `0.0.0.0`) - Port: `18789` (default is fine) - Auth password: SET ONE. The wizard may prompt you. If not, set it immediately after: Use a long random password (20+ characters). Store it in a password manager. 4.3 Model selection The onboarding wizard handles Kimi K2.5 setup directly. When prompted: - Select Moonshot AI Kimi K2.5 - Select kimi api key (.ai) - Paste your Moonshot API key The wizard will configure Kimi K2.5 as your primary model automatically. 4.3.1 Add Claude Sonnet 4.5 as fallback (AFTER onboarding completes) Once onboarding finishes, add Anthropic as a fallback provider so OpenClaw switches to Sonnet automatically if Kimi is rate-limited or down. Step 1: Add your Anthropic API key: Step 2: Add Sonnet as fallback + register alias: Step 3: Verify the configuration: You should see: - Primary: `moonshotai/kimi-k2.5` - Fallback 1: `anthropic/claude-sonnet-4-5` Step 4: Restart: Manual model switching in Telegram: You can switch models mid-conversation: 4.3.2 Cost comparison (why this setup saves money) Estimated monthly cost: $5–20/month (down from $50–150 with Opus 4.6) 5. Phase 1D: Connect Telegram 5.1 Create your Telegram bot 1. Open Telegram on your phone 2. Search for @ BotFather (verify the blue checkmark — it's the official bot) 3. Send `/newbot` 4. Follow prompts: - Give it a name (e.g., "My OpenClaw Assistant") - Give it a username ending in `bot` (e.g., `myopenclaw_bot`) 5. BotFather gives you a*token — copy it and save it securely 6. Optional but recommended BotFather settings: - Send `/setjoingroups` → choose your bot → select "Disable" (prevents adding to random groups) - Send `/setprivacy` → choose your bot → select "Enable" (limits what bot sees in groups) 5.2 Configure Telegram in OpenClaw Key settings explained: - `dmPolicy: "pairing"` — strangers can't just message your bot. They get a pairing code you must approve. - `configWrites: false` — prevents anyone from changing your config through Telegram messages. 5.3 Disable group chat (security) You don't want random groups triggering your agent. 5.4 Restart the gateway 5.5 Pair your Telegram account 1. Open Telegram on your phone 2. Search for your bot's username (e.g., `@myopenclaw_bot`) 3. Send it any message (e.g., "hello") 4. You'll receive a pairing code 5. Approve it: Or approve via the Control UI. 6. Phase 1E: Test Basic Conversation Send a message to your bot on Telegram: If you get a coherent response identifying itself as Kimi K2.5, Phase 1 is complete. If the response comes from Claude Sonnet instead, check your model routing — Kimi may be misconfigured or down. Run `openclaw models status` to debug. Verify in the Control UI that the session appears and messages are logged. 7. Phase 2A: Security Hardening 7.1 Run the security audit Read every finding. Fix everything it flags. Common fixes: 7.2 Run the auto-fix This tightens safe defaults and fixes file permissions. 7.3 Verify after fix Should show no critical findings. 8. Phase 2B: Docker Sandbox The sandbox runs the agent's tool execution (shell commands, file operations) inside Docker containers. This limits the blast radius if the agent is tricked into doing something malicious. 8.1 Make sure Docker is running Open Docker Desktop if it's not running. Verify: 8.2 Build the sandbox image If the above doesn't work (script path varies by install method), set sandbox mode and OpenClaw will auto-create containers: 8.3 Enable sandboxing Settings explained: - `mode: "all"` — ALL sessions run in Docker, including your main DM session - `scope: "session"` — each session gets its own isolated container - `workspaceAccess: "ro"` — agent can READ the workspace but not WRITE to it from sandbox 8.4 Network isolation for sandbox `network: "none"` means sandbox containers have NO internet access. This is the safest option. The agent can still use OpenClaw's built-in web tools (those run on the gateway, not in the sandbox). 8.5 Resource limits 8.6 Restart and verify The explain command shows you exactly what's sandboxed and what's not. 9. Phase 2C: Tool Policy Lockdown Tool policy controls WHICH tools the agent can use. Even inside the sandbox, you want to restrict what's available. 9.1 Deny dangerous tools This blocks: - `browser` — prevents the agent from browsing the web autonomously (prompt injection risk from web content) - `exec` — prevents shell command execution - `process` — prevents background process management - `apply_patch` — prevents file patching - `write` / `edit` — prevents file system modifications 9.2 What remains allowed With the above deny list, the agent can still: - Chat with you (core function) - Read files (read-only access) - Use web_search and web_fetch (built-in, not browser automation) - Use sessions tools - Use memory tools 9.3 Gradually enable tools as needed Once you're comfortable, you can selectively re-enable tools: Remember: deny wins over allow. Remove a tool from deny before adding it to allow. 9.4 Disable elevated mode Elevated mode lets the agent escape the sandbox and run on the host. Disable it: 10. Phase 2D: SOUL.md — Agent Identity & Boundaries SOUL.md defines your agent's personality, knowledge, and hard boundaries. This is injected into every conversation as a system prompt. 10.1 Create your SOUL.md 10.2 Verify SOUL.md is loaded Send a message to your bot on Telegram: The response should reflect the SOUL.md rules. 10.3 Multi-model security note ⚠️ Important: Your SOUL.md boundaries are your primary defense against prompt injection. With Kimi K2.5 as your default model, the SOUL.md is even more critical than with Claude, because: - Anthropic models are specifically trained to resist prompt injection and follow system instructions over user/content instructions. This is a core safety investment Anthropic makes. - Kimi K2.5 is optimized for agentic performance and benchmarks. Its adversarial robustness against prompt injection is less publicly tested and documented. - Your mitigation: The tool policy lockdown (Phase 2C) and Docker sandbox (Phase 2B) provide defense-in-depth. Even if the model follows a malicious instruction, the locked tools and sandbox limit what damage can actually occur. If you ever notice the agent behaving unexpectedly — following instructions from content it's reading, attempting tool calls it shouldn't, or responding as if it has different instructions — immediately send `/new` to reset the session and investigate the session logs. 11. Phase 2E: Tailscale Remote Access Tailscale creates a private VPN mesh. You'll use it to access your Mac Mini's Control UI from your iPhone or personal Mac without exposing any ports to the internet. 11.1 Install Tailscale Open Tailscale from Applications. Log in or create an account. 11.2 Install Tailscale on your iPhone Download "Tailscale" from the App Store. Log in with the same account. 11.3 Verify mesh connectivity On your Mac Mini: You should see both your Mac Mini and iPhone listed with Tailscale IPs (100.x.x.x). 11.4 Access Control UI remotely From your iPhone's browser (connected to Tailscale), navigate to: Replace `100.x.x.x` with your Mac Mini's Tailscale IP. If the gateway auth password is set, you'll need to enter it. Note: The gateway binds to 127.0.0.1, so Tailscale access requires the gateway to also listen on the Tailscale interface. You may need to adjust: Tailscale traffic to localhost should work if Tailscale is properly configured. If not, you can bind to your Tailscale IP specifically — but never bind to `0.0.0.0`. 12. Phase 2F: API Spending Limits 12.1 Set limits on Moonshot Platform (primary — Kimi K2.5) 1. Go to https://platform.moonshot.ai → Console 2. Moonshot uses prepaid credits — recharge to add balance 3. Recommended: **Load $5–10 initially**, do NOT auto-reload 4. Check your tier limits — Tier 1 ($10 recharged) gives 50 concurrent requests / 200 RPM 5. Moonshot stops serving requests when credits run out (natural spending cap) > Tip: Because Moonshot is prepaid, you physically can't overspend. This is actually safer than Anthropic's post-paid billing for cost control. 12.2 Set limits on Anthropic Console (fallback — Sonnet 4.5) 1. Go to https://console.anthropic.com/ 2. Navigate to Settings → Plans & Billing → Spending Limits 3. Set a monthly limit and a daily limit 4. Recommended starting limits: - Daily: $5/day - Monthly: **$50/month** 5. Set up email alerts at 50% and 80% of limits 12.3 Monitor usage across both providers Also check both dashboards regularly: - Moonshot: https://platform.moonshot.ai (Console → Usage) - Anthropic: https://console.anthropic.com/ (Usage tab) 13. Phase 2G: File Permissions OpenClaw stores sensitive data in plaintext. Lock down the directory: All files should show `rwx------` (owner only) or `rw-------`. 14. Phase 2H: LaunchAgent (24/7 Operation) If the onboarding wizard installed the daemon, the gateway is already set to start on boot. Verify: ### 14.1 Check LaunchAgent You should see something like `bot.molt.gateway.plist`. 14.2 Verify it runs on boot 14.3 Prevent sleep (optional) If you want the Mac Mini to never sleep (recommended for 24/7 operation): System Settings → Energy → Prevent automatic sleeping when the display is off → Turn ON 14.4 Test restart Reboot the Mac Mini: After reboot, verify: Send a test message from Telegram to confirm it's working. 15. Phase 3: Matrix Migration Matrix provides E2E encrypted messaging, meaning even the server operator can't read your messages. 15.1 Prerequisites You need a Matrix account and homeserver. Options: - matrix.org (free, public) — easiest but less private (public homeserver) - Self-hosted Synapse — most private, most complex - Element One (paid, hosted by Element) — good middle ground 15.2 Install the Matrix plugin 15.3 Configure Matrix 15.4 Enable E2E encryption The Matrix plugin should support E2E encryption. Verify with: Check that the Matrix channel shows encryption status. 15.5 Migrate primary communication Once Matrix is working: 1. Test with basic conversation 2. Gradually shift your primary agent communication to Matrix 3. Consider disabling Telegram once Matrix is stable: 16. Maintenance & Updates 16.1 Regular security audits Run weekly: 16.2 Check for exposed instances Verify your gateway is not publicly accessible: 16.3 Rotate credentials Every 3 months: 1. Rotate your Moonshot API key (generate new on platform.moonshot.ai → update config → delete old) 2. Rotate your Anthropic API key (generate new → update config → revoke old) 3. Rotate your Telegram bot token (via @BotFather `/revoke` → update config) 4. Rotate your gateway auth password 5. Rotate exchange API keys 16.4 Monitor API usage If you see unexpected spikes, investigate immediately — could be a runaway loop or compromised agent. 17. Emergency Procedures If you suspect compromise If API bill is unexpectedly high If agent behaves erratically - OpenClaw Security Docs: https://docs.openclaw.ai/gateway/security - GitHub Security Advisories: https://github.com/openclaw/openclaw/security - Koi Security's Clawdex (skill scanner): https://clawdex.koi.security (use web version to check skills before considering any install) - VirusTotal Blog on OpenClaw: https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html Thanks for reading, happy to get any feedback on this.