March 26, 2026
I BUILT THE ULTIMATE OPENCLAW SETUP GUIDE
OpenClaw (formerly Clawdbot, briefly Moltbot) is a free, open-source AI agent with over 250,000 GitHub stars. It runs locally, connects to LLMs like Claude or GPT-4o, and executes real tasks through messaging apps — Telegram, Signal, WhatsApp, Discord. Not a chatbot. An execution layer.
You message it "summarize my email and tell me what's on my calendar today" and it does it. You tell it "monitor my Shopify store and alert me when a new order comes in" and it runs that 24/7. You configure it to research stocks every morning and send you a briefing before the market opens — and it does the homework of five analysts before touching a dollar.
The problem: setting it up securely is non-trivial. Over a thousand malicious skills were found on ClawHub. A critical one-click RCE vulnerability was patched. Most guides skip the security model entirely. And if you get it wrong, anyone who can message your bot can read your email and run commands on your machine.
So I built a scripted, secure-by-default setup and open-sourced it. Nine scripts. Ten security layers. Drop the folder into Claude Code, say "set this up," and it handles everything — checking online for the latest versions as it goes so it never installs anything outdated.
Here's what's in it and why every decision was made.
WHY A MAC MINI
OpenClaw is only useful if it's always running. Morning briefings at 7am. Monitoring your stores while you sleep. Scheduled tasks that fire whether your laptop is open or not. You need a dedicated, always-on machine.
| Factor | Why Mac Mini |
|---|---|
| Always-on | Runs as a macOS daemon — starts on boot, restarts on crash, no login required |
| Power | ~5W idle. About $1/month in electricity |
| Silent | Fanless at agent workloads (99% of the time it's waiting for API responses) |
| Isolation | Separate machine, separate user account, separate keychain from your personal data |
| Price | M4 16GB is $500. That's the whole hardware investment. |
One thing every guide buries in the comments: buy a $10 HDMI dummy plug. Without a display connected, macOS degrades — Screen Recording permissions break, Screen Sharing defaults to low resolution, and GUI-dependent operations fail silently. The dummy plug tricks macOS into thinking a monitor is connected. Plug it in, forget about it, and your headless Mini runs perfectly.
You don't need the Pro. The base M4 with 16GB handles one main agent plus two or three sub-agents. The agent spends almost all its time waiting for API responses — raw CPU barely matters.
Headless tip: If you're running the Mac Mini without a monitor, get an HDMI dummy plug ($8 on Amazon). Without one, macOS degrades GPU acceleration silently, which can cause issues with browser-based skills. Plug it in, forget about it.
Remote access: SSH into the Mac Mini from your main machine. For access outside your local network, Tailscale is the simplest option — no port forwarding, no firewall holes. Or use an SSH tunnel: ssh -L 18789:127.0.0.1:18789 [email protected]
A $500 machine drawing $1/month in electricity, running a 24/7 AI agent that costs $2-3/day in API calls. That's the whole stack.
Why not Docker on a VPS? You can. A $10-20/month cloud server works. But you're renting forever, you lose iMessage integration, you lose Apple Keychain, and if the VPS provider has an outage, your agent goes down. A Mac Mini is a one-time purchase that sits in your house, under your control, on your network. For personal and small business use, physical hardware wins. If you're running OpenClaw for a team or need geographic redundancy, use a VPS.
THE SECURITY MODEL
This is the part most guides skip. OpenClaw has full access to whatever you give it — email, files, shell commands, APIs. If configured wrong, anyone who can message your bot can read your email and run commands on your machine. Here's what the setup repo does to lock it down:
| Layer | Protection |
|---|---|
| User isolation | Dedicated non-admin openclaw macOS user with its own home directory and keychain |
| Network | Gateway bound to 127.0.0.1 only — not reachable from the internet |
| Authentication | Token-based gateway auth with a unique 64-character hex token |
| Messaging | DM allowlist — only your Telegram ID can message the bot |
| Sessions | Per-channel-peer isolation — no context leakage between conversations |
| Filesystem | Workspace-only access — can't read outside its own directory |
| Commands | Ask-always mode — the agent prompts before executing any shell command |
| Discovery | mDNS/Bonjour broadcasting disabled |
| Logging | API keys and tokens auto-redacted from all log output |
| File permissions | 700 on directories, 600 on config files — owner-only access |
| Config immutability | chflags uchg locks the config so the agent can't weaken its own security settings |
Why this matters (2026):
CVE-2026-25253 — One-click remote code execution via WebSocket hijacking. Over 40,000 OpenClaw instances were found exposed on the public internet without authentication. Patched in version 2026.1.29+. The setup scripts verify you're patched.
ClawHub supply chain compromise — Up to 20% of skills contained malicious payloads. 1,184 skills purged in February 2026. One fake trading bot exfiltrated credentials from 14,000 installs before it was caught.
Prompt injection in the wild — Researchers demonstrated exfiltrating SSH keys by sending a single crafted email to a monitored inbox. The agent read it and followed the injected instructions. This is not theoretical.
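Two rows of the table above (file permissions and loopback-only networking) can be spot-checked by hand. This is an added example, not the setup repo's verify.sh; the state directory path is an assumption supplied by the caller, and 18789 is the port used in the SSH tunnel command on this page.

```sh
#!/bin/sh
# Added example, not the repo's verify.sh: spot-checks for two table rows.

# File permissions row: print anything under $1 that is not owner-only
# (directories must be exactly 700, regular files exactly 600).
loose_paths() {
    find "$1" \( -type d ! -perm 700 -o -type f ! -perm 600 \) -print
}

# Network row: read `lsof -nP -iTCP:<port> -sTCP:LISTEN` output on stdin and
# print each listening address that is not loopback (for example *:18789).
exposed_listeners() {
    awk '$NF == "(LISTEN)" {
        addr = $(NF - 1); host = addr; sub(/:[0-9]+$/, "", host)
        if (host != "127.0.0.1" && host != "[::1]") print addr
    }'
}

# Usage: sh check.sh <state-dir> [port]
# <state-dir> is whatever directory holds the agent's config (assumption:
# the caller knows it); the port defaults to 18789.
audit() {
    command -v lsof >/dev/null || { echo "lsof not found" >&2; return 2; }
    rc=0
    loose=$(loose_paths "$1")
    open=$(lsof -nP -iTCP:"${2:-18789}" -sTCP:LISTEN 2>/dev/null | exposed_listeners)
    [ -z "$loose" ] || { printf 'loose permissions:\n%s\n' "$loose"; rc=1; }
    [ -z "$open" ] || { printf 'non-loopback listener: %s\n' "$open"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then audit "$@"; fi
```

A wildcard listener (`*:18789`) is the exposed state described under CVE-2026-25253 above; the script exits non-zero when it sees one.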
THE SETUP
GET THE SETUP REPO
9 scripts. 10 security layers. Checks for the latest versions and patches automatically. The only OpenClaw setup designed for Claude Code — one command and it handles everything.
git clone https://github.com/MeriaApp/openclaw-setup.git
cd openclaw-setup
Then tell Claude Code:
Set up OpenClaw on this machine using the CLAUDE.md guide.
Claude reads the instructions, runs each script in order, asks for your API keys, and runs a 15-point security verification at the end. Takes about 10 minutes.
The repo contains 9 scripts that run in sequence:
| Step | Script | What It Does |
|---|---|---|
| 1 | prerequisites.sh | Installs Node.js and OpenClaw, verifies the version is patched |
| 2 | create-user.sh | Creates a dedicated non-admin openclaw macOS user |
| 3 | harden.sh | Loopback networking, token auth, file permissions, mDNS off |
| 4 | setup-keys.sh | Securely stores API keys in a chmod 600 env file |
| 5 | setup-telegram.sh | Configures Telegram bot with DM allowlist |
| 6 | install-daemon.sh | launchd daemon — auto-start on boot, auto-restart on crash |
| 7 | install-skills.sh | Installs 4 verified safe skills (security scanner, search, Google, Reminders) |
| 8 | verify.sh | 15-point security verification — checks everything |
| 9 | setup-briefing.sh | Optional daily morning briefing via Telegram |
The CLAUDE.md file instructs Claude Code to search online before each major step for the latest versions and security advisories. So even if you run this six months from now, Claude will verify you're installing the latest stable release with all known patches applied.
Managing It Remotely
The Mac Mini is headless. You'll manage it from your laptop. Two ways to do this:
SSH tunnel — Enable Remote Login in System Settings > General > Sharing. Then from your laptop:
ssh -N -L 18789:127.0.0.1:18789 openclaw@your-mac-mini-ip
Now localhost:18789 in your browser hits the OpenClaw control panel on the Mini. The gateway stays bound to loopback — never exposed to the network.
Tailscale (free for personal use) — install on both machines and they join an encrypted mesh network. Access the Mini from anywhere — coffee shop, phone, wherever — without opening ports or configuring your router. This is how I manage mine.
WHAT TO ACTUALLY USE IT FOR
The skills ecosystem has 13,700+ options on ClawHub. Most of them are noise. Here's what actually earns its keep:
Morning Briefing
Weather, calendar for the day, unread email summary, overnight notifications from GitHub or Shopify. One message, every morning, before you open your laptop. The cognitive benefit of starting your day organized is worth the entire setup.
Email Triage
Reads your inbox, prioritizes messages, drafts responses for your review. Handles the "read, think about it, decide if it matters" loop that burns 30 minutes every morning. You review and send — or ignore.
Business Monitoring
Track orders, revenue, inventory. Monitor your database metrics. Get alerts when a GitHub issue is filed or a deploy fails. One agent watching everything, surfacing only what matters.
Automated Investing
Five AI sub-agents do independent fundamental, technical, and sentiment analysis before every trade. Connects to Alpaca's commission-free brokerage API. I wrote a deep dive on the trading architecture here.
Social Monitoring
Track mentions of your brand, competitors, or keywords. Get a daily digest or real-time alerts when something needs attention.
Workflow Automation
Connect your existing tools through natural language. "When a new Shopify order comes in, log it to the spreadsheet and Slack me." OpenClaw becomes the natural language interface for your entire automation stack.
Start with read-only tasks — briefings, summaries, monitoring. Build trust in the system before enabling anything that sends messages, moves money, or modifies data.
THE COST
| Item | Cost | Frequency |
|---|---|---|
| Mac Mini M4 16GB | $500 | One-time |
| Electricity | ~$1 | Monthly |
| LLM API calls (Claude/GPT-4o) | $30–90 | Monthly |
| Tavily search (free tier) | $0 | Monthly |
| OpenClaw + all skills | $0 | Free forever |
Under $100/month for a 24/7 AI agent that handles your briefings, monitors your business, triages your email, and runs scheduled tasks while you sleep. The Mac Mini pays for itself in the first month if you value your morning time at more than $16/day.
WHAT TO WATCH OUT FOR
Malicious Skills
In February 2026, up to 20% of ClawHub skills were found to contain malicious payloads — credential theft, data exfiltration, backdoor installation. One fake trading bot was downloaded 14,000 times before it was pulled. Treat every ClawHub skill like untrusted code.
Before installing any skill: run npx clawhub inspect <skill-name>. Check for curl | bash patterns, base64-encoded payloads, and exfiltration to unknown domains. Run openclaw security audit --deep after every skill install — not just once. The ClawSec skill suite adds config drift detection, automated audits, and skill integrity verification on top of the built-in scanner. Install it.
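The three patterns named above can also be checked with plain grep against an unpacked skill directory before anything runs. This is an added example, not part of OpenClaw, ClawHub or the setup repo; the ALLOWED_DOMAINS list is an assumption to edit for the APIs you actually use, and a hit means "read this file by hand", not proof of malice.

```sh
#!/bin/sh
# Added example: static triage of an unpacked skill directory before install.
# ALLOWED_DOMAINS is an assumed allowlist; list only the APIs you actually use.
ALLOWED_DOMAINS="api.anthropic.com api.openai.com api.telegram.org"

# Downloads piped straight into an interpreter (curl ... | bash, wget ... | sh).
find_pipe_to_shell() {
    grep -rnEI '(curl|wget)[^|;&]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' "$1" 2>/dev/null |
        cut -d: -f1,2 | sed 's/^/pipe-to-shell: /'
}

# Unbroken base64-alphabet runs of 120+ characters, reported as file:line only.
find_encoded_blobs() {
    grep -rnEI '[A-Za-z0-9+/]{120,}' "$1" 2>/dev/null |
        cut -d: -f1,2 | sed 's/^/encoded-blob: /'
}

# Hosts referenced in URLs that are not on the allowlist.
unknown_domains() {
    grep -rhoEI 'https?://[A-Za-z0-9.-]+' "$1" 2>/dev/null |
        tr '[:upper:]' '[:lower:]' | sed -e 's#^[a-z]*://##' -e 's#\.$##' | sort -u |
        while IFS= read -r host; do
            case " $ALLOWED_DOMAINS " in
                *" $host "*) ;;
                *) echo "unlisted-domain: $host" ;;
            esac
        done
}

# Print all findings; return 1 if there is anything to review by hand.
scan_skill() {
    findings=$(find_pipe_to_shell "$1"; find_encoded_blobs "$1"; unknown_domains "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if [ $# -gt 0 ]; then scan_skill "$1"; fi
```

Run it as `sh scan.sh <unpacked-skill-dir>`; a non-zero exit status means at least one finding was printed.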
Prompt Injection
This is the real threat in 2026 — not theoretical, actively exploited. Security researchers have demonstrated exfiltrating SSH keys and API tokens by sending a single crafted email to an inbox that OpenClaw monitors. The agent reads the email, follows the injected instructions, and hands over your secrets. Telegram and Discord link previews have been used as exfiltration channels — the agent generates an attacker-controlled URL that leaks data when the preview loads.
Mitigations that actually work:
- Use a reader agent. Run a separate, tool-disabled agent that summarizes untrusted content (email, web pages). Pass the summary — not the raw content — to your main agent. This breaks the injection chain.
- Keep secrets out of the filesystem. Pass API keys via environment variables, not files the agent can read. The setup repo does this by default.
- Use the best model available. Larger, newer models are significantly more resistant to prompt injection. Don't run a tool-enabled agent on a cheap tier.
- Never give write access to untrusted channels. If the agent reads your email, it shouldn't also be able to send email — at least not until you've watched it operate for weeks.
Updates and Backups
Most OpenClaw failures happen during or immediately after an update. Before any update:
openclaw backup create
# Note your current version so you can roll back
openclaw version
# Check gateway health before touching anything
openclaw status
If the update breaks something, restore from backup. If you didn't back up, you're re-doing the entire setup. Run openclaw backup create weekly regardless — it captures your workspace, credentials, skills, and agent history into a single archive.
Overconfidence
The most dangerous failure mode is trusting the agent too much, too fast. Start read-only. Watch what it does. Read the logs. Understand its decisions. Then gradually enable more capabilities. The agent should earn your trust — not receive it on day one.
THE SETUP IS THE PRODUCT
OpenClaw is powerful out of the box but dangerous without guardrails. The difference between "useful AI agent" and "security liability" is configuration.
The open-source setup repo handles all of it — dedicated user, loopback networking, token auth, DM allowlists, verified skills, and a 15-point verification check. Drop it into Claude Code and it does the rest.
$500 for the hardware. $100/month to run. A 24/7 AI agent that watches your business, manages your morning, and runs the tasks you never get to.
For the deep dive on automated investing with OpenClaw, see What Happens When You Give an AI $1,000 a Day to Trade Stocks. For how I automate software development, see the Claude Code setup I open-sourced.