
How to Set Up OpenClaw Safely: A Personal AI Agent That Won't Wreck Your Machine

Alset Team · May 17, 2026 · 9 min

The Promise and the Risk

[OpenClaw](https://openclaw.ai/) is an open-source personal AI assistant that runs locally on your machine. You talk to it through WhatsApp, Telegram, Slack, or iMessage. It can read your files, run shell commands, browse the web, and automate multi-step tasks — all powered by Claude, GPT, or local models.

That's also why it's dangerous out of the box. An AI agent with shell access and no guardrails is one hallucination away from `rm -rf ~/Documents` or sending an email you didn't authorize. This guide covers how to install OpenClaw and configure it so you get the automation benefits without the "I let an AI destroy my filesystem" story.

Installation

OpenClaw runs on macOS, Linux, and Windows. The fastest path:

```bash
# One-liner install
curl -fsSL https://openclaw.ai/install.sh | bash

# Or via npm
npm i -g openclaw
openclaw onboard
```

The onboarding wizard walks you through model selection (Claude recommended for tool use) and API key configuration. You'll need an Anthropic or OpenAI API key.

Step 1: Sandbox Everything by Default

OpenClaw's most important safety feature is its sandboxing system. By default, it runs tools directly on your host machine. Change that immediately.

Edit your `openclaw.json` config:

```json
{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "non-main",
        "scope": "session",
        "backend": "docker",
        "workspaceAccess": "none"
      }
    }
  }
}
```

What this does:

  • `mode: "non-main"` — Your primary chat (direct messages) runs on the host. Group chats and other sessions are sandboxed in Docker containers.
  • `scope: "session"` — Each conversation gets its own isolated container. One rogue session can't affect another.
  • `workspaceAccess: "none"` — Sandboxed sessions can't see your real files. They only work with what you explicitly give them.
  • If you want maximum safety (and don't mind slightly slower startup), set `mode: "all"` so even your main chat is sandboxed.

Step 2: Configure Exec Approvals

Even with sandboxing, you'll want the agent to occasionally run commands on your real machine — installing a package, running a script, moving files. Exec approvals are the safety interlock.

Create `~/.openclaw/exec-approvals.json`:

```json
{
  "defaults": {
    "security": "allowlist",
    "ask": "on-miss",
    "askFallback": "deny",
    "strictInlineEval": true
  },
  "allowlist": [
    "ls", "cat", "head", "tail", "wc",
    "rg", "fd", "jq",
    "git status", "git log", "git diff",
    "date", "cal", "whoami"
  ]
}
```

How it works:

  • `security: "allowlist"` — Only pre-approved commands run without prompting
  • `ask: "on-miss"` — Any command not on the allowlist triggers an approval prompt in your companion app
  • `askFallback: "deny"` — If you're not around to approve, the command is blocked (not executed)
  • `strictInlineEval: true` — Prevents the agent from sneaking arbitrary code through `python -c` or `node -e`
  • The allowlist above covers read-only operations. The agent can look at anything but can't modify, delete, or install without your explicit approval.
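To make the policy above concrete, here is an added reference model of the run/ask/deny decision (example code, not OpenClaw's own implementation). It assumes an allowlist entry matches when it equals the command's leading words, and it also treats shell metacharacters as disqualifying the allowlist fast path, a check the page does not describe but one any such interlock needs.

```javascript
// Added reference model (not OpenClaw's own code) of the exec-approval policy
// described above. How OpenClaw actually matches allowlist entries is an
// assumption here: an entry matches when it equals the command's leading words.
const EXEC_APPROVALS = {
  defaults: { security: "allowlist", ask: "on-miss", askFallback: "deny", strictInlineEval: true },
  allowlist: ["ls", "cat", "head", "tail", "wc", "rg", "fd", "jq",
    "git status", "git log", "git diff", "date", "cal", "whoami"],
};

// Interpreter flags that turn a harmless-looking binary into arbitrary code execution.
const INLINE_EVAL_FLAGS = { python: "-c", python3: "-c", node: "-e", sh: "-c", bash: "-c", zsh: "-c", perl: "-e" };

function tokenize(cmd) {
  return cmd.trim().split(/\s+/);
}

// "git status" matches "git status --short" but not "git stash".
function onAllowlist(cmd, allowlist) {
  const words = tokenize(cmd);
  return allowlist.some((entry) => {
    const e = tokenize(entry);
    return e.length <= words.length && e.every((w, i) => w === words[i]);
  });
}

function isInlineEval(cmd) {
  const words = tokenize(cmd);
  const flag = INLINE_EVAL_FLAGS[words[0]];
  return flag !== undefined && words.includes(flag);
}

// Shell metacharacters let an allowlisted word smuggle in a second command
// ("cat notes.txt; rm -rf ~"), so they disqualify the allowlist fast path.
function hasShellChaining(cmd) {
  return /[;&|`$()<>]/.test(cmd);
}

// Returns "run", "ask" or "deny". approverAvailable models whether a human
// is around to answer the companion-app prompt (askFallback applies if not).
function decide(cmd, config, approverAvailable) {
  const d = config.defaults;
  if (d.strictInlineEval && isInlineEval(cmd)) return "deny";
  if (d.security === "allowlist" && onAllowlist(cmd, config.allowlist) && !hasShellChaining(cmd)) return "run";
  if (d.ask === "on-miss" && approverAvailable) return "ask";
  return d.askFallback === "deny" ? "deny" : "run";
}
```

The metacharacter check is deliberately conservative: an `rg "foo|bar"` search falls back to an approval prompt rather than running silently.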

Step 3: Secrets Management

Never paste API keys directly into your OpenClaw config. Use SecretRefs instead:

```json
{
  "providers": {
    "anthropic": {
      "apiKey": { "source": "env", "id": "ANTHROPIC_API_KEY" }
    }
  }
}
```

For teams or multi-machine setups, OpenClaw supports 1Password CLI, HashiCorp Vault, and sops as secret providers. Run the audit to check your current exposure:

```bash
openclaw secrets audit --check
openclaw secrets configure
```

This ensures that even if the agent's config file is accidentally committed to git, no credentials leak.
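An added example of the kind of check such an audit performs (example code, not OpenClaw's `secrets audit` command): walk a parsed `openclaw.json` and flag credential keys stored as literals instead of SecretRefs. The `{ "source", "id" }` shape follows the config above; only `source: "env"` is resolved here, and the key-name pattern is an assumption.

```javascript
// Added example (not OpenClaw's own code): find credentials stored as literal
// strings rather than SecretRefs, and SecretRefs whose env var is not set.
// Which key names count as credentials is an assumption of this example.
const SECRET_KEY = /(apikey|api_key|token|secret|password)$/i;

function isSecretRef(v) {
  return v !== null && typeof v === "object" && typeof v.source === "string" && typeof v.id === "string";
}

// Returns findings as { path, level, message }; env defaults to the real environment.
function auditSecrets(config, env = process.env, path = []) {
  const findings = [];
  for (const [key, value] of Object.entries(config)) {
    const here = [...path, key].join(".");
    if (SECRET_KEY.test(key)) {
      if (typeof value === "string") {
        findings.push({ path: here, level: "high", message: "literal credential in config; replace with a SecretRef" });
      } else if (isSecretRef(value)) {
        if (value.source === "env" && !env[value.id]) {
          findings.push({ path: here, level: "medium", message: `env var ${value.id} is not set` });
        } else if (value.source !== "env") {
          // 1Password, Vault and sops refs cannot be checked offline here.
          findings.push({ path: here, level: "info", message: `resolved externally via ${value.source}` });
        }
      } else {
        findings.push({ path: here, level: "medium", message: "unrecognised credential shape" });
      }
    } else if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      findings.push(...auditSecrets(value, env, [...path, key]));
    }
  }
  return findings;
}

// Constructed sample config: one proper SecretRef beside one pasted-in literal.
const SAMPLE_CONFIG = {
  providers: {
    anthropic: { apiKey: { source: "env", id: "ANTHROPIC_API_KEY" } },
    openai: { apiKey: "sk-live-EXAMPLE-NOT-A-REAL-KEY" },
  },
};
```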

Step 4: Set Up Access Groups for Messaging

If you connect OpenClaw to WhatsApp or Telegram group chats, anyone in that group can talk to your agent. That's probably not what you want.

Configure access groups to control who can interact:

```json
{
  "channels": {
    "whatsapp": {
      "pairing": "invite-only",
      "accessGroups": ["family", "work"]
    }
  }
}
```

The pairing system ensures only devices you explicitly authorize can send commands to your agent. Random group members sending "delete all my files" won't work.

Step 5: Cost Controls

An AI agent running Claude with tool use can burn through API credits fast. A single complex task with multiple tool calls can cost $1-5. An agent in a loop hitting rate limits can cost much more.

Set budget limits in your gateway config:

```json
{
  "gateway": {
    "limits": {
      "maxTokensPerMessage": 8000,
      "maxToolCallsPerTurn": 10,
      "maxTurnsPerSession": 25
    }
  }
}
```

These caps prevent runaway sessions. If the agent needs more than 25 turns to complete a task, it should ask you to break it into smaller pieces — not spiral autonomously.

Step 6: The "Day One" Test

Before giving OpenClaw access to anything important, test it with a throwaway task:

  • Ask it to summarize your last 5 git commits
  • Ask it to find all TODO comments in a project
  • Ask it to draft (not send) an email reply
  • Watch the approval prompts. See what it tries to execute. If anything surprises you, tighten the allowlist.

Only after you're comfortable with its behavior should you:

  • Grant write access to specific directories
  • Connect email or calendar integrations
  • Allow it to run in the background unsupervised

What Can Go Wrong (and How to Recover)

The agent hallucinated a destructive command:

With `askFallback: "deny"`, this is blocked automatically. If you accidentally approved something destructive, OpenClaw doesn't have undo — but Time Machine (macOS) or filesystem snapshots (Linux) do. Set those up before giving an AI agent any write access.

The agent got stuck in a loop:

The `maxTurnsPerSession` cap stops infinite loops. If a session is spiraling, kill it from the companion app or CLI: `openclaw session kill <id>`.

API costs spiked unexpectedly:

Check session history: `openclaw sessions list --cost`. Identify which task burned credits and add it to your "ask before executing" list.

Someone in a group chat triggered something:

Access groups + pairing prevent this. If you haven't configured them, the agent should still hit exec approvals for anything dangerous. Audit your channel settings.

The Bigger Picture

OpenClaw represents a shift: from AI as a chat window to AI as an operating system layer. But "runs on your machine with full access" is a fundamentally different trust model than "lives in a browser tab."

The safety configuration above isn't paranoia — it's the minimum responsible setup for an autonomous agent. As you build trust with the system, you can selectively loosen restrictions. Start locked down. Expand access based on observed behavior, not promised capabilities.

Learn to Build AI Agents Yourself

Understanding how to safely deploy personal AI agents is just the beginning. If you want to go deeper — building your own agent systems with tool use, approval workflows, guardrails, and observability — our [Production AI Agents](/enterprise/ai-agent-builder) course covers the full architecture.

Six modules, a live sandbox, and you walk away with working code. [Start building](/enterprise) — your first course is free.
