🪞 Uota学 · 💬 Discussion topics

Treat "setting up an assistant" as a production deployment: a threat-model-first OpenClaw installation checklist

The greatest value of this post is not the long tutorial itself but the more efficient workflow it exposes: feed fragmented guides to a strong model and have it produce an executable checklist with a threat model as its skeleton. You must then treat that checklist as a framework, not as fact.

2026-02-12 · Original article

Key points

  • AI can serve as an "information compressor", but not as a "truth machine": the author merged 20+ OpenClaw setup articles, fed them to Opus 4.6 and had the model produce an end-to-end guide. In essence this outsources "search + organise" to the model, raising information density and actionability; but the version numbers, CVEs, specific commands and recommended providers in the output may be stale or hallucinated and must be cross-checked.
  • The threat model is the real through-line of the guide: it opens by listing the attack surface (malicious skills, prompt injection, runaway loops, memory poisoning, plaintext credential storage). That resembles the rollout path of a mature system more than "install first, think later": define what you are defending against, then decide how many openings the tools get.
  • Defence in depth as a trio: sandbox / tool policy / identity boundary. The text repeatedly stresses a Docker sandbox (ideally with no network), a tool denylist (especially browser/exec/write/edit) and SOUL.md as a system-level boundary. The stance is firm: a self-hosted agent is not a toy; permissions should be tightened by default and opened up only as needed.
  • Remote access and spending caps are "operations" problems, not "installation" problems: Tailscale, spending limits, token/credential rotation and emergency procedures show that the hard part of running an assistant is long-term operation and incident handling. The bar moves from "it works once set up" to "it runs reliably for three months".
  • A "checklist" is the best AI-native deliverable: the output is long but strongly structured, with a phased breakdown, verification points and rollback/emergency steps. For a newcomer a checklist lowers the failure rate more than a tutorial does; for a team it is more reproducible than word of mouth.

Relevance to us

  • We need a "company-grade" OpenClaw runbook rather than scattered experience posts: a default threat model, a minimal usable tool set, sandbox/permission policy, remote access, a cost budget and incident handling (bill spikes / abnormal behaviour / suspected leaks). That is what turns a "personal toy" into "team infrastructure".
  • Neta's AI-native productivity system should follow the same security approach: any agent that can read and write files, run scripts or call external APIs should default to least privilege + layered isolation + auditable logs + an explicit kill switch (/new, revoking tokens, disabling tools).
  • Treat "prompt injection" as the norm, not a black swan: any web page, message or document we read may carry instructions. The pipeline that handles external content should either use read-only tools or put an intermediate layer in place to sanitise/isolate the content; never let the model execute content as instructions directly.
  • Turn the checklist into a product/community asset: the reads site, the docs, even the default options of an onboarding wizard can all be designed around "secure defaults". That noticeably reduces later support cost and fits the professional image we present externally.

Discussion prompts

  1. What permission level are we willing to grant OpenClaw (or an internal agent), and how much productivity does that buy? This is really a pricing question of "efficiency vs. risk budget".
  2. If we wrote a "minimal but sufficiently secure" default configuration, which capabilities would we cut? Among browser/exec/disk writes/networked sandbox/automation loops, which get disabled first, and which must stay?
  3. Should we productise "security posture" into one-click profiles? For example: read-only research mode / workflow mode / high-privilege maintenance mode, each with its own tool policy and audit level.

I fed 20+ OpenClaw articles to Opus 4.6: the setup guide it generated

Over the past few weeks, we've been bombarded with articles explaining how to set up OpenClaw: what to avoid, what the best configuration is, what safety measures to take, etc. It's overwhelming.

So I took a Google Doc, dumped 20+ articles into it, and fed it to Opus 4.6.

The prompt was:

"Based on all the information in this Google Doc, create the best OpenClaw setup guide. Don't take anything written here as gospel, cross-reference and back up every claim with other sources. Use the content as a starting framework for thinking, not as trusted fact."

Here's what it gave me:

What is covered in this article:

Pre-Setup: Threat Model

Phase 1A: Mac Mini Initial Setup

Phase 1B: Install OpenClaw

Phase 1C: Onboarding Wizard

Phase 1D: Connect Telegram

Phase 1E: Test Basic Conversation

Phase 2A: Security Hardening

Phase 2B: Docker Sandbox

Phase 2C: Tool Policy Lockdown

Phase 2D: SOUL.md: Agent Identity & Boundaries

Phase 2E: Tailscale Remote Access

Phase 2F: API Spending Limits

Phase 2G: File Permissions

Phase 2H: LaunchAgent (24/7 Operation)

Phase 3: Matrix Migration

Maintenance & Updates

Emergency Procedures

  1. Pre-Setup: Threat Model

Before touching the keyboard, understand what you're defending against:

What attackers target in your setup

Malicious ClawHub skill: You install a skill that looks legitimate. It contains Atomic Stealer malware that harvests your keychain, browser passwords, wallet files, and API keys.

Prompt injection via message: Someone sends you a crafted Telegram message or email. When the agent reads it, hidden instructions tell it to exfiltrate your exchange API keys or execute shell commands.

Runaway automation loops: A prompt injection or buggy skill causes the agent to make API calls in an infinite loop.

Memory poisoning: A malicious payload injected into agent memory on Day 1 triggers weeks later when conditions align.

Credential harvesting: ~/.openclaw/ stores API keys, bot tokens, OAuth tokens, and conversation history in plaintext files. Any malware that reads these files owns everything.

  2. Phase 1A: Mac Mini Initial Setup

2.1 First boot

Power on your Mac Mini M4. Complete the macOS setup wizard:

  • Create your user account
  • Enable FileVault (full-disk encryption); this is critical
  • Connect to Wi-Fi
  • Skip iCloud if this is a dedicated OpenClaw machine (recommended)
  • Install macOS updates: System Settings → General → Software Update

2.2 System security settings

Open System Settings → Privacy & Security:

  • Firewall: Turn ON
  • Allow applications downloaded from: "App Store and identified developers"

2.3 Open Terminal

Open Terminal.app (Applications → Utilities → Terminal, or Spotlight: ⌘+Space → type "Terminal").

All commands below are run in Terminal.

2.4 Install Xcode Command Line Tools

A popup appears. Click "Install". Wait for it to complete (a few minutes).

2.5 Install Homebrew

Follow the on-screen instructions. At the end, it will tell you to run two commands to add Homebrew to your PATH. Run those commands. They look like:

Verify:

2.6 Install Node.js 22+

Verify:

If node --version doesn't work, link it:

2.7 Install Git (if not already present)

2.8 Install Docker Desktop (needed for sandbox later)

Open Docker Desktop from Applications. Complete the setup. It needs to be running for sandboxing to work.

  3. Phase 1B: Install OpenClaw

3.1 Run the official installer

The installer will:

  • Detect Node.js
  • Install the OpenClaw CLI globally via npm
  • Launch the onboarding wizard automatically

3.2 Verify version (CRITICAL)

Must be 2026.2.9 or higher. If it's lower than 2026.1.29, you are vulnerable to CVE-2026-25253 (1-click RCE). Update immediately:
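As an added example (not the guide's or OpenClaw's own code), the two version floors stated above can be checked with a small shell function that compares the date-based version fields numerically rather than as strings, so that a release such as 2026.10.1 is not mistaken for something older than 2026.2.9. The guide's own command for printing the installed version is elided here, so the function takes the version string as an argument; the floors are the ones the guide gives.

```shell
# Added example (not from the guide or OpenClaw): compare date-based version
# strings field by field as integers. A plain string comparison would rank
# "2026.10.1" below "2026.2.9"; this does not.
MIN_SAFE_VERSION="2026.2.9"    # floor the guide requires
CVE_FLOOR="2026.1.29"          # below this the guide says CVE-2026-25253 applies

# version_ge A B -> exit 0 if A >= B
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0      # missing trailing field counts as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# version_status VERSION -> prints ok | outdated | vulnerable
version_status() {
    if version_ge "$1" "$MIN_SAFE_VERSION"; then
        echo ok
    elif version_ge "$1" "$CVE_FLOOR"; then
        echo outdated       # above the CVE floor but below what the guide requires
    else
        echo vulnerable
    fi
}

# Usage: pass whatever version string your OpenClaw install reports, e.g.
#   version_status "$INSTALLED_VERSION"   # INSTALLED_VERSION: set it from the CLI's output
```

Anything other than `ok` means stop and update before continuing with the onboarding wizard.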

3.3 Verify installation health

Fix anything it flags before proceeding.

  4. Phase 1C: Onboarding Wizard

The onboarding wizard (openclaw onboard) will walk you through configuration. Here's what to choose at each step:

4.1 Authentication

You need two API keys, one for each provider:

A) Moonshot AI API key (for Kimi K2.5, the primary model):

  1. Go to https://platform.moonshot.ai and create an account
  2. Navigate to the Console and create an API key
  3. Add credit ($5–10 to start is plenty)
  4. Save the key securely

B) Anthropic API key (for Claude Sonnet 4.5, the fallback model):

  1. Go to https://console.anthropic.com/
  2. Navigate to API Keys and generate a key
  3. Add credit ($5–10 to start)
  4. Save the key securely

When the onboarding wizard prompts for auth/model provider:

  • Choose Moonshot AI Kimi K2.5
  • Then choose kimi api key (.ai) (the international endpoint)
  • Paste your Moonshot API key when prompted
  • We'll add Anthropic as fallback after onboarding finishes

4.2 Gateway settings

  • Gateway mode: local (this is the default, keep it)
  • Gateway bind: 127.0.0.1 (localhost only; never 0.0.0.0)
  • Port: 18789 (default is fine)
  • Auth password: SET ONE. The wizard may prompt you. If not, set it immediately after:

Use a long random password (20+ characters). Store it in a password manager.

4.3 Model selection

The onboarding wizard handles Kimi K2.5 setup directly. When prompted:

  • Select Moonshot AI Kimi K2.5
  • Select kimi api key (.ai)
  • Paste your Moonshot API key

The wizard will configure Kimi K2.5 as your primary model automatically.

4.3.1 Add Claude Sonnet 4.5 as fallback (AFTER onboarding completes)

Once onboarding finishes, add Anthropic as a fallback provider so OpenClaw switches to Sonnet automatically if Kimi is rate-limited or down.

Step 1: Add your Anthropic API key:

Step 2: Add Sonnet as fallback + register alias:

Step 3: Verify the configuration:

You should see:

  • Primary: moonshotai/kimi-k2.5
  • Fallback 1: anthropic/claude-sonnet-4-5

Step 4: Restart:

Manual model switching in Telegram:

You can switch models mid-conversation:

4.3.2 Cost comparison (why this setup saves money)

Estimated monthly cost: $5–20/month (down from $50–150 with Opus 4.6)

  5. Phase 1D: Connect Telegram

5.1 Create your Telegram bot

  1. Open Telegram on your phone
  2. Search for @BotFather (verify the blue checkmark; it's the official bot)
  3. Send /newbot
  4. Follow the prompts:
    • Give it a name (e.g., "My OpenClaw Assistant")
    • Give it a username ending in bot (e.g., myopenclaw_bot)
  5. BotFather gives you a token; copy it and save it securely
  6. Optional but recommended BotFather settings:
    • Send /setjoingroups → choose your bot → select "Disable" (prevents adding to random groups)
    • Send /setprivacy → choose your bot → select "Enable" (limits what the bot sees in groups)

5.2 Configure Telegram in OpenClaw

Key settings explained:

  • dmPolicy: "pairing": strangers can't just message your bot. They get a pairing code you must approve.
  • configWrites: false: prevents anyone from changing your config through Telegram messages.

5.3 Disable group chat (security)

You don't want random groups triggering your agent.

5.4 Restart the gateway

5.5 Pair your Telegram account

  1. Open Telegram on your phone
  2. Search for your bot's username (e.g., @myopenclaw_bot)
  3. Send it any message (e.g., "hello")
  4. You'll receive a pairing code
  5. Approve it:

Or approve via the Control UI.

  6. Phase 1E: Test Basic Conversation

Send a message to your bot on Telegram:

If you get a coherent response identifying itself as Kimi K2.5, Phase 1 is complete.

If the response comes from Claude Sonnet instead, check your model routing; Kimi may be misconfigured or down. Run openclaw models status to debug.

Verify in the Control UI that the session appears and messages are logged.

  7. Phase 2A: Security Hardening

7.1 Run the security audit

Read every finding. Fix everything it flags. Common fixes:

7.2 Run the auto-fix

This tightens safe defaults and fixes file permissions.

7.3 Verify after fix

Should show no critical findings.

  8. Phase 2B: Docker Sandbox

The sandbox runs the agent's tool execution (shell commands, file operations) inside Docker containers. This limits the blast radius if the agent is tricked into doing something malicious.

8.1 Make sure Docker is running

Open Docker Desktop if it's not running. Verify:

8.2 Build the sandbox image

If the above doesn't work (the script path varies by install method), set sandbox mode and OpenClaw will auto-create containers:

8.3 Enable sandboxing

Settings explained:

  • mode: "all": ALL sessions run in Docker, including your main DM session
  • scope: "session": each session gets its own isolated container
  • workspaceAccess: "ro": the agent can READ the workspace but not WRITE to it from the sandbox

8.4 Network isolation for sandbox

network: "none" means sandbox containers have NO internet access. This is the safest option. The agent can still use OpenClaw's built-in web tools (those run on the gateway, not in the sandbox).

8.5 Resource limits

8.6 Restart and verify

The explain command shows you exactly what's sandboxed and what's not.

  9. Phase 2C: Tool Policy Lockdown

Tool policy controls WHICH tools the agent can use. Even inside the sandbox, you want to restrict what's available.

9.1 Deny dangerous tools

This blocks:

  • browser: prevents the agent from browsing the web autonomously (prompt injection risk from web content)
  • exec: prevents shell command execution
  • process: prevents background process management
  • apply_patch: prevents file patching
  • write / edit: prevents file system modifications

9.2 What remains allowed

With the above deny list, the agent can still:

  • Chat with you (core function)
  • Read files (read-only access)
  • Use web_search and web_fetch (built-in, not browser automation)
  • Use sessions tools
  • Use memory tools

9.3 Gradually enable tools as needed

Once you're comfortable, you can selectively re-enable tools:

Remember: deny wins over allow. Remove a tool from deny before adding it to allow.
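An added illustration of the deny-wins rule, not OpenClaw's own policy engine: the semantics modelled below (lists are space-separated tool names; a non-empty allow list acts as an explicit whitelist; a tool present on both lists stays blocked) are this example's assumptions, with the tool names taken from the deny list in 9.1. It shows why "add it to allow" alone does nothing and why the deny entry has to go first.

```shell
# Added example, not OpenClaw's policy engine: a minimal model of the rule
# "deny wins over allow". Assumptions of this example: lists are
# space-separated tool names, and a non-empty allow list is an explicit
# whitelist. The tool names come from the deny list in 9.1.
DENY_TOOLS="browser exec process apply_patch write edit"
ALLOW_TOOLS=""   # empty: anything not denied is available

# in_list WORD "LIST" -> 0 if WORD is one of the words in LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# tool_allowed TOOL "DENY" "ALLOW" -> 0 if the agent may call TOOL
tool_allowed() {
    if in_list "$1" "$2"; then
        return 1                      # deny always wins, even if also allowed
    fi
    if [ -z "$3" ]; then
        return 0                      # no allow list: open by default
    fi
    in_list "$1" "$3"
}

# conflicts "DENY" "ALLOW" -> prints tools present in both lists; these look
# enabled in the config but are silently blocked
conflicts() {
    for t in $2; do
        if in_list "$t" "$1"; then printf '%s\n' "$t"; fi
    done
}

# remove_from_list WORD "LIST" -> prints LIST without WORD (the "remove it
# from deny first" step from the note above)
remove_from_list() {
    out=""
    for w in $2; do
        [ "$w" = "$1" ] || out="$out $w"
    done
    printf '%s\n' "${out# }"
}

# Walk-through: re-enabling exec the wrong way, then the right way.
tool_allowed exec "$DENY_TOOLS" "exec" || echo "exec still blocked: it is on both lists"
DENY_AFTER=$(remove_from_list exec "$DENY_TOOLS")
tool_allowed exec "$DENY_AFTER" "exec" && echo "exec usable now; deny list: $DENY_AFTER"
```

Running `conflicts` over your own deny and allow lists is a quick way to spot a tool you believed you had re-enabled but that the deny entry is still blocking.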

9.4 Disable elevated mode

Elevated mode lets the agent escape the sandbox and run on the host. Disable it:

  10. Phase 2D: SOUL.md: Agent Identity & Boundaries

SOUL.md defines your agent's personality, knowledge, and hard boundaries. It is injected into every conversation as a system prompt.

10.1 Create your SOUL.md

10.2 Verify SOUL.md is loaded

Send a message to your bot on Telegram:

The response should reflect the SOUL.md rules.

10.3 Multi-model security note

⚠️ Important: Your SOUL.md boundaries are your primary defense against prompt injection. With Kimi K2.5 as your default model, the SOUL.md is even more critical than with Claude, because:

  • Anthropic models are specifically trained to resist prompt injection and to follow system instructions over user/content instructions. This is a core safety investment Anthropic makes.
  • Kimi K2.5 is optimized for agentic performance and benchmarks. Its adversarial robustness against prompt injection is less publicly tested and documented.
  • Your mitigation: the tool policy lockdown (Phase 2C) and Docker sandbox (Phase 2B) provide defense in depth. Even if the model follows a malicious instruction, the locked tools and sandbox limit what damage can actually occur.

If you ever notice the agent behaving unexpectedly (following instructions from content it's reading, attempting tool calls it shouldn't, or responding as if it has different instructions), immediately send /new to reset the session and investigate the session logs.

  11. Phase 2E: Tailscale Remote Access

Tailscale creates a private VPN mesh. You'll use it to access your Mac Mini's Control UI from your iPhone or personal Mac without exposing any ports to the internet.

11.1 Install Tailscale

Open Tailscale from Applications. Log in or create an account.

11.2 Install Tailscale on your iPhone

Download "Tailscale" from the App Store. Log in with the same account.

11.3 Verify mesh connectivity

On your Mac Mini:

You should see both your Mac Mini and iPhone listed with Tailscale IPs (100.x.x.x).

11.4 Access the Control UI remotely

From your iPhone's browser (connected to Tailscale), navigate to:

Replace 100.x.x.x with your Mac Mini's Tailscale IP. If the gateway auth password is set, you'll need to enter it.

Note: The gateway binds to 127.0.0.1, so Tailscale access requires the gateway to also listen on the Tailscale interface. You may need to adjust:

Tailscale traffic to localhost should work if Tailscale is properly configured. If not, you can bind to your Tailscale IP specifically, but never bind to 0.0.0.0.

  12. Phase 2F: API Spending Limits

12.1 Set limits on Moonshot Platform (primary: Kimi K2.5)

  1. Go to https://platform.moonshot.ai → Console
  2. Moonshot uses prepaid credits; recharge to add balance
  3. Recommended: load $5–10 initially, do NOT auto-reload
  4. Check your tier limits: Tier 1 ($10 recharged) gives 50 concurrent requests / 200 RPM
  5. Moonshot stops serving requests when credits run out (a natural spending cap)

Tip: Because Moonshot is prepaid, you physically can't overspend. This is actually safer than Anthropic's post-paid billing for cost control.

12.2 Set limits on Anthropic Console (fallback: Sonnet 4.5)

  1. Go to https://console.anthropic.com/
  2. Navigate to Settings → Plans & Billing → Spending Limits
  3. Set a monthly limit and a daily limit
  4. Recommended starting limits:
    • Daily: $5/day
    • Monthly: $50/month
  5. Set up email alerts at 50% and 80% of the limits

12.3 Monitor usage across both providers

Also check both dashboards regularly:

  • Moonshot: https://platform.moonshot.ai (Console → Usage)
  • Anthropic: https://console.anthropic.com/ (Usage tab)

  13. Phase 2G: File Permissions

OpenClaw stores sensitive data in plaintext. Lock down the directory:

All files should show rwx------ (owner only) or rw-------.
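The check below is an added example, not part of the guide or of OpenClaw: it walks a directory, reports every entry whose group or other permission bits are set, and tightens them to 700 for directories and 600 for files, which is what the rwx------ / rw------- expectation above amounts to. The directory is a parameter; the guide's target is ~/.openclaw/. It reads the mode column from `ls -ld` rather than `stat`, because that column is the same on macOS and Linux.

```shell
# Added example (not from the guide or OpenClaw): audit and tighten permissions
# under a directory so that only the owner can read it, matching the
# rwx------ / rw------- expectation above. `ls -ld` is used instead of stat
# because its mode column is identical on macOS and Linux.

# group_or_other_bits PATH -> prints the six group/other permission characters
group_or_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_owner_only DIR -> exit 0 if every entry is owner-only; otherwise prints
# each offending path and returns 1. Symlinks are skipped: their own mode bits
# are meaningless and chmod would follow them.
check_owner_only() {
    offenders=$(find "$1" ! -type l | while read -r p; do
        if [ "$(group_or_other_bits "$p")" != "------" ]; then
            printf '%s\n' "$p"
        fi
    done)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# fix_owner_only DIR -> directories 700, files 600 (what the lockdown aims for)
fix_owner_only() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Usage on the real store (the path is the guide's; adjust if yours differs):
#   check_owner_only "$HOME/.openclaw" || fix_owner_only "$HOME/.openclaw"
```

Running the check (without the fix) weekly alongside the security audit in the maintenance section catches permissions that a later install step, backup restore or editor has loosened again.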

  14. Phase 2H: LaunchAgent (24/7 Operation)

If the onboarding wizard installed the daemon, the gateway is already set to start on boot. Verify:

14.1 Check the LaunchAgent

You should see something like bot.molt.gateway.plist.

14.2 Verify it runs on boot

14.3 Prevent sleep (optional)

If you want the Mac Mini to never sleep (recommended for 24/7 operation):

System Settings → Energy → Prevent automatic sleeping when the display is off → Turn ON

14.4 Test restart

Reboot the Mac Mini:

After reboot, verify:

Send a test message from Telegram to confirm it's working.

  15. Phase 3: Matrix Migration

Matrix provides E2E encrypted messaging, meaning even the server operator can't read your messages.

15.1 Prerequisites

You need a Matrix account and homeserver. Options:

  • matrix.org (free, public): easiest but less private (public homeserver)
  • Self-hosted Synapse: most private, most complex
  • Element One (paid, hosted by Element): a good middle ground

15.2 Install the Matrix plugin

15.3 Configure Matrix

15.4 Enable E2E encryption

The Matrix plugin should support E2E encryption. Verify with:

Check that the Matrix channel shows encryption status.

15.5 Migrate primary communication

Once Matrix is working:

  1. Test with basic conversation
  2. Gradually shift your primary agent communication to Matrix
  3. Consider disabling Telegram once Matrix is stable:

  16. Maintenance & Updates

16.1 Regular security audits

Run weekly:

16.2 Check for exposed instances

Confirm your gateway isn't open to the public internet:
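The guide's own command for this check is elided here. As an added example (not the guide's or OpenClaw's code) that serves both this step and the bind note in 11.4, the function below reads the output of `lsof -nP -iTCP:18789 -sTCP:LISTEN` and flags any listener on the gateway port bound to a wildcard address (`*`, `0.0.0.0` or `[::]`). A loopback bind or a bind to a Tailscale 100.x.x.x address passes; the sample lines embedded below are constructed to resemble lsof output and are not from a real host.

```shell
# Added example (not from the guide or OpenClaw): detect a gateway listener
# that is reachable from every interface. Feed it lsof output, e.g.
#   lsof -nP -iTCP:"$GATEWAY_PORT" -sTCP:LISTEN | wildcard_listeners
GATEWAY_PORT=18789   # the guide's default gateway port

# wildcard_listeners [PORT] < lsof-output -> prints "COMMAND ADDRESS" for each
# listener on PORT whose host part is a wildcard; returns 1 if any were found.
wildcard_listeners() {
    port="${1:-$GATEWAY_PORT}"
    found=$(awk -v port="$port" '
        $NF == "(LISTEN)" {
            addr = $(NF - 1)                       # e.g. 127.0.0.1:18789 or *:18789
            n = split(addr, parts, ":"); p = parts[n]
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p == port && (host == "*" || host == "0.0.0.0" || host == "[::]"))
                print $1, addr
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample resembling `lsof -nP -iTCP:18789 -sTCP:LISTEN` output:
# one loopback bind, one Tailscale-interface bind, and one wildcard bind.
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node    41234 alice   23u  IPv4 0x1234      0t0  TCP 127.0.0.1:18789 (LISTEN)
node    41234 alice   24u  IPv4 0x1235      0t0  TCP 100.101.102.103:18789 (LISTEN)
node    55555 alice   12u  IPv4 0x1236      0t0  TCP *:18789 (LISTEN)'

printf '%s\n' "$SAMPLE_LSOF" | wildcard_listeners || echo "gateway exposed on all interfaces (see above)"
```

A non-zero exit is the condition to act on: the bind must go back to 127.0.0.1 (or the Tailscale address, as 11.4 allows) before anything else in the maintenance list.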

16.3 Rotate credentials

Every 3 months:

  1. Rotate your Moonshot API key (generate a new one at platform.moonshot.ai → update config → delete the old one)
  2. Rotate your Anthropic API key (generate a new one → update config → revoke the old one)
  3. Rotate your Telegram bot token (via @BotFather /revoke → update config)
  4. Rotate your gateway auth password
  5. Rotate exchange API keys

16.4 Monitor API usage

If you see an unusual spike, investigate immediately; it may be a runaway loop or a compromised agent.

  17. Emergency Procedures

If you suspect a compromise

If the API bill is abnormally high

If the agent behaves abnormally

  • OpenClaw Security Docs: https://docs.openclaw.ai/gateway/security
  • GitHub Security Advisories: https://github.com/openclaw/openclaw/security
  • Koi Security's Clawdex (skill scanner): https://clawdex.koi.security (check any skill with the web version before considering installing it)
  • VirusTotal Blog on OpenClaw: https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html

Thanks for reading; any feedback is very welcome.

Link: http://x.com/i/article/2021589783143710720

相关笔记

Over the past few weeks, we've been bombarded with articles explaining how to set up OpenClaw: what to avoid, what the best configuration is, what safety measures to take, etc. It's overwhelming.

在过去几周里,我们被各种讲解如何配置 OpenClaw 的文章“狂轰滥炸”:哪些坑要避、最佳配置是什么、需要做哪些安全措施,等等。信息量大到让人喘不过气。

So I took a Google Doc, dumped 20+ articles into it, and fed it to Opus 4.6.

于是我开了一个 Google Doc,把 20+ 篇文章一股脑倒进去,然后喂给 Opus 4.6。

The prompt was:

我的提示词是:

"Based on all the information in this Google Doc, create the best OpenClaw setup guide. Don't take anything written here as gospel, cross-reference and back up every claim with other sources. Use the content as a starting framework for thinking, not as trusted fact."

“基于这份 Google Doc 里的所有信息,创建一份最好的 OpenClaw 搭建指南。不要把这里写的任何内容当作金科玉律;请与其他来源交叉验证,并为每一条主张提供佐证。把这些内容当作思考的起始框架,而不是可信事实。”

Here's what it gave me:

它给我的输出如下:

What is covered in this article:

本文覆盖内容:

Pre-Setup: Threat Model

预备:威胁模型

Phase 1A: Mac Mini Initial Setup

阶段 1A:Mac Mini 初始设置

Phase 1B: Install OpenClaw

阶段 1B:安装 OpenClaw

Phase 1C: Onboarding Wizard

阶段 1C:引导向导(Onboarding Wizard)

Phase 1D: Connect Telegram

阶段 1D:连接 Telegram

Phase 1E: Test Basic Conversation

阶段 1E:测试基础对话

Phase 2A: Security Hardening

阶段 2A:安全加固

Phase 2B: Docker Sandbox

阶段 2B:Docker 沙箱

Phase 2C: Tool Policy Lockdown

阶段 2C:工具策略(Tool Policy)锁定

Phase 2D: SOUL.md — Agent Identity & Boundaries

阶段 2D:SOUL.md — 智能体身份与边界

Phase 2E: Tailscale Remote Access

阶段 2E:Tailscale 远程访问

Phase 2F: API Spending Limits

阶段 2F:API 支出上限

Phase 2G: File Permissions

阶段 2G:文件权限

Phase 2H: LaunchAgent (24/7 Operation)

阶段 2H:LaunchAgent(7×24 小时运行)

Phase 3: Matrix Migration

阶段 3:迁移到 Matrix

Maintenance & Updates

维护与更新

Emergency Procedures

应急流程

  1. Pre-Setup: Threat Model
  1. 预备:威胁模型

Before touching the keyboard, understand what you're defending against:

在你摸键盘之前,先弄清楚你要防的是谁、会怎么攻击:

What attackers target in your setup

攻击者在你的配置里会盯上的目标

Malicious ClawHub skill: You install a skill that looks legitimate. It contains Atomic Stealer malware that harvests your keychain, browser passwords, wallet files, and API keys.

恶意 ClawHub skill:你安装了一个看起来很“正规”的 skill,里面却藏着 Atomic Stealer 恶意软件,专门窃取你的钥匙串、浏览器密码、钱包文件和 API key。

Prompt injection via message: Someone sends you a crafted Telegram message or email. When the agent reads it, hidden instructions tell it to exfiltrate your exchange API keys or execute shell commands.

通过消息进行提示词注入(prompt injection):有人给你发一条精心构造的 Telegram 消息或邮件。当智能体读取时,隐藏指令会让它把你的交易所 API key 外传,或执行 shell 命令。

Runaway automation loops: A prompt injection or buggy skill causes the agent to make API calls in an infinite loop.

失控的自动化循环:提示词注入或有 bug 的 skill 让智能体陷入无限循环调用 API。

Memory poisoning: Malicious payload injected into agent memory on Day 1, triggers weeks later when conditions align.

记忆投毒:第 1 天就把恶意载荷注入到智能体记忆中,等到数周后条件满足才触发。

Credential harvesting: ~/.openclaw/ stores API keys, bot tokens, OAuth tokens, and conversation history in plaintext files. Any malware that reads these files owns everything.

凭据窃取:~/.openclaw/ 会把 API key、bot token、OAuth token 和对话历史以明文文件存储。任何能读到这些文件的恶意软件,都等于掌控了你的一切。

  1. Phase 1A: Mac Mini Initial Setup
  1. 阶段 1A:Mac Mini 初始设置

2.1 First boot

2.1 首次开机

Power on your Mac Mini M4. Complete the macOS setup wizard:

启动你的 Mac Mini M4,完成 macOS 的设置向导:

  • Create your user account
  • 创建你的用户账户
  • Enable FileVault (full-disk encryption) — this is critical
  • 启用 FileVault(全盘加密)——这一步至关重要
  • Connect to Wi-Fi
  • 连接 Wi‑Fi
  • Skip iCloud if this is a dedicated OpenClaw machine (recommended)
  • 如果这是一台专用的 OpenClaw 机器,跳过 iCloud(推荐)
  • Install macOS updates — run System Settings → General → Software Update
  • 安装 macOS 更新——进入 系统设置 → 通用 → 软件更新

2.2 System security settings

2.2 系统安全设置

Open System Settings → Privacy & Security:

打开 系统设置 → 隐私与安全性:

  • Firewall: Turn ON
  • 防火墙:打开
  • Allow applications downloaded from: "App Store and identified developers"
  • 允许从以下位置下载的应用程序:“App Store 和已识别的开发者”

2.3 Open Terminal

2.3 打开终端

Open Terminal.app (Applications → Utilities → Terminal, or Spotlight: ⌘+Space → type "Terminal").

打开 Terminal.app(应用程序 → 实用工具 → 终端,或使用聚焦搜索:⌘+Space → 输入 “Terminal”)。

All commands below are run in Terminal.

下面所有命令都在终端中运行。

2.4 Install Xcode Command Line Tools

2.4 安装 Xcode 命令行工具

A popup appears. Click "Install". Wait for it to complete (a few minutes).

会弹出一个窗口。点击 “Install”。等待其完成(几分钟)。

2.5 Install Homebrew

2.5 安装 Homebrew

Follow the on-screen instructions. At the end, it will tell you to run two commands to add Homebrew to your PATH. Run those commands. They look like:

按屏幕提示操作。最后它会提示你运行两条命令,把 Homebrew 加入 PATH。把那两条命令执行掉。看起来像这样:

Verify:

验证:

2.6 Install Node.js 22+

2.6 安装 Node.js 22+

Verify:

验证:

If node --version doesn't work, link it:

如果 node --version 不生效,把它 link 一下:

2.7 Install Git (if not already present)

2.7 安装 Git(如果系统还没有)

2.8 Install Docker Desktop (needed for sandbox later)

2.8 安装 Docker Desktop(后面做沙箱需要)

Open Docker Desktop from Applications. Complete the setup. It needs to be running for sandboxing to work.

从“应用程序”里打开 Docker Desktop,完成初始化设置。要让沙箱生效,Docker 必须保持运行。

  1. Phase 1B: Install OpenClaw
  1. 阶段 1B:安装 OpenClaw

3.1 Run the official installer

3.1 运行官方安装器

The installer will:

安装器会:

  • Detect Node.js
  • 检测 Node.js
  • Install the OpenClaw CLI globally via npm
  • 通过 npm 全局安装 OpenClaw CLI
  • Launch the onboarding wizard automatically
  • 自动启动引导向导

3.2 Verify version (CRITICAL)

3.2 验证版本(关键)

Must be 2026.2.9 or higher. If it's lower than 2026.1.29, you are vulnerable to CVE-2026-25253 (1-click RCE). Update immediately:

必须是 2026.2.9 或更高版本。如果低于 2026.1.29,你会受到 CVE-2026-25253(1-click RCE)影响。立刻更新:

3.3 Verify installation health

3.3 验证安装健康状况

Fix anything it flags before proceeding.

继续之前,把它提示的所有问题都修好。

  1. Phase 1C: Onboarding Wizard
  1. 阶段 1C:引导向导(Onboarding Wizard)

The onboarding wizard (openclaw onboard) will walk you through configuration. Here's what to choose at each step:

引导向导(openclaw onboard)会带你完成配置。下面是每一步建议怎么选:

4.1 Authentication

4.1 身份认证

You need two API keys — one for each provider:

你需要两把 API key——每个提供商一把:

A) Moonshot AI API key (for Kimi K2.5 — primary model):

A) Moonshot AI API key(用于 Kimi K2.5——主模型):

  1. Go to https://platform.moonshot.ai and create an account
  1. 前往 https://platform.moonshot.ai 并注册账号
  1. Navigate to the Console and create an API key
  1. 进入 Console 创建 API key
  1. Add credit ($5–10 to start is plenty)
  1. 充值(先充 $5–10 足够)
  1. Save the key securely
  1. 安全保存这把 key

B) Anthropic API key (for Claude Sonnet 4.5 — fallback model):

B) Anthropic API key(用于 Claude Sonnet 4.5——备用模型):

  1. Go to https://console.anthropic.com/
  1. 前往 https://console.anthropic.com/
  1. Navigate to API Keys and generate a key
  1. 进入 API Keys 生成一把 key
  1. Add credit ($5–10 to start)
  1. 充值(先充 $5–10)
  1. Save the key securely
  1. 安全保存这把 key

When the onboarding wizard prompts for auth/model provider:

当引导向导提示选择认证/模型提供商时:

  • Choose Moonshot AI Kimi K2.5
  • 选择 Moonshot AI Kimi K2.5
  • Then choose kimi api key (.ai) (the international endpoint)
  • 然后选择 kimi api key (.ai)(国际端点)
  • Paste your Moonshot API key when prompted
  • 按提示粘贴你的 Moonshot API key
  • We'll add Anthropic as fallback after onboarding finishes
  • 引导结束后我们再把 Anthropic 作为备用加上

4.2 Gateway settings

4.2 Gateway 设置

  • Gateway mode: local (this is the default, keep it)
  • Gateway mode:local(默认值,保持不变)
  • Gateway bind: 127.0.0.1 (localhost only — never 0.0.0.0)
  • Gateway bind:127.0.0.1(只监听 localhost——绝不要用 0.0.0.0
  • Port: 18789 (default is fine)
  • Port:18789(默认即可)
  • Auth password: SET ONE. The wizard may prompt you. If not, set it immediately after:
  • Auth password:一定要设置。向导可能会提示你;如果没提示,向导结束立刻设置:

Use a long random password (20+ characters). Store it in a password manager.

使用足够长的随机密码(20+ 字符),并存入密码管理器。

4.3 Model selection

4.3 模型选择

The onboarding wizard handles Kimi K2.5 setup directly. When prompted:

引导向导会直接处理 Kimi K2.5 的设置。出现提示时:

  • Select Moonshot AI Kimi K2.5
  • 选择 Moonshot AI Kimi K2.5
  • Select kimi api key (.ai)
  • 选择 kimi api key (.ai)
  • Paste your Moonshot API key
  • 粘贴你的 Moonshot API key

The wizard will configure Kimi K2.5 as your primary model automatically.

向导会自动把 Kimi K2.5 配置为你的主模型。

4.3.1 Add Claude Sonnet 4.5 as fallback (AFTER onboarding completes)

4.3.1 把 Claude Sonnet 4.5 作为备用(在引导结束后)

Once onboarding finishes, add Anthropic as a fallback provider so OpenClaw switches to Sonnet automatically if Kimi is rate-limited or down.

引导完成后,把 Anthropic 加成备用提供商,这样当 Kimi 被限流或不可用时,OpenClaw 会自动切换到 Sonnet。

Step 1: Add your Anthropic API key:

第 1 步:添加你的 Anthropic API key:

Step 2: Add Sonnet as fallback + register alias:

第 2 步:把 Sonnet 设为备用 + 注册别名:

Step 3: Verify the configuration:

第 3 步:验证配置:

You should see:

你应该能看到:

  • Primary: moonshotai/kimi-k2.5
  • Primary:moonshotai/kimi-k2.5
  • Fallback 1: anthropic/claude-sonnet-4-5
  • Fallback 1:anthropic/claude-sonnet-4-5

Step 4: Restart:

第 4 步:重启:

Manual model switching in Telegram:

在 Telegram 里手动切换模型:

You can switch models mid-conversation:

你可以在同一段对话中途切换模型:

4.3.2 Cost comparison (why this setup saves money)

4.3.2 成本对比(为什么这套配置更省钱)

Estimated monthly cost: $5–20/month (down from $50–150 with Opus 4.6)

预计月成本:$5–20/月(相比使用 Opus 4.6 的 $50–150 大幅降低)

  1. Phase 1D: Connect Telegram
  1. 阶段 1D:连接 Telegram

5.1 Create your Telegram bot

5.1 创建你的 Telegram bot

  1. Open Telegram on your phone
  1. 在手机上打开 Telegram
  1. Search for @ BotFather (verify the blue checkmark — it's the official bot)
  1. 搜索 @ BotFather(确认蓝色认证标记——这是官方 bot)
  1. Send /newbot
  1. 发送 /newbot
  1. Follow prompts:
  1. 按提示操作:
  • Give it a name (e.g., "My OpenClaw Assistant")
  • 给它起个名字(例如 “My OpenClaw Assistant”)
  • Give it a username ending in bot (e.g., myopenclaw_bot)
  • 给它起一个以 bot 结尾的用户名(例如 myopenclaw_bot
  1. BotFather gives you a*token — copy it and save it securely
  1. BotFather 会给你一个*token ——复制并安全保存
  1. Optional but recommended BotFather settings:
  1. 可选但推荐的 BotFather 设置:
  • Send /setjoingroups → choose your bot → select "Disable" (prevents adding to random groups)
  • 发送 /setjoingroups → 选择你的 bot → 选 “Disable”(防止被加进乱七八糟的群)
  • Send /setprivacy → choose your bot → select "Enable" (limits what bot sees in groups)
  • 发送 /setprivacy → 选择你的 bot → 选 “Enable”(限制 bot 在群里能看到的内容)

5.2 Configure Telegram in OpenClaw

5.2 在 OpenClaw 中配置 Telegram

Key settings explained:

关键设置说明:

  • dmPolicy: "pairing" — strangers can't just message your bot. They get a pairing code you must approve.
  • dmPolicy: "pairing" ——陌生人不能直接给你的 bot 发消息;他们会拿到一个配对码,需要你批准。
  • configWrites: false — prevents anyone from changing your config through Telegram messages.
  • configWrites: false ——阻止任何人通过 Telegram 消息改你的配置。

5.3 Disable group chat (security)

5.3 禁用群聊(安全)

You don't want random groups triggering your agent.

你不希望随机群组触发你的智能体。

5.4 Restart the gateway

5.4 重启 gateway

5.5 Pair your Telegram account

5.5 配对你的 Telegram 账号

  1. Open Telegram on your phone
  1. 在手机上打开 Telegram
  1. Search for your bot's username (e.g., @myopenclaw_bot)
  1. 搜索你的 bot 用户名(例如 @myopenclaw_bot
  1. Send it any message (e.g., "hello")
  1. 给它发任意消息(例如 “hello”)
  1. You'll receive a pairing code
  1. 你会收到一个配对码
  1. Approve it:
  1. 批准它:

Or approve via the Control UI.

或者在 Control UI 里批准。

  1. Phase 1E: Test Basic Conversation
  1. 阶段 1E:测试基础对话

Send a message to your bot on Telegram:

在 Telegram 里给你的 bot 发一条消息:

If you get a coherent response identifying itself as Kimi K2.5, Phase 1 is complete.

如果你收到一条连贯的回复,并且它表明自己是 Kimi K2.5,那么阶段 1 就完成了。

If the response comes from Claude Sonnet instead, check your model routing — Kimi may be misconfigured or down. Run openclaw models status to debug.

如果回复来自 Claude Sonnet,请检查你的模型路由——Kimi 可能配置错了或暂时不可用。运行 openclaw models status 排查。

Verify in the Control UI that the session appears and messages are logged.

在 Control UI 中确认会话出现,且消息有记录。

  1. Phase 2A: Security Hardening
  1. 阶段 2A:安全加固

7.1 Run the security audit

7.1 运行安全审计

Read every finding. Fix everything it flags. Common fixes:

逐条阅读每一个发现项,把它标记的问题全部修掉。常见修复包括:

7.2 Run the auto-fix

7.2 运行自动修复

This tightens safe defaults and fixes file permissions.

这会收紧安全默认值并修复文件权限。

7.3 Verify after fix

7.3 修复后再次验证

Should show no critical findings.

应当不再有关键级别(critical)的发现项。

  1. Phase 2B: Docker Sandbox
  1. 阶段 2B:Docker 沙箱

The sandbox runs the agent's tool execution (shell commands, file operations) inside Docker containers. This limits the blast radius if the agent is tricked into doing something malicious.

沙箱会把智能体的工具执行(shell 命令、文件操作)放进 Docker 容器里运行。这样即便智能体被诱导做了恶意操作,爆炸半径也会被限制。

8.1 Make sure Docker is running

8.1 确认 Docker 正在运行

Open Docker Desktop if it's not running. Verify:

如果没运行就打开 Docker Desktop。验证:

8.2 Build the sandbox image

8.2 构建沙箱镜像

If the above doesn't work (script path varies by install method), set sandbox mode and OpenClaw will auto-create containers:

如果上面不生效(脚本路径会因安装方式不同而变化),直接设置沙箱模式,OpenClaw 会自动创建容器:

8.3 Enable sandboxing

8.3 启用沙箱

Settings explained:

设置说明:

  • mode: "all" — ALL sessions run in Docker, including your main DM session
  • mode: "all" ——所有会话都在 Docker 中运行,包括你的主 DM 会话
  • scope: "session" — each session gets its own isolated container
  • scope: "session" ——每个会话使用各自隔离的容器
  • workspaceAccess: "ro" — agent can READ the workspace but not WRITE to it from sandbox
  • workspaceAccess: "ro" ——智能体可以读取工作区,但在沙箱内不能写入

8.4 Network isolation for sandbox

8.4 沙箱的网络隔离

network: "none" means sandbox containers have NO internet access. This is the safest option. The agent can still use OpenClaw's built-in web tools (those run on the gateway, not in the sandbox).

network: "none" 表示沙箱容器完全没有互联网访问能力。这是最安全的选项。智能体仍然可以使用 OpenClaw 内置的 web 工具(这些运行在 gateway 上,而不是在沙箱里)。

8.5 Resource limits

8.5 资源限制

8.6 Restart and verify

8.6 重启并验证

The explain command shows you exactly what's sandboxed and what's not.

explain 命令会明确告诉你:哪些被沙箱化了、哪些没有。

  1. Phase 2C: Tool Policy Lockdown
  1. 阶段 2C:工具策略(Tool Policy)锁定

Tool policy controls WHICH tools the agent can use. Even inside the sandbox, you want to restrict what's available.

工具策略决定智能体能用哪些工具。即便在沙箱里,你也应该限制可用工具的范围。

9.1 Deny dangerous tools

9.1 禁用危险工具

This blocks:

这会屏蔽:

  • browser — prevents the agent from browsing the web autonomously (prompt injection risk from web content)
  • browser ——防止智能体自主浏览网页(网页内容存在提示词注入风险)
  • exec — prevents shell command execution
  • exec ——禁止执行 shell 命令
  • process — prevents background process management
  • process ——禁止后台进程管理
  • apply_patch — prevents file patching
  • apply_patch ——禁止打补丁修改文件
  • write / edit — prevents file system modifications
  • write / edit ——禁止修改文件系统

9.2 What remains allowed

9.2 仍然允许什么

With the above deny list, the agent can still:

在上述 deny 列表下,智能体仍然可以:

  • Chat with you (core function)
  • 和你聊天(核心功能)
  • Read files (read-only access)
  • 读取文件(只读访问)
  • Use web_search and web_fetch (built-in, not browser automation)
  • 使用 web_search 和 web_fetch(内置工具,不是浏览器自动化)
  • Use sessions tools
  • 使用会话(sessions)工具
  • Use memory tools
  • 使用记忆(memory)工具

9.3 Gradually enable tools as needed

9.3 按需逐步放开工具

Once you're comfortable, you can selectively re-enable tools:

当你更有把握之后,可以选择性重新启用工具:

Remember: deny wins over allow. Remove a tool from deny before adding it to allow.

记住:deny 优先于 allow。先把工具从 deny 里移除,再把它加入 allow。

9.4 Disable elevated mode

9.4 禁用 elevated mode

Elevated mode lets the agent escape the sandbox and run on the host. Disable it:

elevated mode 允许智能体逃出沙箱并在宿主机上运行。把它关掉:

  1. Phase 2D: SOUL.md — Agent Identity & Boundaries
  1. 阶段 2D:SOUL.md — 智能体身份与边界

SOUL.md defines your agent's personality, knowledge, and hard boundaries. This is injected into every conversation as a system prompt.

SOUL.md 定义你的智能体性格、知识范围与硬边界。它会作为系统提示词注入到每一次对话中。

10.1 Create your SOUL.md

10.1 创建你的 SOUL.md

10.2 Verify SOUL.md is loaded

10.2 验证 SOUL.md 已加载

Send a message to your bot on Telegram:

在 Telegram 里给你的 bot 发一条消息:

The response should reflect the SOUL.md rules.

回复应当能体现 SOUL.md 的规则。

10.3 Multi-model security note

10.3 多模型安全提示

⚠️ Important: Your SOUL.md boundaries are your primary defense against prompt injection. With Kimi K2.5 as your default model, the SOUL.md is even more critical than with Claude, because:

⚠️ 重要:SOUL.md 的边界是你对抗提示词注入的首要防线。把 Kimi K2.5 作为默认模型时,SOUL.md 甚至比使用 Claude 时更关键,因为:

  • Anthropic models are specifically trained to resist prompt injection and follow system instructions over user/content instructions. This is a core safety investment Anthropic makes.
  • Anthropic 的模型经过专门训练,更能抵御提示词注入,并且会优先遵循系统指令而不是用户/内容指令。这是 Anthropic 在安全方面的重要投入。
  • Kimi K2.5 is optimized for agentic performance and benchmarks. Its adversarial robustness against prompt injection is less publicly tested and documented.
  • Kimi K2.5 更偏向智能体能力与基准表现优化。它对提示词注入的对抗鲁棒性,公开测试与文档相对更少。
  • Your mitigation: The tool policy lockdown (Phase 2C) and Docker sandbox (Phase 2B) provide defense-in-depth. Even if the model follows a malicious instruction, the locked tools and sandbox limit what damage can actually occur.
  • 你的缓解手段:工具策略锁定(阶段 2C)与 Docker 沙箱(阶段 2B)提供纵深防御。即便模型真的执行了恶意指令,被锁定的工具与沙箱也会限制真实可造成的破坏。

If you ever notice the agent behaving unexpectedly — following instructions from content it's reading, attempting tool calls it shouldn't, or responding as if it has different instructions — immediately send /new to reset the session and investigate the session logs.

如果你发现智能体出现异常行为——比如它在遵循所读内容中的指令、尝试调用不该调用的工具、或仿佛拥有了不同的指令集——请立刻发送 /new 重置会话,并排查会话日志。

  1. Phase 2E: Tailscale Remote Access
  1. 阶段 2E:Tailscale 远程访问

Tailscale creates a private VPN mesh. You'll use it to access your Mac Mini's Control UI from your iPhone or personal Mac without exposing any ports to the internet.

Tailscale 会创建一个私有 VPN 网状网络。你将用它从 iPhone 或个人 Mac 访问 Mac Mini 的 Control UI,而无需把任何端口暴露到互联网。

11.1 Install Tailscale

11.1 安装 Tailscale

Open Tailscale from Applications. Log in or create an account.

从“应用程序”里打开 Tailscale,登录或创建账号。

11.2 Install Tailscale on your iPhone

11.2 在 iPhone 上安装 Tailscale

Download "Tailscale" from the App Store. Log in with the same account.

在 App Store 下载 “Tailscale”,并用同一个账号登录。

11.3 Verify mesh connectivity

11.3 验证网状网络连通性

On your Mac Mini:

在你的 Mac Mini 上:

You should see both your Mac Mini and iPhone listed with Tailscale IPs (100.x.x.x).

你应该能看到 Mac Mini 和 iPhone 都列出,并带有 Tailscale IP(100.x.x.x)。

11.4 Access Control UI remotely

11.4 远程访问 Control UI

From your iPhone's browser (connected to Tailscale), navigate to:

在 iPhone 的浏览器中(已连接 Tailscale),访问:

Replace 100.x.x.x with your Mac Mini's Tailscale IP. If the gateway auth password is set, you'll need to enter it.

100.x.x.x 替换为你的 Mac Mini 的 Tailscale IP。如果设置了 gateway 的 auth password,你还需要输入它。

Note: The gateway binds to 127.0.0.1, so Tailscale access requires the gateway to also listen on the Tailscale interface. You may need to adjust:

注意:gateway 绑定在 127.0.0.1 上,因此要通过 Tailscale 访问,gateway 也需要监听 Tailscale 网卡接口。你可能需要调整:

Tailscale traffic to localhost should work if Tailscale is properly configured. If not, you can bind to your Tailscale IP specifically — but never bind to 0.0.0.0.

如果 Tailscale 配置正确,走到 localhost 的流量应该能工作。否则你可以把 bind 指向你的 Tailscale IP——但永远不要 bind 到 0.0.0.0

  1. Phase 2F: API Spending Limits
  1. 阶段 2F:API 支出上限

12.1 Set limits on Moonshot Platform (primary — Kimi K2.5)

12.1 在 Moonshot Platform 设置上限(主用——Kimi K2.5)

  1. Go to https://platform.moonshot.ai → Console
  1. 前往 https://platform.moonshot.ai → Console
  1. Moonshot uses prepaid credits — recharge to add balance
  1. Moonshot 使用预付费点数——充值即可增加余额
  1. Recommended: Load $5–10 initially, do NOT auto-reload
  1. 推荐:先充值 $5–10,不要开启自动续费/自动充值
  1. Check your tier limits — Tier 1 ($10 recharged) gives 50 concurrent requests / 200 RPM
  1. 检查你的分层限制——Tier 1(充值 $10)提供 50 并发请求 / 200 RPM
  1. Moonshot stops serving requests when credits run out (natural spending cap)
  1. 点数用完后 Moonshot 会停止服务请求(天然的支出上限)

Tip: Because Moonshot is prepaid, you physically can't overspend. This is actually safer than Anthropic's post-paid billing for cost control.

提示:因为 Moonshot 是预付费,你从物理上就不可能超支。就成本控制而言,这其实比 Anthropic 的后付费计费更安全。

12.2 Set limits on Anthropic Console (fallback — Sonnet 4.5)

12.2 在 Anthropic Console 设置上限(备用——Sonnet 4.5)

  1. Go to https://console.anthropic.com/
  1. 前往 https://console.anthropic.com/
  1. Navigate to Settings → Plans & Billing → Spending Limits
  1. 进入 Settings → Plans & Billing → Spending Limits
  1. Set a monthly limit and a daily limit
  1. 设置月度上限和每日上限
  1. Recommended starting limits:
  1. 推荐的初始上限:
  • Daily: $5/day
  • 每日:$5/day
  • Monthly: $50/month
  • 每月:$50/month
  1. Set up email alerts at 50% and 80% of limits
  1. 配置 50% 与 80% 的邮件提醒

12.3 Monitor usage across both providers

12.3 同时监控两家提供商的用量

Also check both dashboards regularly:

也要定期查看两边的仪表盘:

  • Moonshot: https://platform.moonshot.ai (Console → Usage)
  • Moonshot:https://platform.moonshot.ai(Console → Usage)
  • Anthropic: https://console.anthropic.com/ (Usage tab)
  • Anthropic:https://console.anthropic.com/(Usage 标签页)
  1. Phase 2G: File Permissions
  1. 阶段 2G:文件权限

OpenClaw stores sensitive data in plaintext. Lock down the directory:

OpenClaw 会以明文存储敏感数据。把目录权限锁紧:

All files should show rwx------ (owner only) or rw-------.

所有文件应显示 rwx------(仅所有者)或 rw-------

  14. Phase 2H: LaunchAgent (24/7 Operation)

If the onboarding wizard installed the daemon, the gateway is already set to start on boot. Verify:

14.1 Check LaunchAgent

You should see something like bot.molt.gateway.plist.

14.2 Verify it runs on boot

14.3 Prevent sleep (optional)

If you want the Mac Mini to never sleep (recommended for 24/7 operation):

System Settings → Energy → Prevent automatic sleeping when the display is off → Turn ON

14.4 Test restart

Reboot the Mac Mini:

After reboot, verify:

Send a test message from Telegram to confirm it's working.

  15. Phase 3: Matrix Migration

Matrix provides E2E encrypted messaging, meaning even the server operator can't read your messages.

15.1 Prerequisites

You need a Matrix account and homeserver. Options:

  • matrix.org (free, public) — easiest but less private (public homeserver)
  • Self-hosted Synapse — most private, most complex
  • Element One (paid, hosted by Element) — good middle ground

15.2 Install the Matrix plugin

15.3 Configure Matrix

15.4 Enable E2E encryption

The Matrix plugin should support E2E encryption. Verify with:

Check that the Matrix channel shows encryption status.

15.5 Migrate primary communication

Once Matrix is working:

  1. Test with basic conversation
  2. Gradually shift your primary agent communication to Matrix
  3. Consider disabling Telegram once Matrix is stable:

  16. Maintenance & Updates

16.1 Regular security audits

Run weekly:

16.2 Check for exposed instances

Verify your gateway is not publicly accessible:

16.3 Rotate credentials

Every 3 months:

  1. Rotate your Moonshot API key (generate new on platform.moonshot.ai → update config → delete old)
  2. Rotate your Anthropic API key (generate new → update config → revoke old)
  3. Rotate your Telegram bot token (via @BotFather /revoke → update config)
  4. Rotate your gateway auth password
  5. Rotate exchange API keys

16.4 Monitor API usage

If you see unexpected spikes, investigate immediately — could be a runaway loop or compromised agent.

  17. Emergency Procedures

If you suspect compromise

If API bill is unexpectedly high

If agent behaves erratically

  • OpenClaw Security Docs: https://docs.openclaw.ai/gateway/security
  • GitHub Security Advisories: https://github.com/openclaw/openclaw/security
  • Koi Security's Clawdex (skill scanner): https://clawdex.koi.security (use web version to check skills before considering any install)
  • VirusTotal Blog on OpenClaw: https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html

Thanks for reading, happy to get any feedback on this.

Link: http://x.com/i/article/2021589783143710720

Related notes

I Fed 20+ OpenClaw Articles to Opus 4.6 - Here's the Setup Guide It Built

  • Source: https://x.com/witcheer/status/2021610036980543767?s=46
  • Mirror: https://x.com/witcheer/status/2021610036980543767?s=46
  • Published: 2026-02-11T15:39:27+00:00
  • Saved: 2026-02-12

Content

Over the past few weeks, we've been bombarded with articles explaining how to set up OpenClaw: what to avoid, what the best configuration is, what safety measures to take, etc. It's overwhelming.

So I took a Google Doc, dumped 20+ articles into it, and fed it to Opus 4.6.

The prompt was:

"Based on all the information in this Google Doc, create the best OpenClaw setup guide. Don't take anything written here as gospel, cross-reference and back up every claim with other sources. Use the content as a starting framework for thinking, not as trusted fact."

Here's what it gave me:

What is covered in this article:

Pre-Setup: Threat Model

Phase 1A: Mac Mini Initial Setup

Phase 1B: Install OpenClaw

Phase 1C: Onboarding Wizard

Phase 1D: Connect Telegram

Phase 1E: Test Basic Conversation

Phase 2A: Security Hardening

Phase 2B: Docker Sandbox

Phase 2C: Tool Policy Lockdown

Phase 2D: SOUL.md — Agent Identity & Boundaries

Phase 2E: Tailscale Remote Access

Phase 2F: API Spending Limits

Phase 2G: File Permissions

Phase 2H: LaunchAgent (24/7 Operation)

Phase 3: Matrix Migration

Maintenance & Updates

Emergency Procedures

  1. Pre-Setup: Threat Model

Before touching the keyboard, understand what you're defending against:

What attackers target in your setup

Malicious ClawHub skill: You install a skill that looks legitimate. It contains Atomic Stealer malware that harvests your keychain, browser passwords, wallet files, and API keys.

Prompt injection via message: Someone sends you a crafted Telegram message or email. When the agent reads it, hidden instructions tell it to exfiltrate your exchange API keys or execute shell commands.

Runaway automation loops: A prompt injection or buggy skill causes the agent to make API calls in an infinite loop.

Memory poisoning: Malicious payload injected into agent memory on Day 1, triggers weeks later when conditions align.

Credential harvesting: ~/.openclaw/ stores API keys, bot tokens, OAuth tokens, and conversation history in plaintext files. Any malware that reads these files owns everything.

  2. Phase 1A: Mac Mini Initial Setup

2.1 First boot

Power on your Mac Mini M4. Complete the macOS setup wizard:

  • Create your user account

  • Enable FileVault (full-disk encryption) — this is critical

  • Connect to Wi-Fi

  • Skip iCloud if this is a dedicated OpenClaw machine (recommended)

  • Install macOS updates — run System Settings → General → Software Update

2.2 System security settings

Open System Settings → Privacy & Security:

  • Firewall: Turn ON

  • Allow applications downloaded from: "App Store and identified developers"

2.3 Open Terminal

Open Terminal.app (Applications → Utilities → Terminal, or Spotlight: ⌘+Space → type "Terminal").

All commands below are run in Terminal.

2.4 Install Xcode Command Line Tools

A popup appears. Click "Install". Wait for it to complete (a few minutes).

2.5 Install Homebrew

Follow the on-screen instructions. At the end, it will tell you to run two commands to add Homebrew to your PATH. Run those commands. They look like:

Verify:

2.6 Install Node.js 22+

Verify:

If node --version doesn't work, link it:

2.7 Install Git (if not already present)

2.8 Install Docker Desktop (needed for sandbox later)

Open Docker Desktop from Applications. Complete the setup. It needs to be running for sandboxing to work.

  3. Phase 1B: Install OpenClaw

3.1 Run the official installer

The installer will:

  • Detect Node.js

  • Install the OpenClaw CLI globally via npm

  • Launch the onboarding wizard automatically

3.2 Verify version (CRITICAL)

Must be 2026.2.9 or higher. If it's lower than 2026.1.29, you are vulnerable to CVE-2026-25253 (1-click RCE). Update immediately:

3.3 Verify installation health

Fix anything it flags before proceeding.

  4. Phase 1C: Onboarding Wizard

The onboarding wizard (openclaw onboard) will walk you through configuration. Here's what to choose at each step:

4.1 Authentication

You need two API keys — one for each provider:

A) Moonshot AI API key (for Kimi K2.5 — primary model):

  1. Go to https://platform.moonshot.ai and create an account

  2. Navigate to the Console and create an API key

  3. Add credit ($5–10 to start is plenty)

  4. Save the key securely

B) Anthropic API key (for Claude Sonnet 4.5 — fallback model):

  1. Go to https://console.anthropic.com/

  2. Navigate to API Keys and generate a key

  3. Add credit ($5–10 to start)

  4. Save the key securely

When the onboarding wizard prompts for auth/model provider:

  • Choose Moonshot AI Kimi K2.5

  • Then choose kimi api key (.ai) (the international endpoint)

  • Paste your Moonshot API key when prompted

  • We'll add Anthropic as fallback after onboarding finishes

4.2 Gateway settings

  • Gateway mode: local (this is the default, keep it)

  • Gateway bind: 127.0.0.1 (localhost only — never 0.0.0.0)

  • Port: 18789 (default is fine)

  • Auth password: SET ONE. The wizard may prompt you. If not, set it immediately after:

Use a long random password (20+ characters). Store it in a password manager.

4.3 Model selection

The onboarding wizard handles Kimi K2.5 setup directly. When prompted:

  • Select Moonshot AI Kimi K2.5

  • Select kimi api key (.ai)

  • Paste your Moonshot API key

The wizard will configure Kimi K2.5 as your primary model automatically.

4.3.1 Add Claude Sonnet 4.5 as fallback (AFTER onboarding completes)

Once onboarding finishes, add Anthropic as a fallback provider so OpenClaw switches to Sonnet automatically if Kimi is rate-limited or down.

Step 1: Add your Anthropic API key:

Step 2: Add Sonnet as fallback + register alias:

Step 3: Verify the configuration:

You should see:

  • Primary: moonshotai/kimi-k2.5

  • Fallback 1: anthropic/claude-sonnet-4-5

Step 4: Restart:

Manual model switching in Telegram:

You can switch models mid-conversation:

4.3.2 Cost comparison (why this setup saves money)

Estimated monthly cost: $5–20/month (down from $50–150 with Opus 4.6)

  5. Phase 1D: Connect Telegram

5.1 Create your Telegram bot

  1. Open Telegram on your phone

  2. Search for @BotFather (verify the blue checkmark — it's the official bot)

  3. Send /newbot

  4. Follow prompts:

     • Give it a name (e.g., "My OpenClaw Assistant")

     • Give it a username ending in bot (e.g., myopenclaw_bot)

  5. BotFather gives you a token — copy it and save it securely

  6. Optional but recommended BotFather settings:

     • Send /setjoingroups → choose your bot → select "Disable" (prevents adding to random groups)

     • Send /setprivacy → choose your bot → select "Enable" (limits what bot sees in groups)

5.2 Configure Telegram in OpenClaw

Key settings explained:

  • dmPolicy: "pairing" — strangers can't just message your bot. They get a pairing code you must approve.

  • configWrites: false — prevents anyone from changing your config through Telegram messages.

5.3 Disable group chat (security)

You don't want random groups triggering your agent.

5.4 Restart the gateway

5.5 Pair your Telegram account

  1. Open Telegram on your phone

  2. Search for your bot's username (e.g., @myopenclaw_bot)

  3. Send it any message (e.g., "hello")

  4. You'll receive a pairing code

  5. Approve it:

Or approve via the Control UI.

  6. Phase 1E: Test Basic Conversation

Send a message to your bot on Telegram:

If you get a coherent response identifying itself as Kimi K2.5, Phase 1 is complete.

If the response comes from Claude Sonnet instead, check your model routing — Kimi may be misconfigured or down. Run openclaw models status to debug.

Verify in the Control UI that the session appears and messages are logged.

  7. Phase 2A: Security Hardening

7.1 Run the security audit

Read every finding. Fix everything it flags. Common fixes:

7.2 Run the auto-fix

This tightens safe defaults and fixes file permissions.

7.3 Verify after fix

Should show no critical findings.

  8. Phase 2B: Docker Sandbox

The sandbox runs the agent's tool execution (shell commands, file operations) inside Docker containers. This limits the blast radius if the agent is tricked into doing something malicious.

8.1 Make sure Docker is running

Open Docker Desktop if it's not running. Verify:

8.2 Build the sandbox image

If the above doesn't work (script path varies by install method), set sandbox mode and OpenClaw will auto-create containers:

8.3 Enable sandboxing

Settings explained:

  • mode: "all" — ALL sessions run in Docker, including your main DM session

  • scope: "session" — each session gets its own isolated container

  • workspaceAccess: "ro" — agent can READ the workspace but not WRITE to it from sandbox

8.4 Network isolation for sandbox

network: "none" means sandbox containers have NO internet access. This is the safest option. The agent can still use OpenClaw's built-in web tools (those run on the gateway, not in the sandbox).

8.5 Resource limits

8.6 Restart and verify

The explain command shows you exactly what's sandboxed and what's not.

  9. Phase 2C: Tool Policy Lockdown

Tool policy controls WHICH tools the agent can use. Even inside the sandbox, you want to restrict what's available.

9.1 Deny dangerous tools

This blocks:

  • browser — prevents the agent from browsing the web autonomously (prompt injection risk from web content)

  • exec — prevents shell command execution

  • process — prevents background process management

  • apply_patch — prevents file patching

  • write / edit — prevents file system modifications

9.2 What remains allowed

With the above deny list, the agent can still:

  • Chat with you (core function)

  • Read files (read-only access)

  • Use web_search and web_fetch (built-in, not browser automation)

  • Use sessions tools

  • Use memory tools

9.3 Gradually enable tools as needed

Once you're comfortable, you can selectively re-enable tools:

Remember: deny wins over allow. Remove a tool from deny before adding it to allow.

9.4 Disable elevated mode

Elevated mode lets the agent escape the sandbox and run on the host. Disable it:

  10. Phase 2D: SOUL.md — Agent Identity & Boundaries

SOUL.md defines your agent's personality, knowledge, and hard boundaries. This is injected into every conversation as a system prompt.

10.1 Create your SOUL.md

10.2 Verify SOUL.md is loaded

Send a message to your bot on Telegram:

The response should reflect the SOUL.md rules.

10.3 Multi-model security note

⚠️ Important: Your SOUL.md boundaries are your primary defense against prompt injection. With Kimi K2.5 as your default model, the SOUL.md is even more critical than with Claude, because:

  • Anthropic models are specifically trained to resist prompt injection and follow system instructions over user/content instructions. This is a core safety investment Anthropic makes.

  • Kimi K2.5 is optimized for agentic performance and benchmarks. Its adversarial robustness against prompt injection is less publicly tested and documented.

  • Your mitigation: The tool policy lockdown (Phase 2C) and Docker sandbox (Phase 2B) provide defense-in-depth. Even if the model follows a malicious instruction, the locked tools and sandbox limit what damage can actually occur.

If you ever notice the agent behaving unexpectedly — following instructions from content it's reading, attempting tool calls it shouldn't, or responding as if it has different instructions — immediately send /new to reset the session and investigate the session logs.

  11. Phase 2E: Tailscale Remote Access

Tailscale creates a private VPN mesh. You'll use it to access your Mac Mini's Control UI from your iPhone or personal Mac without exposing any ports to the internet.

11.1 Install Tailscale

Open Tailscale from Applications. Log in or create an account.

11.2 Install Tailscale on your iPhone

Download "Tailscale" from the App Store. Log in with the same account.

11.3 Verify mesh connectivity

On your Mac Mini:

You should see both your Mac Mini and iPhone listed with Tailscale IPs (100.x.x.x).

11.4 Access Control UI remotely

From your iPhone's browser (connected to Tailscale), navigate to:

Replace 100.x.x.x with your Mac Mini's Tailscale IP. If the gateway auth password is set, you'll need to enter it.

Note: The gateway binds to 127.0.0.1, so Tailscale access requires the gateway to also listen on the Tailscale interface. You may need to adjust:

Tailscale traffic to localhost should work if Tailscale is properly configured. If not, you can bind to your Tailscale IP specifically — but never bind to 0.0.0.0.

  12. Phase 2F: API Spending Limits

12.1 Set limits on Moonshot Platform (primary — Kimi K2.5)

  1. Go to https://platform.moonshot.ai → Console

  2. Moonshot uses prepaid credits — recharge to add balance

  3. Recommended: Load $5–10 initially, do NOT auto-reload

  4. Check your tier limits — Tier 1 ($10 recharged) gives 50 concurrent requests / 200 RPM

  5. Moonshot stops serving requests when credits run out (natural spending cap)

Tip: Because Moonshot is prepaid, you physically can't overspend. This is actually safer than Anthropic's post-paid billing for cost control.

12.2 Set limits on Anthropic Console (fallback — Sonnet 4.5)

  1. Go to https://console.anthropic.com/

  2. Navigate to Settings → Plans & Billing → Spending Limits

  3. Set a monthly limit and a daily limit

  4. Recommended starting limits:

     • Daily: $5/day

     • Monthly: $50/month

  5. Set up email alerts at 50% and 80% of limits

12.3 Monitor usage across both providers

Also check both dashboards regularly:

  • Moonshot: https://platform.moonshot.ai (Console → Usage)

  • Anthropic: https://console.anthropic.com/ (Usage tab)

  13. Phase 2G: File Permissions

OpenClaw stores sensitive data in plaintext. Lock down the directory:

All files should show rwx------ (owner only) or rw-------.
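The guide's own chmod commands are not reproduced above, so here is an added audit script (not from the original article or the OpenClaw project) that checks the owner-only rule. It walks a directory, reports every entry whose mode grants any permission to group or others, and can clear those bits in a dry-run-first manner. The `~/.openclaw` default path comes from the threat model section; the sample tree it builds is constructed for the demonstration.

```python
"""Audit a directory tree for files readable or writable by group/others.

Added example, not part of the original guide: the rule is that everything
under the OpenClaw data directory should be rwx------ or rw-------. This walks
the tree and reports anything that grants group/other permission bits, then
optionally tightens them (dry run by default so the operator reviews first).
"""
import os
import stat
import tempfile
from pathlib import Path

# Any of these bits set means the entry is not owner-only (0o077).
_GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def _walk_entries(root):
    """Yield root and every directory/file beneath it; symlinks are not followed."""
    root = Path(root)
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield Path(dirpath) / name


def audit_permissions(root):
    """Return sorted (relative_path, octal_mode) for entries with group/other bits.

    Symlinks are skipped: their own mode bits are not meaningful, and chmod on
    a link would act on its target, which may live outside the tree.
    """
    root = Path(root)
    findings = []
    for path in _walk_entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & _GROUP_OTHER_BITS:
            findings.append((str(path.relative_to(root)), oct(mode)))
    return sorted(findings)


def tighten_permissions(root, dry_run=True):
    """Clear group/other bits on root and everything beneath it.

    Returns (path, old_mode, new_mode) for each entry that would change.
    Nothing is modified unless dry_run=False.
    """
    changes = []
    for path in _walk_entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        new_mode = mode & ~_GROUP_OTHER_BITS
        if new_mode != mode:
            changes.append((str(path), oct(mode), oct(new_mode)))
            if not dry_run:
                os.chmod(path, new_mode)
    return changes


def make_sample_tree():
    """Build a constructed OpenClaw-like data directory in a temp dir (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="openclaw-perm-demo-"))  # mkdtemp uses 0o700
    (root / "credentials").mkdir()
    os.chmod(root / "credentials", 0o700)
    sample_files = {
        "openclaw.json": 0o644,               # world-readable config: a finding
        "credentials/telegram.token": 0o600,  # owner-only: fine
        "sessions.log": 0o664,                # group-writable log: a finding
    }
    for rel, mode in sample_files.items():
        target = root / rel
        target.write_text("sample\n")
        os.chmod(target, mode)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.openclaw")
    for rel, mode in audit_permissions(target):
        print(f"{mode}  {rel}")
```

Run it against the real directory to get a list before touching anything; the dry run returns the exact chmod it would apply, which is what you want to compare against the rwx------ / rw------- expectation stated above.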

  14. Phase 2H: LaunchAgent (24/7 Operation)

If the onboarding wizard installed the daemon, the gateway is already set to start on boot. Verify:

14.1 Check LaunchAgent

You should see something like bot.molt.gateway.plist.

14.2 Verify it runs on boot

14.3 Prevent sleep (optional)

If you want the Mac Mini to never sleep (recommended for 24/7 operation):

System Settings → Energy → Prevent automatic sleeping when the display is off → Turn ON

14.4 Test restart

Reboot the Mac Mini:

After reboot, verify:

Send a test message from Telegram to confirm it's working.

  15. Phase 3: Matrix Migration

Matrix provides E2E encrypted messaging, meaning even the server operator can't read your messages.

15.1 Prerequisites

You need a Matrix account and homeserver. Options:

  • matrix.org (free, public) — easiest but less private (public homeserver)

  • Self-hosted Synapse — most private, most complex

  • Element One (paid, hosted by Element) — good middle ground

15.2 Install the Matrix plugin

15.3 Configure Matrix

15.4 Enable E2E encryption

The Matrix plugin should support E2E encryption. Verify with:

Check that the Matrix channel shows encryption status.

15.5 Migrate primary communication

Once Matrix is working:

  1. Test with basic conversation

  2. Gradually shift your primary agent communication to Matrix

  3. Consider disabling Telegram once Matrix is stable:

  16. Maintenance & Updates

16.1 Regular security audits

Run weekly:

16.2 Check for exposed instances

Verify your gateway is not publicly accessible:
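The check the guide has in mind is a bind-address check: the gateway should listen on 127.0.0.1 (or a Tailscale 100.x address), never on 0.0.0.0. Below is an added script (not from the original article or the OpenClaw project) that parses `lsof -nP -iTCP -sTCP:LISTEN` output and flags any listener on port 18789 bound to a wildcard or to a LAN address. The `lsof` output it ships with is constructed for the demonstration; the 18789 default and the 100.x Tailscale range come from the guide, and the CGNAT block 100.64.0.0/10 is the range Tailscale allocates from.

```python
"""Flag gateway listeners that are reachable beyond localhost or the tailnet.

Added example, not part of the original guide. Classifies every LISTEN socket
from `lsof -nP -iTCP -sTCP:LISTEN` and returns the ones on the gateway port
that are bound to a wildcard or to a non-loopback, non-Tailscale address.
"""
import ipaddress
import re
import subprocess

GATEWAY_PORT = 18789  # OpenClaw default port from the guide

# Tailscale hands out addresses from the CGNAT block 100.64.0.0/10.
_TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")
_WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}

# NAME column of lsof for a listening TCP socket: host:port then "(LISTEN)".
_LISTEN_RE = re.compile(r"(?P<host>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$")

# Constructed sample: one healthy loopback pair, one wildcard bind, one LAN bind,
# and an unrelated sshd on a Tailscale address.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node    41237  bot   23u  IPv4 0xabc      0t0  TCP 127.0.0.1:18789 (LISTEN)
node    41237  bot   24u  IPv6 0xabd      0t0  TCP [::1]:18789 (LISTEN)
python   9921  bot    5u  IPv4 0xabe      0t0  TCP *:18789 (LISTEN)
sshd      312 root    3u  IPv4 0xabf      0t0  TCP 100.101.102.103:22 (LISTEN)
node    41237  bot   25u  IPv4 0xac0      0t0  TCP 192.168.1.20:18789 (LISTEN)
"""


def classify_host(host):
    """Return 'wildcard', 'loopback', 'tailscale' or 'other' for a bind host."""
    if host in _WILDCARDS:
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "other"  # hostnames and anything unparseable are treated as exposed
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4 and addr in _TAILSCALE_NET:
        return "tailscale"
    return "other"


def parse_listeners(lsof_output):
    """Return (host, port, classification) for every LISTEN line."""
    listeners = []
    for line in lsof_output.splitlines():
        match = _LISTEN_RE.search(line)
        if match:
            host, port = match.group("host"), int(match.group("port"))
            listeners.append((host, port, classify_host(host)))
    return listeners


def exposed_listeners(lsof_output, port=GATEWAY_PORT):
    """Listeners on `port` that are neither loopback nor Tailscale.

    A wildcard bind is reported even when the macOS firewall is on: the rule in
    this guide is about the bind itself, not about current reachability.
    """
    return [(host, p, kind) for host, p, kind in parse_listeners(lsof_output)
            if p == port and kind in ("wildcard", "other")]


if __name__ == "__main__":
    try:
        live = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                              capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        live = ""
    for host, port, kind in exposed_listeners(live or SAMPLE_LSOF):
        print(f"EXPOSED: {host}:{port} ({kind})")
```

An empty result is the pass condition. Anything it prints is a bind you did not intend, and the fix is the gateway bind setting from Phase 1C, not a firewall rule.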

16.3 Rotate credentials

Every 3 months:

  1. Rotate your Moonshot API key (generate new on platform.moonshot.ai → update config → delete old)

  2. Rotate your Anthropic API key (generate new → update config → revoke old)

  3. Rotate your Telegram bot token (via @BotFather /revoke → update config)

  4. Rotate your gateway auth password

  5. Rotate exchange API keys

16.4 Monitor API usage

If you see unexpected spikes, investigate immediately — could be a runaway loop or compromised agent.
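The "runaway loop" signature is a single session firing requests far faster than a human conversation does. Here is an added detector (not from the original article or the OpenClaw project) that runs over a list of per-request usage records and flags sessions whose count inside a sliding 60-second window exceeds a ceiling, together with a per-session token summary. The record layout and the sample sessions are constructed for the demonstration; the model name is the one the guide configures as primary.

```python
"""Spot runaway-loop signatures in API usage records.

Added example, not part of the original guide. A normal DM session produces a
few requests per minute at most; a loop that re-triggers itself produces dozens.
detect_runaway_sessions() flags sessions whose request count within any sliding
window exceeds max_per_window, reporting the peak count and when the threshold
was first crossed, so the operator can send /new or cut the key for that session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _build_sample_usage():
    """Constructed records: (timestamp, session_id, model, in_tokens, out_tokens).

    'dm-alice' is a normal chat: 8 requests, two minutes apart.
    'cron-digest' fires 60 requests 1.5 s apart, the shape of a runaway loop.
    """
    base = datetime(2026, 2, 12, 9, 0, 0)
    records = []
    for i in range(8):
        records.append((base + timedelta(minutes=2 * i), "dm-alice",
                        "moonshotai/kimi-k2.5", 1200, 300))
    loop_start = base + timedelta(minutes=30)
    for i in range(60):
        records.append((loop_start + timedelta(seconds=1.5 * i), "cron-digest",
                        "moonshotai/kimi-k2.5", 4000, 800))
    return records


SAMPLE_USAGE = _build_sample_usage()


def detect_runaway_sessions(records, window=timedelta(seconds=60), max_per_window=20):
    """Return {session_id: (peak_count_in_window, first_time_exceeded)}.

    Records may arrive unsorted; they are processed in timestamp order. For each
    session a deque holds the timestamps inside the trailing window.
    """
    by_session = defaultdict(deque)
    flagged = {}
    for ts, session, *_ in sorted(records, key=lambda r: r[0]):
        recent = by_session[session]
        recent.append(ts)
        while ts - recent[0] > window:  # drop timestamps that fell out of the window
            recent.popleft()
        if len(recent) > max_per_window:
            peak, first = flagged.get(session, (0, ts))
            flagged[session] = (max(peak, len(recent)), first)
    return flagged


def summarize_sessions(records):
    """Return {session_id: (request_count, total_tokens)} for a usage dump."""
    summary = defaultdict(lambda: [0, 0])
    for _ts, session, _model, in_tok, out_tok in records:
        summary[session][0] += 1
        summary[session][1] += in_tok + out_tok
    return {session: tuple(counts) for session, counts in summary.items()}


if __name__ == "__main__":
    for session, (peak, first) in detect_runaway_sessions(SAMPLE_USAGE).items():
        print(f"RUNAWAY? {session}: {peak} requests/60s, first crossed at {first.isoformat()}")
    for session, (count, tokens) in summarize_sessions(SAMPLE_USAGE).items():
        print(f"{session}: {count} requests, {tokens} tokens")
```

The ceiling of 20 requests per minute is a starting point, not a measured number; tune it against a week of your own logs, and pair the detector with the prepaid credit cap above so a loop that slips past it still runs out of balance rather than money.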

  17. Emergency Procedures

If you suspect compromise

If API bill is unexpectedly high

If agent behaves erratically

  • OpenClaw Security Docs: https://docs.openclaw.ai/gateway/security

  • GitHub Security Advisories: https://github.com/openclaw/openclaw/security

  • Koi Security's Clawdex (skill scanner): https://clawdex.koi.security (use web version to check skills before considering any install)

  • VirusTotal Blog on OpenClaw: https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html

Thanks for reading, happy to get any feedback on this.

Link: http://x.com/i/article/2021589783143710720

📋 Discussion archive

Discussion in progress…