I've been running OpenClaw for a while now and I think it's pretty awesome.
If you haven't heard of it, OpenClaw is a self-hosted AI agent that runs on your own hardware: a spare laptop, a Mac Mini, or a VPS. At AWS we have Amazon Lightsail, which is a great option for running OpenClaw on a dedicated instance. (Full disclosure: I'm a Developer Advocate for AWS, so I'll be recommending AWS services where relevant. Feel free to use whatever VPS provider you'd like.) It's not a chatbot you open in a browser tab. It's always on. It connects to your messaging apps (Telegram, Discord, WhatsApp), reads your files, runs scheduled tasks, and takes action on your behalf. By default, a heartbeat runs every 30 minutes: it checks for instructions in HEARTBEAT.md and acts proactively. You can customize the interval or disable it entirely, but it's on out of the box.
The whole thing is built around plain-text markdown files. Your agent's personality lives in SOUL.md. Its long-term memory lives in MEMORY.md. Its knowledge of you lives in USER.md. These files are your agent.
The default install is not entirely production ready. Your gateway might be exposed to the public internet. Your default model might be eating your API budget. And without a few key configuration steps, your agent has no idea who you are or what it's allowed to do.
These are the five things that I would do after you install OpenClaw.
FYI: OpenClaw moves fast — updates ship 2–3 times a week and the UI changes regularly. The steps here are based on v2026.5.x. If something looks different in your version, check the official docs first. And as always, be careful giving any agent access to your files, accounts, and messaging apps. Start with read-only tasks and expand permissions as you build trust.
- Opening the Dashboard
- 1. Lock Down Your Gateway
- 2. Switch to a Cheaper Model
- 3. Write Your SOUL.md With Boundaries
- 4. Seed Your Memory Files
- 5. Back Up Your Workspace and Use /new
- Resources
Prerequisites
- OpenClaw installed and running
- Access to your API provider dashboard (Anthropic, OpenAI, or similar)
Opening the Dashboard
The dashboard runs at http://127.0.0.1:18789 by default. The easiest way to open it with your token already attached is to run this from the terminal on the machine where OpenClaw is installed:
openclaw dashboard
This opens the dashboard in your browser with a clean URL. If it asks for a token, run this to get it:
openclaw config get gateway.auth.token
Then paste it into the dashboard login prompt. See the dashboard docs for more detail.
If you've already logged in before, just go straight to http://127.0.0.1:18789. Your browser should have the session cached.
Steps
1. Lock Down Your Gateway
Good news: the default install gets this right. Bind mode is loopback and auth mode is token out of the box. If you installed via the quick-start script, verify this. Some install paths skip token setup during onboarding.
The reason this is still Step 1 is that it's easy to accidentally break, and most people never verify it.
Go to Settings → Infrastructure and confirm these two settings.
Gateway Bind Mode: should be loopback for a local setup. This controls who can reach the port at all — loopback means only 127.0.0.1, so nothing outside the machine can connect regardless of auth settings. lan binds to all network interfaces, which is fine on a home machine where your interfaces are private. On a VPS where the network interface has a public IP, lan puts the port on the internet. That's where the real exposure happens. If you need remote access, use tailnet (Tailscale) rather than lan — it keeps the port off the public internet.
Gateway Auth Mode: should be token. This controls what happens once someone reaches the port. If it's none, anyone who can reach the port connects with no credentials at all. On loopback that's low risk. On a public bind it's a disaster. There are thousands of OpenClaw instances exposed on the public internet right now, and most of them are the result of changing bind mode without realizing what that exposes.
While you're here, check two more things:
- Insecure Control UI Auth Toggle: may be enabled from your initial setup. Turn it off. When on (allowInsecureAuth: true), it lets localhost Control UI sessions bypass device identity checks in non-secure HTTP contexts. It's a compatibility workaround that shouldn't be left on in normal use. The security audit will flag it if it's enabled.
- Control UI Allowed Origins: should list your specific origins (e.g., http://localhost:18789). Never set this to *.
To verify from the command line:
openclaw config get gateway.auth.mode
# should print: token
openclaw config get gateway.bind
# should print: loopback
If either prints something different, fix it in the dashboard before moving on.
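An added example (not from OpenClaw or the original post): a shell check that rates the two config values the way the section above describes and cross-checks them against what is actually listening on port 18789. It assumes Linux with `ss`; the function names and the `live` argument are illustrative.

```shell
#!/bin/sh
# Added example (not OpenClaw's own tooling): cross-check the gateway config
# against what the OS is actually listening on. Assumes Linux with `ss`.
PORT=18789   # default gateway/dashboard port named in the article

# Rate a bind/auth pair using the risk reasoning from the article.
assess_gateway() {
  case "$1:$2" in
    loopback:token|tailnet:token) echo "ok" ;;
    loopback:*) echo "warn: loopback bind, but auth mode is '$2' (want token)" ;;
    lan:token)  echo "warn: lan binds every interface; on a VPS that is public" ;;
    *:none)     echo "critical: non-loopback bind with no authentication" ;;
    *)          echo "warn: unexpected bind='$1' auth='$2'" ;;
  esac
}

# Read `ss -ltn` output on stdin; print each non-loopback address on $PORT.
exposed_listeners() {
  awk -v port="$PORT" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next                      # some other service
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next    # loopback is fine
      print addr
    }'
}

# Live check: compare the configured values with the real socket state.
live_check() {
  bind=$(openclaw config get gateway.bind)
  auth=$(openclaw config get gateway.auth.mode)
  echo "config: $(assess_gateway "$bind" "$auth")"
  exposed=$(ss -ltn | exposed_listeners)
  if [ -n "$exposed" ]; then
    echo "socket: port $PORT is listening on:" $exposed
    [ "$bind" = "loopback" ] && echo "mismatch: config says loopback"
    return 1
  fi
  echo "socket: port $PORT is loopback-only (or not listening)"
}

# Constructed `ss -ltn` sample so the parser can be tried offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511        127.0.0.1:18789      0.0.0.0:*
LISTEN 0      511          0.0.0.0:18789      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*'

if [ "${1:-}" = "live" ]; then
  live_check
else
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners   # sample run
fi
```

Run it with the `live` argument on the gateway host; with a tailnet bind, a non-loopback listener is expected and the reported address should be the Tailscale one.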
Run the security audit. OpenClaw has a built-in security audit command. Run it now:
openclaw security audit
For a more thorough check that includes live probes:
openclaw security audit --deep
If it flags issues, --fix applies the safe defaults automatically:
openclaw security audit --fix
Then tell your agent to keep checking:
Read https://docs.openclaw.ai/gateway/security, run `openclaw security audit --deep`,
and send me a summary of any findings. Then schedule yourself to repeat this twice a day.
Pin your version. OpenClaw ships updates 2–3 times a week and some of them break things. The community built a tracker: isitstable.com/openclaw. Check it before you update, then install the recommended stable release:
openclaw update --tag <stable-version>
This handles the doctor check and gateway restart automatically. If you need to roll back to an older version, the manual fallback is npm i -g openclaw@<version> followed by openclaw doctor and openclaw gateway restart.
When you're ready to update, check the tracker, read the changelog, then update during a quiet period.
2. Switch to a Cheaper Model
Someone in the community went from $47/week to $6/week with two changes. It's one of the most upvoted posts in r/openclaw. That's the whole story for this step.
The default model on most OpenClaw installs is whatever was set during onboarding, often a top-tier model like GPT-5 or Opus. That's great for setup: you want the best reasoning when configuring your workspace files and personality. For daily use it works fine too, but it gets expensive fast. Your agent is checking calendars, drafting short replies, and running heartbeat tasks every 30 minutes. None of that needs frontier-model reasoning, and you're paying frontier-model prices for all of it.
Here's a breakdown of what the community recommends based on your budget and hardware:
If you want the best results and don't want to think about cost, Opus with Sonnet as fallback is the standard recommendation. Just be warned. It's expensive.
The cheapest option: use your ChatGPT Plus subscription. If you're already paying $20/month for ChatGPT Plus, you can connect OpenClaw to it via OpenAI Codex OAuth. That means you're using your existing subscription instead of paying separately per token. OpenAI explicitly supports this for third-party tools like OpenClaw. To set it up:
openclaw onboard --auth-choice openai-codex
Or if you're already past onboarding:
openclaw models auth login --provider openai-codex
This opens an OAuth flow to sign in with your ChatGPT account. Once connected, set your model to openai/gpt-5.5 and OpenClaw automatically uses the Codex subscription runtime. Usage limits apply. Check OpenAI's plan comparison for current details on what Plus vs Pro covers.
Note: Anthropic does allow Claude subscription auth (Claude Pro or Max) via Claude CLI reuse — run openclaw models auth login --provider anthropic --method cli --set-default. For production use, an API key is more reliable.
If you want to keep bills low without going local, Minimax M2.7 via API is worth knowing about. It's not as capable as Opus or Sonnet but it's significantly cheaper and the community rates it as surprisingly good for most daily tasks.
If your machine has 32GB+ RAM, local models become viable and can bring your API costs close to zero for routine work. A common setup: Opus or Sonnet for planning and complex reasoning, then a local model like Qwen Coder (8B parameter, free to run) for the actual code generation. On Apple Silicon (Mac Mini, MacBook Pro) the unified memory means RAM alone is enough for good performance on smaller models. On a PC or Linux box, a dedicated GPU makes a big difference; without one, local models run on CPU and can be slow enough to be frustrating for interactive use.
Where to change it: First, make sure your API key is set. The cleanest way is to add it to ~/.openclaw/.env:
# ~/.openclaw/.env
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
OpenClaw picks this up automatically at startup. Make sure this file isn't committed to a public repo, because it contains your credentials.
Then go to Settings → AI & Agents → Models tab and edit the Model JSON field directly:
{
  "primary": "anthropic/claude-sonnet-4-5",
  "fallback": "anthropic/claude-haiku-4-5"
}
The fallback kicks in if the primary is rate-limited or unavailable. Hit Save → Apply.
The SOUL.md trick: The second change that made the $47→$6 difference was adding one line to SOUL.md:
Only use a more powerful model when I explicitly ask for deep analysis.
This lets the agent self-route. Routine tasks stay cheap. You ask for "deep analysis" when you actually need it.
Check your costs: Go to Control → Usage in the sidebar. It shows total tokens, cost, and a breakdown by model. Check it daily in your first week until you understand your baseline. Keep an eye on the cache hit rate: a high rate means you're not paying full price for repeated context, since cached tokens cost significantly less than fresh input tokens.
3. Write Your SOUL.md With Boundaries
SOUL.md is the character sheet for your agent. It defines personality, voice, temperament, and what it's allowed to do. Most people fill it in during onboarding with vague answers and never touch it again. That's a mistake.
The file lives in your OpenClaw workspace alongside a handful of other markdown files: AGENTS.md, MEMORY.md, USER.md, IDENTITY.md. Together these plain-text files are your agent. If you ever migrate to new hardware, these files are what you bring with you.
Go to Agent in the sidebar and click the SOUL button, under Files. The default template is already there and it's actually pretty good. What it doesn't have is your specific boundaries. Add these at the bottom:
## Identity
You are [name]. You are a collaborator, not an assistant.
Push back when I'm wrong. Challenge ideas during brainstorms.
When I'm heads-down, keep it crisp.
## Defaults
Only use a more powerful model when I explicitly ask for deep analysis.
For routine tasks, use the cheapest capable model.
## Boundaries
Never delete files without explicit confirmation.
Never send messages on my behalf without showing me the draft first.
Never make purchases or API calls that cost money without asking.
If a task fails twice with the same error, stop and report. Do not retry.
That last section is easy to skip. Without explicit boundaries, your agent will make reasonable-sounding decisions that you didn't actually authorize.
The aggressive note-taker trick: Add this to both SOUL.md and AGENTS.md:
You are an aggressive note-taker. After every significant session,
write key decisions, preferences, and facts into your daily log.
SOUL.md gets it so the behavior is part of the agent's core identity. AGENTS.md gets it so it's enforced as an operating rule. Together they make it stick. Without both, the agent may follow the instruction in some sessions but not others. This is the single biggest thing you can do to prevent memory degradation over time.
4. Seed Your Memory Files
The biggest complaint from people who've been using OpenClaw for a few weeks is that it starts forgetting things. The experience gets less magical and more frustrating as you keep re-explaining context it should already know.
This is a known problem in the community and it's not fully solved. But it's manageable if you set things up right from the start.
Seed MEMORY.md before your first real session. Go to Agent in the sidebar, then click the MEMORY button. On a fresh install it shows as "MISSING". Clicking it opens an empty editor and saving creates the file.
MEMORY.md is for curated, distilled facts the agent needs to remember across every session: standing rules, key decisions, strong preferences. It gets injected into the context window on every turn, so keep it lean. This is not a journal or a log:
# Memory
## Preferences
- Communication style: direct and concise, skip filler phrases
- Response length: brief by default, thorough when I ask for detail
- Don't ask clarifying questions for simple tasks. Just do it.
## Standing Rules
- Always show me a draft before sending anything externally (email, messages, posts)
- Ask before making calendar changes or bookings
- If a task fails twice with the same error, stop and report. Don't keep retrying.
- Never modify config files without telling me what you're changing and why
## Key Context
- Main tools I use: [e.g. VS Code, GitHub, Notion, Slack]
- Current focus: [e.g. shipping a feature, writing content, job search]
- Things I'm working on this month: [1-3 active projects]
Keep MEMORY.md short. If it gets too long, OpenClaw truncates it when injecting into context, which means the stuff at the bottom silently disappears. Detailed notes belong in memory/YYYY-MM-DD.md daily logs, not here.
USER.md is different. Click the USER button on the same page. This is the agent's profile of you as a person: your background, role, working style, what you care about. The agent builds this over time, but seeding it upfront saves weeks of it figuring things out:
# User Profile
## Who I Am
- Name: [your name]
- Role: [what you do, e.g. "frontend engineer at a fintech startup"]
- Location / timezone: [city, UTC offset]
- Working hours: [e.g. 9am–6pm weekdays]
## How I Work
- I prefer [async / real-time] communication
- I get annoyed when: [e.g. things are over-explained, asked obvious questions]
- I work best when: [e.g. given context upfront, shown options not just answers]
## What I'm Trying to Do With OpenClaw
- [e.g. automate my morning briefing, manage email triage, track projects]
- My biggest time sink right now: [what you want help with most]
The short version: USER.md is who you are. MEMORY.md is what the agent must remember. AGENTS.md is the agent's operating procedure: how it behaves, what it does on startup, routing rules. All three get injected into every session, so they all matter.
Enable Dreaming. Go to your OpenClaw dashboard, find the Dreaming tab, and toggle it on. This is a beta feature with two phases: a shallow phase that writes session summaries to DREAMS.md, and a deep phase that promotes the strongest memories into MEMORY.md as permanent long-term storage. If you enable it and don't see things showing up in MEMORY.md right away, that's normal. Only the deep phase promotes to permanent memory, and it runs on its own schedule. Without Dreaming, session logs accumulate but never get distilled into anything the agent reliably recalls.
5. Back Up Your Workspace and Use /new
How sessions actually work. Every message you send in a session gets included in every future API call in that session. After a few hours of chatting, you're sending thousands of tokens of old conversation with every new message. It costs money, and it makes your agent slower and more confused as the context gets cluttered.
OpenClaw handles this in two ways.
Compaction happens automatically when the context window fills up. It summarizes older conversation history into a condensed entry to free up space. You can also trigger it manually with /compact before a long task, or guide what it focuses on:
/compact Focus on the deployment task
/new starts a completely fresh session. Your agent keeps everything: SOUL.md, MEMORY.md, USER.md, all your workspace files. You're just clearing the conversation buffer. Use it when you're switching topics or starting a new task. Many people in the community report meaningful cost savings just from using /new regularly. Most people don't know it exists.
Also learn /btw. It fires off a side question without touching your main session context. Great for quick lookups mid-task without opening a whole new session.
The key rule: anything important needs to be written to files, not just said in chat. Session memory dies on compaction. If you told your agent something three days ago in conversation, it may not remember it. If it's in MEMORY.md, it will.
Back up your workspace files. Your agent's entire state (personality, memory, projects, tools) lives in markdown files in the OpenClaw workspace directory. If something goes wrong (and eventually something will), you want to be able to roll back. Make sure to use a private repo. Just ask your agent:
Help me put my OpenClaw workspace files onto a private GitHub repo
and commit changes automatically after each session.
This takes about ten minutes and has saved people from complete resets when their agent went off the rails or a config change broke something.
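An added example (not part of the original post or of OpenClaw): a pre-push check for the backup repo that looks for API-key-shaped strings in workspace files and confirms .env is git-ignored, covering both the .env warning in step 2 and the private-repo backup above. The key pattern is derived from the `sk-ant-...` / `sk-...` placeholders earlier in the post; the 16-character minimum, the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-push check for the workspace backup repo.
# Usage: sh preflight.sh /path/to/workspace   (script name is hypothetical)

# Key shapes follow the post's .env placeholders (sk-ant-..., sk-...).
# Assumption: real keys have at least 16 characters after the prefix.
# The leading group avoids matching words such as "task-" or "risk-".
KEY_RE='(^|[^A-Za-z0-9])sk-(ant-)?[A-Za-z0-9_-]{16,}'

# Print "file:line" for each key-shaped string under $1 (never the value).
# Skips .git internals and .env, which is handled separately below.
find_key_leaks() {
  find "$1" -type f ! -path '*/.git/*' ! -name '.env' \
    -exec grep -En -e "$KEY_RE" /dev/null {} + 2>/dev/null | cut -d: -f1,2
}

# Succeeds only if git would ignore .env inside the repo at $1.
env_is_ignored() {
  git -C "$1" check-ignore -q .env
}

# Run both checks; a non-zero exit means do not push yet.
backup_preflight() {
  rc=0
  leaks=$(find_key_leaks "$1")
  if [ -n "$leaks" ]; then
    echo "possible API keys (file:line):"; echo "$leaks"; rc=1
  fi
  if ! env_is_ignored "$1"; then
    echo ".env is not covered by .gitignore in $1"; rc=1
  fi
  return "$rc"
}

if [ -n "${1:-}" ]; then
  backup_preflight "$1"
fi
```

Memory files and daily logs are worth scanning because anything pasted into chat can end up written there by the agent and then committed by the automatic backup.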
Check Control → Usage daily in your first week. The usage panel shows total tokens, cost, and a breakdown by model. You're looking for two things: your baseline daily cost, and your cache hit rate. A high cache hit rate means you're not paying full price for repeated context. That's healthy. If costs are higher than expected, check whether your context profile is set too large under Settings → AI & Agents → Agent Defaults → Bootstrap Max Chars.
After the first week you'll have a sense of what normal looks like. Set a budget alert at 2x your daily baseline so you get notified if something starts running away. A misconfigured heartbeat task or a loop in an automation can burn through tokens fast without any visible output.
Resources
- 🚀 Try Amazon Lightsail — run OpenClaw on a dedicated VPS
- OpenClaw docs
- OpenClaw security audit docs
- ClawHub skills marketplace
- Is it stable? — check before you update
- Tina's OpenClaw setup guide — the video that inspired a lot of this post
Conclusion
These five steps take a bit of time to do right. The config changes (gateway, model, SOUL.md) take about 30 minutes. Getting your memory files properly seeded and GitHub backup set up will take a bit longer, but it's worth doing before your first real session.
Let me know in the comments if I missed anything. I'm still learning this thing too.


Top comments (4)
I haven't tried OpenClaw yet, skeptical of installing directly on my machine. But on Lightsail, I might just try! Thanks Erik!
Definitely coming back to this when I dip my toe in the OpenClaw waters! Erik, where are you running your OpenClaw instance, out of curiosity?
I am running in Docker and Amazon Lightsail!
Let me know how you use OpenClaw!