OpenClaw Operations Guide

Create your first deployment safely and verify that gateway + agent are healthy before real traffic.

1. Open Setup and choose provider, region, server size, AI model, and primary channel.
2. Run Test Connection before deployment and confirm it returns success.
3. Submit deployment and wait until status becomes active.
4. Open Dashboard and confirm Agent = Online and Gateway Reachability = Online.
5. Open Gateway and verify the health endpoint responds with JSON status.
6. Run Diagnostics once and keep output for baseline comparison.

Define agent behavior clearly so responses stay consistent and aligned with your use case.

1. Set agent name, role, and interaction style in setup fields.
2. Open File Browser and review workspace files: identity.md, soul.md, memory.md, and AGENTS.md/agents.md.
3. Add hard constraints (allowed actions, prohibited actions, escalation rules).
4. Save changes, then run a short validation chat to confirm tone + boundaries.
5. Review weekly and refine based on real user conversations.

Enable only required skills and configure each with least-privilege access.

1. Turn on only the skills your workflow needs (start minimal).
2. Use Configure to set required env fields per skill.
3. Prefer OAuth over long-lived secrets whenever provider supports it.
4. Use folder/file allowlists for browser and drive integrations.
5. Test each skill with one safe command before production use.
6. Disable unused skills to reduce attack surface.

Connect Telegram securely and approve trusted peers before enabling broad access.

1. Create bot with BotFather and keep bot token private.
2. Apply Channel Security Baseline from dashboard.
3. Refresh Pairing Requests and approve only known owner/team IDs.
4. Keep mention-required enabled for group chats.
5. Use Refresh Channel Audit to confirm pairing and policy changes were recorded.

Use the file browser for controlled edits without SSH and validate changes immediately.

1. Open File Browser and select the target file from workspace tree.
2. For Markdown, switch between Raw and Markdown View to verify formatting.
3. Use Edit > Save for changes; backups are retained by Time Machine.
4. Use Fullscreen when editing long files to avoid UI overlap.
5. After sensitive changes, run diagnostics and verify channel behavior.

Recover common runtime problems directly from dashboard actions.

1. Open Server Management and start with Run Diagnostics to collect current health details.
2. If multiple services are failing, use Restart Services once and wait for statuses to refresh.
3. If gateway URLs fail, run Reconcile Tunnel Bindings to repair tunnel-to-service mapping.
4. Use Refresh Raw Logs immediately after each action and read newest errors first.
5. For single-service issues, use service-specific Start/Stop/Restart controls only for that service.
6. After recovery, run Maintenance to clean temporary state and stabilize runtime dependencies.
7. Confirm health from Dashboard: Agent = Online and Gateway Reachability = Online.
8. If issue persists, export logs/audit and share with support for deep triage.

Manage public SSH keys from dashboard and use the browser terminal end-to-end through VPC tunnel.

1. Deploy normally even if you do not have an SSH public key yet.
2. Open Dashboard → Server Management → SSH Access (User-managed key).
3. Paste a valid public key (ssh-ed25519 / ssh-rsa / ecdsa) and click Install Key.
4. Confirm status message shows key was saved (and installed immediately if deployment is active).
5. Use the Connect command shown by dashboard when you want native SSH from your local terminal.
6. Use Web SSH Terminal in the same panel for in-browser shell access (no local SSH client required).
7. If terminal disconnects, wait for auto-reconnect or click Reconnect.
8. If gateway/terminal path fails, run Reconcile Tunnel Bindings, then retry Web SSH.
9. Use Remove Key when rotating or revoking local machine access.

Use OAuth when available and verify session linkage to current deployment.

1. Select MiniMax provider during setup or update deployment configuration.
2. Use Start MiniMax OAuth and complete provider consent flow.
3. Run Refresh OAuth Status and verify connected for this deployment.
4. Run Test Connection and confirm model response.
5. Disconnect and re-link if token scope/account is incorrect.

Keep score high by closing critical findings first and enforcing strong channel controls.

1. Refresh Security Posture and review score, grade, and open findings.
2. Fix all critical/high findings before adding new integrations.
3. Rotate API keys regularly and revoke unused credentials.
4. Rotate SSH keys regularly: remove stale keys from dashboard and re-install only active workstation keys.
5. Use short Web SSH sessions and reconnect on demand instead of keeping long idle sessions open.
6. Run Hardening Assistant after major configuration updates.
7. Keep pairing + mention guard enabled for production channels.

Use advanced operations for scale, traceability, and controlled rollout.

1. Open Layout Studio and keep only sections needed for daily operations (remove visual noise).
2. Reorder critical panels first: Channels, Security, Logs, and Server Management.
3. Use panel width controls to give Logs/File Browser more space than low-frequency panels.
4. Before changing identity, policies, or skills, create/verify Time Machine backup availability.
5. Use Session Audit and Channel Audit after every security/policy update to validate changes.
6. Export JSON/CSV audit snapshots weekly for compliance and incident readiness.
7. Use Full Screen panel mode for long log reading, large file edits, and forensic reviews.
8. After advanced changes, run Diagnostics + Security Posture refresh and confirm score trend improves.

Follow a stable runbook to isolate auth, gateway, service, and model failures quickly.

1. Check Agent/Gateway status in dashboard summary first.
2. Run Diagnostics and record outputs before making changes.
3. If gateway is unreachable, run Reconcile Tunnel Bindings then retry.
4. Refresh logs and locate first error timestamp, then correlate with recent config edits.
5. Validate provider auth (OAuth session or API key), then test model connection.
6. If still failing, export audits/logs and share with support for deep triage.