Setting up OpenClaw on a Mac in 2026, the safer way

You will want four things in front of you before you run a single command. First, **Node.js 24** (recommended) or 22 LTS at version 22.14 or higher — the gateway will refuse to start on older Node and the error message is unhelpful. Run `node --version` in Terminal to check; if you do not have it, install via Homebrew (`brew install node@24`) or grab the official installer from nodejs.org. Second, **an API key** from at least one model provider. OpenAI, Anthropic, and Google are the supported defaults. You will paste this key into the wizard later. Third, **a free port on your machine** — OpenClaw's gateway listens on 4123 by default. If you have something else on 4123 (rare), the wizard will offer to pick another port. Fourth, **about ten minutes of uninterrupted time**. The wizard does some npm installs in the background and you do not want to interrupt them.

A gotcha worth flagging up front: do not run the install with `sudo`. OpenClaw is meant to run as your normal user, and the wizard will refuse `sudo` and tell you to retry without it. This is correct behavior; do not work around it.

Open Terminal and run a single command:

npx -y @openclaw/cli onboard --install-daemon

The wizard will walk you through five questions: a workspace path (just accept the default `~/openclaw` unless you have a reason not to), a model provider (pick whichever you have a key for), the API key itself (pasted, not typed), a default channel (Menubar is the easiest first answer), and whether to install the launchd daemon so OpenClaw starts when you log in (yes, install it). The whole sequence usually takes three to four minutes. When it finishes, the wizard prints two URLs: the local Control UI at `http://localhost:4123` and the menubar icon you should now see at the top of your screen.

If the menubar icon does not appear, the most common cause is that you skipped the daemon install — re-run the wizard with `--install-daemon` and answer yes this time. If the Control UI loads but the menubar icon never shows up, you are on a Mac with the menubar hidden in fullscreen apps; switch to a non-fullscreen window and the icon will appear.

Click the menubar icon and pick "Open Control UI" from the menu — or just visit `http://localhost:4123` in your browser. You should see the OpenClaw dashboard with your workspace path, your model provider, and an empty Skills tab. Type a quick "hello" into the chat at the top of the page. The agent should respond within a few seconds. If it does, the install is good and you can move on. If you see an authentication error, the API key is wrong; click the Settings cog and re-paste it.

A gotcha worth catching now: **upgrade to OpenClaw 2026.3.11 or later before installing any skills.** The wizard pulls the latest stable, but if you are reading this guide on a slow morning and Homebrew cached an older version, you may be on a release with CVE-2026-25253 still unpatched. Click the Settings → About panel; the version is listed there. If it starts with anything below 2026.3.11, run `npx -y @openclaw/cli update` and restart the daemon (`launchctl kickstart -k gui/$(id -u)/com.openclaw.gateway`). Then come back.

ClawHub had over 13,000 published skills as of late February. Roughly six percent of those were flagged malicious in the most recent audit; the rate is dropping but the absolute count is rising. You do not want to install skills the way you install npm packages — "oh this looks useful, npm install" is the install pattern that got 300,000 OpenClaw users phished. Use these rules instead.

**Rule one: only install skills from verified publishers.** ClawHub shows a small green checkmark next to publisher names that have completed identity verification. The percentage is small — under twenty percent of published skills, last I counted — but those are the skills you can install with reasonable confidence. The unverified eighty percent is where ClawHavoc lived; treat them as adversarial input until you have audited the SKILL.md by hand.

**Rule two: never accept the wizard's offer to install skill pre-requisites automatically.** This is the AMOS vector. When you install a skill that declares a system-level dependency, OpenClaw asks if you want it to run the dependency's install script. The default is "yes" and it should be "never." Run `openclaw config set skills.autoinstallPrereqs false` once and never think about it again.

**Rule three: read the SKILL.md before installing.** Each ClawHub skill is a folder; the entry-point file is SKILL.md, and it is plain text. You can read the entire thing in under a minute. What you are looking for: outbound network calls to domains you do not recognize, instructions that tell the agent to read your environment or filesystem in ways the skill's description did not advertise, and prompt-injection patterns that attempt to override your system prompt. Repello and Koi both publish IoC lists with the canonical malicious patterns; cross-reference if you are unsure.

If you want a working agent today and do not have time to audit fifty skills by hand, install these five. They are all from verified publishers, all have been on ClawHub for over six months without incident, and they cover the operations a first-time OpenClaw user actually wants. **`openclaw-official/email-summary`** reads your inbox and summarizes the morning's mail; the IMAP credentials live only on your machine. **`openclaw-official/calendar-tldr`** does the same for Google Calendar. **`anthropic-official/claude-code-companion`** lets the agent ask Claude Code follow-up questions on your behalf. **`reef-tutorials/web-search-grounded`** is a small skill that wraps DuckDuckGo and stamps citations into responses; it is the safest of the available search skills because it never reads your filesystem. **`molty/menubar-quickfacts`** pulls weather, calendar peek, and unread counts for the menubar idle display.

Install each via `openclaw skills install <publisher>/<name>` from Terminal, or click Add Skill in the Control UI and paste the slug. After each install, click the new skill in the Skills tab and verify the SKILL.md preview matches what you expected. With these five installed and nothing else, you have an agent that does most of what people actually want and zero exposure to the unverified ClawHub long tail.

Three habits will save you from the next ClawHavoc-shaped incident. Adopt them now, before you forget.

**Audit weekly.** Once a week, run `openclaw skills audit`. The command checks your installed skills against the latest IoC feeds from Repello and Koi, lists anything that has been flagged since you installed it, and refuses to silently update a skill whose maintainer changed without re-verification. Pin this to a recurring calendar event; it takes thirty seconds.

**Pin versions.** By default OpenClaw will pull skill updates whenever the publisher pushes a new version. Turn this off with `openclaw config set skills.autoUpdate false`. Read the changelog when you do update, and update one skill at a time — the most common malicious-skill pattern in 2026 is a previously-clean skill whose publisher account got compromised and pushed a poisoned update.

**Watch the OpenClaw security blog.** Subscribe to the RSS feed at openclaw.ai/blog. The maintainers publish security advisories for both core CVEs and skill-side incidents within hours of confirmation. If something happens, you want to hear about it from the source rather than from a tweet six hours later.

The install is the easy part. The thing that makes OpenClaw worth running, instead of dangerous to run, is the maintenance loop you build around it. Set up these three habits the same week you set up the agent. Future you will be glad you did.