The Mac Mini has become the go-to hardware for running OpenClaw. It's quiet, always-on, energy-efficient, and powerful enough to handle everything the agent throws at it. The community has published dozens of setup guides over the past few months, and we've distilled the best advice into a single reference.
This guide takes you from a freshly unboxed Mac Mini to a fully configured, secured OpenClaw instance — with the daemon running, messaging connected, and the right guardrails in place.
Contents
- Prepare the Mac Mini
- Install the Prerequisites
- Install OpenClaw
- Run the Onboarding Wizard
- Harden Security
- Connect Messaging Channels
- Optimize Costs
- Tips from the Community
- Or Skip All of This
Prepare the Mac Mini
When you first boot the Mac Mini, walk through the macOS Setup Assistant with a dedicated email address — not your personal one. Create a local administrator account and keep things single-purpose.
During initial setup:
- Enable FileVault disk encryption. Full-disk encryption means that if someone physically takes the machine, the drive is unreadable without your password.
- Enable the macOS firewall. Go to System Settings > Network > Firewall and turn it on. For maximum protection, enable "Block all incoming connections."
- Disable non-essential services. Turn off Location Services, Siri, Apple Intelligence, and analytics sharing. This machine has one job.
Configure the Mac Mini to stay awake and recover from power outages:
- Open System Settings > Energy
- Enable "Prevent automatic sleeping when the display is off"
- Enable "Wake for network access"
- Enable "Start up automatically after a power failure"
Install the Prerequisites
Open Terminal and install the toolchain OpenClaw needs.
Xcode Command Line Tools:
xcode-select --install
Homebrew:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
After installation, add Homebrew to your shell path:
echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv)"
Verify it's working:
brew --version
Node.js 22+:
brew install node@22
echo 'export PATH="/opt/homebrew/opt/node@22/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
node --version
You should see v22.x.x or higher.
Install OpenClaw
Run the official installer:
curl -fsSL https://openclaw.ai/install.sh | bash
The installer checks for Node.js, drops the OpenClaw CLI globally, and walks you through a risk acknowledgment prompt. Confirm with "Yes" to continue.
Verify the installation:
openclaw --version
Run the Onboarding Wizard
The onboarding wizard is where you configure your model provider, messaging channels, and daemon behavior. Run it with the --install-daemon flag so OpenClaw starts automatically on boot:
openclaw onboard --install-daemon
The wizard walks you through several choices:
Model provider. You'll be asked for your LLM provider and API key. Have your API key ready before you start. Anthropic's Claude models are the most commonly recommended — the project's creator explicitly recommends them for stronger prompt-injection resistance. OpenAI, Gemini, and local models are also supported.
Default model. Pick the model you want for day-to-day conversations. Claude Sonnet 4.5 is a good balance of capability and cost. Avoid defaulting to Opus for everything unless you've budgeted for it.
Messaging channels. Choose which platforms to connect — Telegram, WhatsApp, Discord, or others. You can skip this step and configure channels later.
Skills. The wizard offers to install community skills. Skip this on first setup. Every skill you install expands the agent's permissions surface. Start with zero skills and add them deliberately after you understand what each one does.
Node manager. Select your preferred Node package manager (npm or pnpm).
Once complete, the daemon starts running in the background. Verify everything is healthy:
openclaw gateway status
openclaw status
openclaw health
To open the dashboard in your browser:
openclaw dashboard
Harden Security
This is the step most guides gloss over, and it's the most important one. Stephen Lee's approach of treating security as priority one is the right call — especially since OpenClaw has shell access, file system operations, and browser control.
Create a Dedicated Standard User
Don't run OpenClaw under your admin account. Create a standard (non-admin) user specifically for the agent:
- Go to System Settings > Users & Groups
- Add a new user — select Standard, not Administrator
- Install OpenClaw under this account
A standard user can't install system software, modify system files, or escalate privileges. If the agent is ever compromised, the blast radius is contained.
Lock Down File Permissions
Restrict access to the OpenClaw configuration directory:
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json
find ~/.openclaw/credentials -type d -exec chmod 700 {} +
find ~/.openclaw/credentials -type f -exec chmod 600 {} +
This ensures only your user can read the configuration and credentials. API keys in ~/.openclaw/credentials/ are stored in plaintext — file permissions are the primary protection.
Run the Security Audit
OpenClaw has a built-in security scanner. Run it:
openclaw security audit --deep
The audit catches common misconfigurations like open DM policies and exposed gateways. To have it fix the issues it finds automatically, run:
openclaw security audit --fix
Verify Gateway Binding
Confirm your gateway is listening only on localhost:
openclaw gateway status
Look for bind=loopback (127.0.0.1) in the output. If it says bind=0.0.0.0, your gateway is exposed to the network. Fix it by editing ~/.openclaw/openclaw.json:
{
  "gateway": {
    "bind": "loopback"
  }
}
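The permission and gateway-binding checks above can be re-run as one script after every update or config change. This is an added example, not part of OpenClaw or the original guide; the function name and finding labels are hypothetical, and the bind check is a text match on openclaw.json rather than a JSON parse.

```shell
#!/bin/sh
# Added example: audit an OpenClaw config directory against the guide's settings.
# Usage: audit_openclaw [DIR]    (DIR defaults to ~/.openclaw)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if DIR is missing.

audit_openclaw() {
    root="${1:-$HOME/.openclaw}"
    cfg="$root/openclaw.json"
    if [ ! -d "$root" ]; then
        echo "MISSING $root"
        return 2
    fi

    findings=$(
        # Anything readable, writable or executable by group or others.
        # Each bit is tested separately so the expression works with both
        # BSD find (macOS) and GNU find. Symlinks are skipped: their own
        # mode bits are not what protects the target.
        find "$root" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'LOOSE %s\n' {} \; 2>/dev/null || true

        # Directories missing owner rwx, which is what a recursive
        # chmod -R 600 leaves behind: the owner can no longer enter them.
        find "$root" -type d ! -perm -700 \
            -exec printf 'NOTRAVERSE %s\n' {} \; 2>/dev/null || true

        # A bind key set to anything other than loopback. This is a
        # line-based text match, not a JSON parser.
        if [ -f "$cfg" ] && grep -E '"bind"[[:space:]]*:' "$cfg" |
            grep -Evq '"bind"[[:space:]]*:[[:space:]]*"loopback"'; then
            echo "BIND $cfg"
        fi
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as the dedicated standard user; a clean directory prints nothing and returns 0.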
Stay Updated
CVE-2026-25253 was a critical token exfiltration bug patched in version 2026.1.29. Running anything older leaves you exposed. Check your version regularly:
openclaw --version
And update when new releases are available:
openclaw update
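A version check that can run from a scheduled job, as an added example that is not OpenClaw's own code: it compares a version string against the 2026.1.29 release named above. It assumes the output of openclaw --version contains a dotted numeric version; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag OpenClaw versions older than the CVE-2026-25253 fix.
PATCHED="2026.1.29"   # patched release named in the guide

# version_at_least HAVE WANT: succeed if dotted version HAVE >= WANT.
# Fields are compared as numbers, so 2026.1.3 sorts before 2026.1.29.
version_at_least() {
    have=$1; want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        if [ "${h:-0}" -gt "${w:-0}" ]; then return 0; fi
        if [ "${h:-0}" -lt "${w:-0}" ]; then return 1; fi
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# check_openclaw_version TEXT: TEXT is whatever the version command printed.
# Assumption: the output contains a dotted numeric version somewhere.
check_openclaw_version() {
    found=$(printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1)
    if [ -z "$found" ]; then
        echo "UNKNOWN"
        return 2
    fi
    if version_at_least "$found" "$PATCHED"; then
        echo "OK $found"
        return 0
    fi
    echo "OUTDATED $found (update to $PATCHED or later)"
    return 1
}

# Typical use on the Mac Mini:
#   check_openclaw_version "$(openclaw --version)"
```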
Connect Messaging Channels
With the agent running and secured, connect the platforms you want to use.
Telegram
Telegram is the most popular choice, and supports topic-based organization — you can create a private group with channels like #research, #code, and #content to keep conversations scoped by subject.
openclaw configure --section messaging
Follow the prompts to enter your Telegram bot token (from @BotFather).
Discord
For Discord, you'll need a bot token from the Discord Developer Portal. Create a new application, add a bot, and paste the token during configuration.
WhatsApp
WhatsApp connects via QR code scanning. During setup, a QR code appears in the terminal — scan it from WhatsApp > Linked Devices on your phone.
Optimize Costs
OpenClaw sends periodic heartbeat checks using your configured model, which can add up. Switch the heartbeat to a cheaper model by editing ~/.openclaw/openclaw.json:
{
  "agents": {
    "defaults": {
      "heartbeat": {
        "model": "anthropic/claude-haiku-4-5-20241022",
        "every": "1h"
      }
    }
  }
}
Using Haiku instead of Opus or Sonnet for hourly health checks drops the heartbeat cost to almost nothing.
Other cost tips:
- Set spending limits on every provider before starting. A $20–$50 initial cap on Anthropic or OpenAI prevents surprises.
- Monitor daily usage during your first week to understand your baseline.
- Start with the base Mac Mini. The $599 model is more than enough. Use it, learn it, and upgrade when you hit actual workflow demands.
Tips from the Community
After reading through dozens of community guides and setup threads, a few pieces of advice come up again and again:
- Start simpler than you think. Default settings are fine for most things. Add complexity when you hit an actual problem, not before.
- Skip skills on first setup. Each skill expands the agent's permissions. Audit every skill with a tool like Cisco Skill Scanner before installing it.
- Use a password manager for API keys. Sujeeth Shetty's approach of storing everything in Bitwarden and having OpenClaw pull secrets via the Bitwarden CLI keeps credentials out of config files and environment variables. Update a key once in the vault and the agent picks it up on the next access.
- Set up backups early. Push ~/.openclaw/workspace/ to a private GitHub repo for regular syncs. Keep a RESTORE.md file documenting your recovery procedure.
- Use Tailscale for remote access. If you need to reach your Mac Mini from outside your home network, Tailscale gives you a secure tunnel without exposing any ports to the internet.
- Review your SOUL.md. OpenClaw uses a SOUL.md file to define the agent's behavioral constraints. Review it and add rules like "Never execute commands with sudo" and "Never share API keys, tokens, or credentials in any message."
Or Skip All of This
If configuring a Mac Mini, managing updates, hardening security, and keeping the daemon alive sounds like more infrastructure than you signed up for — that's exactly why we built Coral.
Coral gives you a dedicated, isolated OpenClaw instance with managed API keys, automated encrypted backups, and security hardening handled out of the box. No terminal, no CLI, no firewall configuration. Just sign in and start chatting with your agent.
Get started with Coral and skip straight to the part where your AI assistant is actually useful.