Update: February 2, 2026
The project has rebranded again to OpenClaw (from Moltbot/Clawdbot) to avoid trademark issues. Commands are now openclaw instead of clawdbot. The core functionality is the same, with 34+ security commits, new model support (KIMI K2.5, Xiaomi MiMo-V2-Flash), and new channels (Twitch, Google Chat). Old names are kept in searches for compatibility.
Warning
Security — read before deploying:
- Exposed credentials: Bitdefender reported hundreds of misconfigured instances leaking API keys, OAuth tokens, and chat histories. Never expose the dashboard to the public internet. Use Tailscale or SSH tunnels.
- Prompt injection: Attackers can exfiltrate emails or execute commands via crafted messages. Security researchers demonstrated extracting cryptocurrency private keys in under 5 minutes through email prompts. Recent updates harden this.
- Shell access: Running an AI with local shell access is risky. Always deploy in an isolated Proxmox LXC or VM. Unprivileged LXC is preferred.
- Moltbook: A critical database exposure on January 31, 2026 allowed anyone to hijack agents and steal API keys. Do not connect OpenClaw to Moltbook until you verify it’s properly secured.
OpenClaw is an AI agent that performs actions — clears inboxes, manages calendars, sends emails, creates tasks — and works through WhatsApp, Telegram, Slack, Twitch, and Google Chat. It’s different from a chatbot in that it actually does things rather than just answering questions.
I’m running it in an Ubuntu 22.04 LXC container on Proxmox with 4GB RAM and 2 CPU cores, which handles personal use fine. Heavier workloads or Ollama models will need 8GB+.
The Moltbook Security Incident
Danger
CRITICAL: Database Exposure (January 31, 2026)
404 Media reported that Moltbook’s entire database was exposed without authentication. Anyone could hijack any agent, access API keys and auth tokens, post content impersonating verified agents, and exfiltrate private config files. The Supabase database had no Row Level Security policies enabled — 770,000 agent records exposed.
The platform was taken offline to patch and force-reset all agent API keys.
Do not connect your OpenClaw instance to Moltbook until you’ve verified proper security measures are in place. If you do connect, use a dedicated instance with no access to sensitive credentials.
Beyond the breach, Moltbook introduces supply chain risks: researchers found skills containing active data exfiltration code, and prompt injection attacks can embed malicious instructions in posts that manipulate other agents. Thanks to persistent memory, payloads can be fragmented across multiple posts and assembled later.
Prerequisites
- Proxmox with an Ubuntu 22.04 LXC or VM
- An AI model provider: OpenAI API, Anthropic Claude API, or self-hosted Ollama (recommended for homelab — free and fully local)
- Node.js 22+
Container Setup
Create an Ubuntu 22.04 LXC in Proxmox:
- Disk: 20GB
- CPU: 2 cores
- Memory: 4096 MB
- Network: Static IP recommended
Warning
LXC and systemd: There are known issues with systemd inside LXC — services not starting after reboot, permission errors, “Failed to connect to bus” in unprivileged containers. Fixes: enable nesting in container options; add lxc.cap.drop: sys_rawio for mount-related failures. For maximum compatibility, use a small VM instead — you trade some overhead for fewer surprises with daemons.
Install Node.js 22
apt update && apt upgrade -ycurl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -apt install -y nodejsnode -v # should be v22.xnpm -vInstalling OpenClaw
Option 1: Official Installer (Recommended)
curl -fsSL https://openclaw.ai/install.sh | bashThis installs OpenClaw globally via npm and makes the openclaw command available system-wide. For non-root installations:
curl -fsSL https://openclaw.ai/install-cli.sh | bashAfter installation, the onboarding wizard starts automatically. If not:
openclaw onboardOpenClaw also supports Docker, Ansible, Nix, and cloud platforms (Railway, Render, Northflank). See the official installation docs.
Configuration
The onboarding wizard covers:
- Security warning — read and acknowledge
- Onboarding mode — choose QuickStart
- Model provider:
- OpenAI: OAuth (browser opens automatically)
- Anthropic: API key
- Ollama: self-hosted URL, e.g.
http://your-ollama-server:11434
- Channel setup:
- Telegram: bot token from @BotFather (
/newbot) - WhatsApp: QR code pairing
- Discord: bot token
- Slack: Socket Mode token
- Telegram: bot token from @BotFather (
- Skills and hooks — skip for now, configure later
- Agent setup — configure your first agent in the TUI
Telegram (Easiest)
Message @BotFather, run /newbot, copy the token (format: 123456:ABC...), paste when prompted.
Starting OpenClaw
openclaw tui # terminal UI (recommended)openclaw dashboard # web UIopenclaw status # check statusConfig is stored in ~/.openclaw/openclaw.json. Logs in ~/.openclaw/logs/gateway.log.
Security Hardening
Given the attack surface, these steps are not optional for Proxmox deployments.
Network Isolation
Create a dedicated VLAN for OpenClaw in Proxmox. Container-level firewall rules:
# Allow outbound HTTPS and established connectionsiptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A OUTPUT -p tcp --dport 443 -j ACCEPTiptables -A OUTPUT -p tcp --dport 80 -j ACCEPTiptables -P OUTPUT DROP
# Block all inbound except from Proxmox hostiptables -A INPUT -s YOUR_PROXMOX_IP -j ACCEPTiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -P INPUT DROPUnprivileged LXC
When creating the container in Proxmox, uncheck “Privileged container.” This maps container root to an unprivileged host UID.
Dashboard Access
Never expose the dashboard publicly. Use Tailscale in the container, an SSH tunnel (ssh -L 1455:localhost:1455 user@proxmox-host), or Nginx with HTTP basic auth behind a firewall.
Credential Management
export ANTHROPIC_API_KEY="your-key-here"export OPENAI_API_KEY="your-key-here"openclaw gateway startMonitoring
tail -f ~/.openclaw/logs/gateway.loggrep -i "error\|unauthorized\|injection" ~/.openclaw/logs/gateway.logWarning
CVE-2025-6514 (CVSS 9.6): OpenClaw deployments using mcp-remote are exposed to a command-injection RCE vulnerability. Ensure you’re running the latest version with security patches applied.
What You Can Actually Do
Email: “Clear my inbox of newsletters” / “Send an email to [person] about [topic]” / “What emails need my attention today?”
Calendar: “Schedule a meeting with [person] next Tuesday at 2 PM” / “What’s on my calendar this week?” / “Move my 3 PM meeting to tomorrow”
Tasks: “Create a task to review the quarterly report” / “What tasks are due this week?”
The main value is interacting through messaging apps you already use — no new interface to learn.
Troubleshooting
Gateway won’t start:
cat ~/.openclaw/logs/gateway.logopenclaw statusopenclaw gateway restartTelegram bot not responding:
- Verify bot token
- Message
/startto your bot in Telegram - Confirm Gateway is running:
openclaw status
OAuth issues (OpenAI):
- Ensure browser can reach
localhost:1455for the callback - Paste the redirect URL manually if the callback fails
Container networking:
ping 8.8.8.8curl http://your-ollama-server:11434/api/tagsLXC systemd issues: Enable nesting in Proxmox container options or switch to a VM.
Suspected prompt injection:
grep -E "rm -rf|curl.*sh|wget.*sh" ~/.openclaw/logs/gateway.logopenclaw skills list# Reset API keys if compromised, then re-run onboardingLimitations
- API costs: OpenAI/Anthropic usage adds up. Set usage alerts or use Ollama for free local inference.
- Privacy: External API calls still leave your homelab unless using Ollama.
- Reliability: You’re responsible for uptime and troubleshooting.
- Resource usage: Ollama models need significant RAM — 8GB+ for larger models.
- Moltbook: Avoid until security is independently verified.