McEachen & Co.
How to Think About Ops

How to Set Up OpenClaw on a Dedicated Mac Mini (And Why You Should)

I'm not a security expert. I'm a technology-curious operator who spent a weekend setting up an open-source AI agent and tried to be thoughtful about it. This is the guide I wish I'd had.


Most guides for setting up AI agents start at “run the install command.” Nobody talks about the decisions you need to make before that. What machine do you run it on? What accounts do you use? How do you keep a powerful AI agent from having the keys to your entire digital life?

I spent a weekend setting up OpenClaw on a dedicated Mac Mini, trying to be thoughtful about what I gave it access to. I’m not a security professional. I’m someone who builds and scales operations for a living and applies the same thinking to technology: what’s the risk, what’s the blast radius, and what’s the simplest way to contain it?

This is what I learned.

What Is OpenClaw, and Why Should You Care?

OpenClaw is an open-source, self-hosted AI agent that lives in your messaging apps. You text it like you’d text a friend, and it texts back. Between conversations, it can search the web, manage email, draft content, run shell commands, and automate workflows on your behalf.

It connects to Telegram, WhatsApp, Discord, iMessage, Slack, and more. The agent runs locally on your machine, powered by LLMs like Claude via API. Everything stays on your hardware.

Think of it as a chief of staff that never sleeps. If you’ve typed a question into Claude or ChatGPT, you know what a conversation with an AI feels like. OpenClaw moves that conversation out of the browser and into your messaging apps. And instead of just answering questions, it can actually do things on your computer: search the web, send emails, manage files, run commands. That’s the leap from chatbot to agent.

The “runs locally” part is both the appeal and the risk. OpenClaw gets shell access to whatever machine it’s running on. That’s the feature. It’s also the reason I didn’t want it anywhere near my primary computer.

Why a Dedicated Machine Matters

You could run OpenClaw on your everyday laptop. I wouldn’t.

If the agent gets a bad instruction (from a chat message, from a website it’s browsing, from a misinterpreted command), you want the blast radius limited to a machine that doesn’t hold your personal files, passwords, and work data.

A Mac Mini is perfect for this. It’s small and quiet enough to leave plugged in 24/7. Apple Silicon is power-efficient for always-on operation. macOS gives you a clean user permission model to isolate the agent. And you can pick one up for $599+.

The rule I set for myself: never run OpenClaw on your primary work machine.

The Setup: Two Users, One Machine

Before installing anything, I created two user accounts on the Mac Mini.

The first is my admin account. It’s used only for installing system-level software like Homebrew and Node.js. OpenClaw never runs under this account.

The second is a standard Openclaw account. This is where OpenClaw lives. It has no admin privileges. I set it up with its own Gmail and its own Apple ID, completely separate from my personal accounts.

The key decision: The Openclaw account is a standard user, not an administrator. It can’t install system-level software, can’t modify other users’ files, and can’t escalate privileges without the admin password.

It’s the same principle you’d apply to a new hire: you wouldn’t hand them your personal email password and admin access to every system on day one.

One more thing before you install anything: lock down your admin account’s home directory. Run this from your admin account:

chmod 700 /Users/yourusername

This ensures that the Openclaw user can’t read any files in your personal home folder. I didn’t do this until after I had OpenClaw running, and I discovered that macOS doesn’t always isolate user files the way you’d expect. Do it now, before anything else. It costs nothing and closes gaps you might not even know exist.

Installing the Dependencies

The admin account handles two things: Homebrew and Node.js. Log in, open Terminal, and run:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Then add Homebrew to your PATH (Apple Silicon Macs):

echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv)"

Install Node.js:

brew install node

Verify the version before moving on. OpenClaw requires Node 22 or newer, and this is a hard requirement. If you see anything older, you’ll get confusing failures later.

node --version

You should see v22.x.x or higher. That’s all the admin account needs to do. Log out.

Configuring the Agent’s Environment

Switch to the Openclaw account. Homebrew installed Node.js to /opt/homebrew/, which any user can run, but the Openclaw account’s shell doesn’t know where to find it yet:

echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zprofile
source ~/.zprofile

Next, set up a local npm directory so Openclaw can install packages without ever needing admin access:

mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.zprofile
source ~/.zprofile

Then install OpenClaw:

npm install -g openclaw@latest

(The official docs recommend a one-liner: curl -fsSL https://openclaw.ai/install.sh | bash. That works fine on a single-user machine. I went the manual route because I wanted to control exactly what got installed where, especially across two user accounts.)

One more note: if you’re searching for help online, you’ll find tutorials referencing “Clawdbot” or “Moltbot.” That’s the same project. It was renamed to OpenClaw in late January 2026, but older guides and some config directories still use the old names.

The Onboarding Wizard

Run openclaw onboard and choose QuickStart mode. The wizard walks you through three decisions.

AI provider. I chose Anthropic (Claude) with an API key. You’ll need to create an account at console.anthropic.com, generate an API key, and add credits. Start small ($10 to $20) while you’re experimenting. Set usage limits to avoid surprises.

Here’s something I wish I’d known earlier: there’s also an option to authenticate with a token that connects to your existing Claude subscription. After I got the bot running on the API key, I switched to my Claude Max subscription and it worked. If you’re already paying for Claude Max, this saves you the per-token API costs.

Messaging channel. OpenClaw supports Telegram, WhatsApp, Discord, iMessage, Slack, Google Chat, Microsoft Teams, and more. You can add multiple channels later, so this isn’t a permanent decision. I started with Telegram because it’s the easiest to configure (about 60 seconds) and most tutorials use it, which makes troubleshooting simpler. Search for @BotFather on Telegram, send /newbot, choose a name and username, and paste the token into the wizard.

One step the wizard doesn’t explain well: after the bot is created, you need to pair it. Open Telegram, find the bot you just created, and send it any message. You’ll get back a pairing code. Go back to your terminal and approve it. Until you do this, the bot won’t respond.

Here’s what caught me initially: you message the bot from your personal Telegram account. The bot is OpenClaw’s side of the conversation. You’re the one texting the agent and getting responses back. The user isolation is already built into the architecture.

Skills and extras. Say yes to configuring skills (these are the tools OpenClaw uses for email, file access, web browsing). I also enabled session memory, which lets the agent remember context across conversations. This is what makes it feel like a persistent assistant rather than a chatbot that resets every time.

A word of caution on skills: OpenClaw has a community marketplace called ClawHub with thousands of third-party skills. Earlier this year, a campaign called “ClawHavoc” identified over 300 malicious skills that had been uploaded there. Stick to the built-in skills during initial setup. If you install anything from ClawHub later, check the author, the install count, and ideally skim the source code before you run it.

Verify It’s Working

Before moving on, confirm the gateway is actually running:

openclaw gateway status

You should see a status of “running” or “active.” If not, check the logs. Most problems at this stage come down to a missing or invalid API key.

You can also open the Control UI, OpenClaw’s local web dashboard, by running openclaw dashboard or visiting http://127.0.0.1:18789/ in a browser. This gives you a visual overview of connected channels, active skills, and recent conversations. It’s useful for troubleshooting, but more importantly, it’s something you’ll want to lock down (more on that in the next section).

Hardening

With the agent running, a few more steps to tighten things up.

Enable consent mode so the agent asks before executing commands. In your OpenClaw config, set exec.ask: "on". This is the single most important safety setting. Without it, the agent will execute shell commands without asking you first.

Install the daemon to keep OpenClaw running after reboots:

openclaw --install-daemon

Run a health check with openclaw doctor to catch any remaining misconfigurations.

And some general hygiene: treat ~/.openclaw like a password vault (it stores your API keys and config). Never commit it to GitHub, include it in screenshots, or share it. Keep the Control UI on localhost only; even though the agent connects outbound through Telegram, the local dashboard should never be exposed to the public internet. And start with low-risk integrations before connecting sensitive accounts.
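The isolation decisions in this guide (a standard account, a chmod 700 admin home directory, a private ~/.openclaw, a localhost-only Control UI on port 18789) can be checked from the Openclaw account with a short script. This is an added example, not part of OpenClaw or the original setup; the function names are made up for illustration, and requiring ~/.openclaw to be owner-only is an assumption about what “password vault” should mean on disk.

```shell
#!/bin/sh
# Added example: isolation audit, run from the agent's standard account.
# Paths and port 18789 come from the guide; function names are illustrative.

# Print the group+other permission bits of a path ("------" for mode 700).
group_other_bits() {
    ls -ld "$1" 2>/dev/null | cut -c5-10
}

# Succeed only if nobody but the owner has any access to the path.
# A missing path also fails, so a typo does not pass silently.
owner_only() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Succeed if a space-separated group list (as printed by `id -Gn`) contains
# "admin", the macOS group that grants administrator rights.
has_admin_group() {
    case " $1 " in *" admin "*) return 0 ;; esac
    return 1
}

# Read `lsof -nP -iTCP:<port> -sTCP:LISTEN` output on stdin and print every
# listening address that is not loopback. No output means localhost only.
# Constructed sample of a line that would be reported:
#   node 4242 openclaw 23u IPv4 0xabc 0t0 TCP *:18789 (LISTEN)
exposed_listeners() {
    awk '$NF == "(LISTEN)" && $(NF-1) !~ /^(127\.|\[::1\])/ { print $(NF-1) }'
}

audit() {
    admin_home=$1; rc=0
    owner_only "$admin_home"     || { echo "FAIL: $admin_home is open to other users"; rc=1; }
    # Assumption: the config directory should be owner-only as well.
    owner_only "$HOME/.openclaw" || { echo "FAIL: ~/.openclaw is not owner-only"; rc=1; }
    has_admin_group "$(id -Gn)"  && { echo "FAIL: $(id -un) is an administrator"; rc=1; }
    open=$(lsof -nP -iTCP:18789 -sTCP:LISTEN 2>/dev/null | exposed_listeners)
    [ -z "$open" ] || { echo "FAIL: Control UI is listening on $open"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: isolation checks passed"
    return "$rc"
}

# Usage: sh audit.sh /Users/yourusername
if [ "$#" -ge 1 ]; then audit "$1"; fi
```

Run it again after any OpenClaw upgrade or config change; each FAIL line names the setting to revisit.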

What I’d Do Differently

If I were doing this again, three things.

First, I’d lock down my home directory permissions before installing OpenClaw, not after. I wrote a separate piece about the macOS file permission gap I discovered after my agent was already running. The short version: macOS doesn’t always isolate user files the way you’d assume. Run chmod 700 on your home directory before you start. (I’ve updated the setup instructions in this guide to reflect that.)

Second, I’d skip the API key route entirely and start with the Claude subscription token if you already have Claude Max. It works, and it simplifies the cost model significantly.

Third, I’d add Brave Search from the start. For $5/month (with $5 in monthly credit, so effectively free under 1,000 searches), it gives the agent the ability to look things up on the web in real time. That capability changes the agent from “helpful assistant” to something much closer to a real research partner.

The Bigger Picture

Setting up an AI agent isn’t hard. The technical steps are well-documented. What’s missing from most guides is the thinking that should happen before you type the first command.

What machine does it run on? What can it access? What happens if it gets a bad instruction? These aren’t paranoid questions. They’re the same questions you’d ask before giving any new team member access to your systems.

The tools are powerful. The defaults aren’t always safe. And figuring out the gap between “working” and “properly locked down” took me longer than I expected, even with a setup this simple. I’m sure I missed things. But I learned a lot by trying, and that’s worth sharing.

This is the first in a series about setting up AI tools as a non-technical person who’s trying to be careful about it. If you found this useful, subscribe for future guides on configuring skills, adding messaging channels, and building custom workflows.