openclaw-setup

---
name: openclaw-setup
description: Set up a complete OpenClaw personal AI assistant from scratch using Claude Code. Walks through AWS provisioning, OpenClaw installation, Telegram bot creation, API configuration, Google Workspace integration, security hardening, and all power features. Give this to Claude Code and it handles the rest.
---

# OpenClaw Setup Skill

You are Claude Code. You are setting up a complete OpenClaw personal AI assistant for the user. Follow each phase in order. Do not skip steps. Ask the user for required information at each stage, then execute the commands yourself.

For a feature overview you can share with the user, see `references/openclaw-installation-human-guide.md`.

## How This Works

The user gave you this skill. Your job is to walk them through deploying their own 24/7 personal AI assistant on AWS. Collect what you need from them (API keys, preferences), then SSH into their server and run everything. Confirm before moving between phases.

**Estimated setup time:** 45-90 minutes
**Estimated monthly cost:** $15-50 depending on model choice and usage

## Phase 1: Gather Requirements

Ask the user for the following. Collect everything before starting infrastructure:

**Required:**
- [ ] AWS account access (existing account, or walk them through creating one at aws.amazon.com)
- [ ] Anthropic API key (from console.anthropic.com, needed for Claude)
- [ ] Telegram account (they'll create a bot via @BotFather)
- [ ] Preferred timezone and daily schedule (for heartbeat and cron setup)
- [ ] Their name and how they want to be addressed

**Optional but recommended:**
- [ ] Groq API key (free at console.groq.com, for voice transcription)
- [ ] OpenAI API key (for memory search embeddings, very low cost)
- [ ] Google Workspace account (for calendar/email/drive integration)
- [ ] Domain name (for SSL, not required)

**Model:** Always recommend **Opus** as the default. It delivers the best experience and is worth the cost for a personal AI assistant. Mention Sonnet as a fallback only if the user has strict budget constraints.

Once you have these, proceed to Phase 2.

## Phase 2: AWS Infrastructure

### 2.1 Launch EC2 Instance

Walk the user through the AWS Console (or use CLI if they have it configured):

- **Instance type:** m7i-flex.large (2 vCPUs, 8GB RAM) — **free tier eligible** for new AWS accounts (first 12 months). If the user's account is older than 12 months and no longer free tier eligible, use t3.small (2 vCPUs, 2GB RAM) as a budget alternative.
- **AMI:** Ubuntu 24.04 LTS (latest)
- **Storage:** 30GB gp3 EBS volume
- **Security groups:** Open ports 22 (SSH), 80 (HTTP), 443 (HTTPS)
- **Key pair:** Create new, have user save the .pem file securely
- **Elastic IP:** Allocate and associate with the instance

Tell the user: "Save the .pem key file somewhere safe. You'll need it to SSH into your server."

### 2.2 Connect and Prepare

Once the instance is running, SSH in:
```bash
ssh -i /path/to/key.pem ubuntu@<ELASTIC_IP>
```

Run initial setup:
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl git build-essential

# Set up swap (prevents out-of-memory on smaller instances)
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
```

## Phase 3: Install OpenClaw

### 3.1 Install Node.js 22+
```bash
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
node -v  # should be 22+
```

### 3.2 Configure npm global directory
```bash
mkdir -p ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.bashrc
source ~/.bashrc
```

### 3.3 Install OpenClaw
```bash
npm install -g openclaw
openclaw --version
```

### 3.4 Initialize workspace
```bash
mkdir -p ~/agent
cd ~/agent
openclaw init
```

This creates the workspace: AGENTS.md, SOUL.md, USER.md, MEMORY.md, and the config structure.

## Phase 4: Create Telegram Bot

Walk the user through this on their phone or Telegram desktop:

1. Open Telegram, search for **@BotFather**
2. Send `/newbot`
3. Choose a display name (e.g., "My AI Assistant")
4. Choose a username (must end in `bot`, e.g., `myai_assistant_bot`)
5. **Copy the bot token** (a long string like `7123456789:AAF...`)

Tell the user: "Send me the bot token. I'll configure it now."

## Phase 5: Configure OpenClaw

### 5.1 Core config

Use `openclaw config` or edit the config file directly. Set up:

```json
{
  "channels": {
    "telegram": {
      "accounts": {
        "main": {
          "token": "<TELEGRAM_BOT_TOKEN>"
        }
      }
    }
  },
  "llm": {
    "provider": "anthropic",
    "apiKey": "<ANTHROPIC_API_KEY>",
    "model": "<CHOSEN_MODEL>"
  }
}
```

Recommended model: `claude-opus-4-5-20250501` (Opus)
Fallback if budget-constrained: `claude-sonnet-4-20250514` (Sonnet)

### 5.2 Voice transcription (if Groq key provided)
```json
{
  "tools": {
    "media": {
      "audio": {
        "provider": "groq",
        "apiKey": "<GROQ_API_KEY>"
      }
    }
  }
}
```

### 5.3 Memory search (if OpenAI key provided)
```json
{
  "memory": {
    "search": {
      "provider": "openai",
      "apiKey": "<OPENAI_API_KEY>"
    }
  }
}
```

Uses text-embedding-3-small. Cost is negligible (~$0.02 per million tokens).

## Phase 6: Google Workspace Integration (if requested)

This is the most complex step. Only do it if the user wants calendar/email/drive access.

### 6.1 Google Cloud Console setup
Walk the user through console.cloud.google.com:
1. Create or select a project
2. Enable APIs: Gmail, Calendar, Drive, Contacts, Sheets, Docs
3. Configure OAuth consent screen (External, add user as test user)
4. Create OAuth client ID (Desktop app)
5. Download the `client_secret_*.json` file

### 6.2 Install gog CLI
```bash
# Install Go if not present
sudo snap install go --classic

# Build gog
git clone https://github.com/steipete/gogcli.git
cd gogcli && make build
sudo cp bin/gog /usr/local/bin/
cd ~/agent
```

### 6.3 Authenticate
```bash
gog auth credentials ~/Downloads/client_secret_*.json

# Choose a keyring password (user should remember this)
GOG_KEYRING_PASSWORD=<password> gog auth add <user-email> \
  --services gmail,calendar,drive,contacts,sheets,docs --manual
```

The manual flag gives a URL to paste in browser. User authorizes, copies the code back.

### 6.4 Add env vars to OpenClaw config
The workspace needs `GOG_KEYRING_PASSWORD` and `GOG_ACCOUNT` set as environment variables. Add them to the systemd service (Phase 8) or export in .bashrc.

### 6.5 Verify
```bash
GOG_KEYRING_PASSWORD=<password> GOG_ACCOUNT=<email> gog calendar list
GOG_KEYRING_PASSWORD=<password> GOG_ACCOUNT=<email> gog gmail search "is:unread" --max 5
```

## Phase 7: Security Hardening

### 7.1 Firewall
```bash
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
```

### 7.2 fail2ban
```bash
sudo apt install -y fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```

### 7.3 SSH hardening
```bash
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd
```

### 7.4 SSL (if domain provided)
```bash
sudo apt install -y certbot
sudo certbot certonly --standalone -d <domain>
```

## Phase 8: Personalize the Workspace

This is where the assistant becomes THEIRS.

### 8.1 SOUL.md
Ask the user: "How do you want your assistant to talk to you? Casual? Professional? Direct? Friendly?"

Write a SOUL.md that matches their preference. Include:
- Communication style and tone
- Whether to be proactive or wait for instructions
- Any boundaries (what NOT to do without asking)

### 8.2 USER.md
Ask the user about themselves:
- Name, timezone, location
- What they do (work, hobbies, projects)
- Family/people to know about (optional)
- Goals and priorities
- Communication preferences

### 8.3 HEARTBEAT.md
Set up periodic check-ins based on their needs. Common ones:
- Email scan (2-4x daily)
- Calendar alerts (upcoming events)
- Custom checks based on their workflow

### 8.4 Cron jobs (optional)
If they want scheduled briefings:
- Morning briefing (daily at their wake time)
- Evening debrief (daily before bed)
- Weekly review
- Custom reminders

## Phase 9: Launch and Auto-Restart

### 9.1 Create systemd service
```bash
sudo tee /etc/systemd/system/openclaw-gateway.service << 'EOF'
[Unit]
Description=OpenClaw Gateway
After=network.target

[Service]
Type=simple
User=ubuntu
WorkingDirectory=/home/ubuntu/agent
ExecStart=/home/ubuntu/.npm-global/bin/openclaw gateway start --foreground
Restart=always
RestartSec=10
Environment=PATH=/home/ubuntu/.npm-global/bin:/usr/local/bin:/usr/bin:/bin
# Add GOG env vars here if Google integration is set up:
# Environment=GOG_KEYRING_PASSWORD=<password>
# Environment=GOG_ACCOUNT=<email>

[Install]
WantedBy=multi-user.target
EOF
```

### 9.2 Start it
```bash
sudo systemctl daemon-reload
sudo systemctl enable openclaw-gateway
sudo systemctl start openclaw-gateway
```

### 9.3 Verify it's running
```bash
sudo systemctl status openclaw-gateway
```

## Phase 10: Test Everything

Run through this checklist with the user:

1. **Send a test message** to the Telegram bot. Verify response.
2. **Send a voice note** (if Groq configured). Verify transcription.
3. **Ask it to remember something.** Restart the service. Ask again. Verify persistence.
4. **Ask it to check calendar/email** (if Google configured). Verify access.
5. **Wait for a heartbeat.** Verify proactive check-in fires.
6. **Ask it "what's my name?"** Verify it reads USER.md correctly.

If any test fails, troubleshoot before moving on.

## Phase 11: User Training

Walk the user through:
- **Basic use:** Just message the bot. It remembers everything.
- **Voice notes:** Send voice messages for hands-free interaction.
- **Memory:** It learns over time. Correct it when it's wrong, it'll remember.
- **Commands:** `/status` shows system health.

... (truncated)