Before you install: the safe-setup checklist.

An old laptop or a Mac mini, wiped clean, with nothing on it but the OS and OpenClaw. No saved passwords, no synced cloud drives, no work anything. If the agent is ever fully compromised, the attacker gets… an empty machine with one API key you can revoke in 60 seconds.

A Pi 5 runs OpenClaw comfortably, costs ~$80, sips electricity, and has the same wonderful property: nothing else lives there. Slightly more fiddly to set up (it's Linux from scratch), but a great fit for the "always-on briefings and monitors" lifestyle.

A $5–10/month cloud server (Hetzner, DigitalOcean, etc.) keeps the agent off your home network entirely — the strongest network isolation you can get. The trade: your agent's data lives on rented hardware, and a VPS on the public internet makes the binding rules in section 02 absolutely non-negotiable.

If one machine is all you have: run OpenClaw inside a virtual machine or container, give it its own user account, and mount exactly one folder it's allowed to touch. This works, but understand what you lost — a VM escape or a sloppy folder grant and the fence is gone. And to say it once more for the record: never on a work machine. Not in a VM, not in a container, not at all.

During onboarding, OpenClaw asks where to "bind" its gateway — which network doors it answers on. Localhost (127.0.0.1) means only the machine itself can talk to it. 0.0.0.0 means the whole network — potentially the whole internet — can. Nearly every one of those 42,900 exposed instances got this wrong.

Need remote access? Use a private tunnel, not an open port

Install Tailscale (free for personal use) on the agent box and your phone. You get an encrypted private network between your own devices — remote access with nothing exposed to the public internet. This is the standard answer; port-forwarding your router to OpenClaw is how you end up in a scan report.

The agent gets a fresh email address, fresh API keys, and (if you connect chat) ideally its own phone number or bot account. Never your main Google login, never your personal API key shared across projects. Two reasons: revocation (kill the agent's key without killing your own) and attribution (you always know which actor did what).

Create a dedicated key in your model provider's console (Anthropic, OpenAI, or OpenRouter), name it openclaw, and set a monthly spend cap — $10–20 to start. The cap isn't just budgeting: a hijacked agent that burns tokens at 3am hits the ceiling instead of your card. Store the key only on the agent box, never in a chat message or a skill file.

Write down — actually write down — what the agent is allowed to see: which folder, which calendar, which inbox (its own!), which chats. Everything else is off the menu until it earns it. The failure pattern from Lesson 2 is capability creep on a giddy first night; the antidote is a written scope you set while sober.

Before you install, know your three emergency moves: stop the service (one command — you'll learn it in Lesson 4), revoke the API key (provider console, 60 seconds), and unplug the box (the one that always works). Write all three on a sticky note. Genuinely. The moment you need them is not the moment to research them.