OpenClaw hit 250,000 GitHub stars faster than any project in history. Most of what's been written about it is either pure hype or a security warning. This is neither. This is what a month of daily use actually looks like, what it costs, and how to set it up without making the mistakes most people make.
## What it is in plain terms
OpenClaw is a Node.js gateway service that connects LLMs to your local machine and your messaging apps. You run it on your own hardware or a VPS. It binds to port 18789 by default and exposes a control UI and WebChat interface. You interact with it through WhatsApp, Telegram, Slack, Discord, or Signal.
The architecture: your message hits the gateway, the gateway passes it to whatever LLM you've configured, the model decides what tools to call, OpenClaw executes those tool calls using shell access, browser automation, file operations, or API integrations, and the result comes back to your chat.
The heartbeat system runs on a loop even when you're not talking to it. It checks scheduled tasks, monitors things you've configured it to watch, and messages you first when something needs attention. That proactive behavior is what makes it different from a chatbot.
## Installation in under 30 minutes
You need Node.js 22 or higher. Check with `node --version`. If you're below 22 or missing it entirely, install from nodejs.org first.
```bash
npm install -g openclaw@latest
openclaw onboard --install-daemon
```
The `--install-daemon` flag registers it as a system service that starts on reboot. Run the onboarding wizard, enter your API key, choose your default model (Sonnet, not Opus), connect Telegram via a BotFather bot token, and you're running.
## The security config most guides skip
Default bind is `0.0.0.0:18789`. On a VPS this exposes your gateway to the public internet. 30,000 instances were found this way in January 2026.
Fix it immediately:
```json
{
  "gateway": {
    "bind": "loopback",
    "port": 18789
  }
}
```
Access the dashboard securely via SSH tunnel:
```bash
ssh -L 18789:localhost:18789 user@your-server-ip
```
Credentials are stored in plaintext under `~/.openclaw/` and are already being targeted by infostealers. Don't run this on a machine that holds SSH keys, API keys for other services, or anything sensitive. Dedicated hardware or an isolated VPS only.
CVE-2026-25253 (CVSS 8.8) was a now-patched one-click RCE that leaked the gateway auth token via WebSocket. Always run the latest version; run `npm update -g openclaw@latest` regularly.
## Model selection and cost control
This is where developers get burned. OpenClaw makes 5-10 API calls per task because each action step hits the API separately. Context accumulates across a session. A long session can burn 200K tokens just from re-sending stale context.
Start with Claude Sonnet 4.6 as your default. Switch to Haiku for heartbeat checks, simple monitoring tasks, and anything that doesn't need reasoning. Save Opus for genuinely complex tasks only, and switch to it manually rather than setting it as default.
Set a spending limit in the Anthropic console immediately. Settings → Limits → set a monthly cap. One user burned $70 in 24 hours running Opus for everything including routine status pings.
Tier your models like this in SOUL.md:
```markdown
## Model rules
Use the cheapest model that can handle the task.
For heartbeat checks and simple monitoring: use Haiku
For regular tasks and research: use Sonnet
For complex reasoning and multi-step tasks: ask me before using Opus
```
## Skills security
The ClawHub marketplace had 341 malicious skills in January 2026, some with professional documentation and names like "solana-wallet-tracker." One attack used prompt injection via email signature — OpenClaw read an email, followed hidden instructions, and attempted to exfiltrate AWS credentials.
Safe starting points:
- `npx skills add anthropics/skills` — official Anthropic document skills
- `npx skills add vercel-labs/agent-skills` — Vercel's official skills
Before installing anything from an unfamiliar publisher: read the SKILL.md, check the GitHub repo age and star count, look at recent commits, and verify it doesn't request permissions inconsistent with what it claims to do.
## What actually works in production
SOUL.md configuration matters more than anything else. Vague rules produce creative interpretations. Specific rules produce predictable behavior.
The Robin Delta principle from a month of community observation: the agents that actually work aren't smarter. They're more constrained. The less freedom you give it, the better it performs. Write explicit rules. Never delete without asking. Always confirm before sending. Specific model tiers per task type.
HEARTBEAT.md is where the proactive behavior lives. Start with one or two automations. Don't configure ten things immediately. You won't know which one caused a problem.
Start a new session regularly to prevent context accumulation from driving up costs. Use USER.md, AGENTS.md, and state files for persistent memory so the agent doesn't re-learn the same things every session.
## Variants worth knowing
If the 430,000-line codebase makes you uncomfortable from an auditability standpoint, NanoClaw is a 4,000-line Python alternative that runs on minimal hardware and is designed to be fully readable. ZeroClaw is a single Rust binary for edge and IoT deployments.
## The honest verdict
OpenClaw is the most interesting open source project of 2026. The gap between the demo and daily use is real but it's closing fast. Set it up on an isolated machine, configure it specifically, tier your models, and give it one real workflow to own for a week. You'll know from there whether you want to go deeper.
Full guide with complete installation paths for Mac, Windows, Linux, VPS and Docker, hardware comparison, WhatsApp setup, cost tables, and the full Twitter review roundup: https://virtualuncle.com/openclaw-complete-guide-2026/