Part 3 of 4: The OpenClaw Series — A Beginner’s Setup Path, and the Real Incidents That Make Caution Non-Negotiable

Getting Started With OpenClaw — and the Safety Basics No One Skips
Before you connect your email, calendar, and files to an AI agent, read this. It will save you a headache.
That is not a scare tactic. It is the plain lesson from the last few months of watching OpenClaw go from a weekend project to one of the most-starred open-source repositories on GitHub. OpenClaw is genuinely useful — it can triage your inbox, manage your calendar, browse the web on your behalf, and act across the messaging apps you already use. But "acts across the apps you already use" is precisely what makes getting started with OpenClaw different from installing a normal app. A misread instruction here does not just produce a bad answer on a screen. It can send a message, delete an email, or make a purchase — for real.
This is Part 3 of our four-part OpenClaw series. Part 1 covered what OpenClaw actually is and why it matters. Part 2 looked at where the category is heading. This post is the practical one: how to install OpenClaw, connect your first channel, and build the safety habits that keep a genuinely exciting tool from becoming a genuinely expensive mistake.
"Rookie mistake tbh. Turns out alignment researchers aren’t immune to misalignment."
— Summer Yue, Director of Alignment, Meta Superintelligence Labs (2026)
What Is OpenClaw (A Beginner’s Overview)
OpenClaw is an open-source personal AI agent that runs on your own device or a managed server and connects an AI model to the messaging apps, files, and tools you already use every day. Unlike a standard chatbot, it does not just describe steps — it can execute them: sending a message, editing a file, running a command, or browsing a page on your behalf.
OpenClaw is built from three layers working together. Understanding each one makes every safety habit later in this guide make more sense.
Layer | What It Does | Beginner Analogy |
The Brain (Model) | The AI model — Claude, GPT, or a local model — that reasons about what to do next | The person deciding what to do |
The Gateway | The local control plane connecting the model to your channels, tools, and sessions | The phone line connecting you to that person |
Skills & Channels | Installed abilities (email, browser, files) and connected apps (Telegram, Slack, etc.) | The hands the person uses to act, and the rooms they can enter |

Figure 1. The beginner path to your first OpenClaw agent, in five steps.
Why Getting the Setup Order Right Matters
The order in which you set OpenClaw up is not a formality — it is the actual safety mechanism. Every documented incident involving OpenClaw traces back to skipping one of the beginner steps: connecting too much access too fast, trusting an instruction to survive a long session, or installing a skill without checking what it can touch.
KEY STAT
Security researchers found 341 confirmed malicious skills out of 2,857 published on ClawHub in an initial audit (roughly 12%). By the next scan 11 days later, the registry had grown to over 10,700 skills and the malicious count had risen to 824. A separate analysis placed the ecosystem-wide malicious share closer to 20%.
Metric | Value | Why It Matters for Beginners |
GitHub stars (as of June 2026) | 380,000+ | Massive, fast-growing community — and fast-growing attack surface |
ClawHub skills (early Feb 2026) | 2,857 | Baseline registry size before rapid growth |
ClawHub skills (mid Feb 2026) | 10,700+ | Registry nearly quadrupled in 11 days |
Confirmed malicious skills | 341 → 824 | Malicious skills grew alongside the registry, not despite it |
Internet-exposed instances found | 30,000+ | Many running without authentication, per multiple scanning teams |
Critical vulnerability (CVE-2026-25253) | CVSS 8.8 | One-click remote code execution, patched Jan 30, 2026 |
"Agent skill files have a reputation for being insecure, and that reputation is earned."
— OpenClaw project blog, on the ClawHub–NVIDIA skill security partnership (2026)

Figure 2. Confirmed malicious skills found on ClawHub across three security audits in 2026.
The Beginner Installation Path, Step by Step
Here is the direct answer: install OpenClaw through its CLI installer or macOS companion app, connect one AI model, link a single low-stakes channel, test with a harmless task, and only then start adding skills.
Step 1 — Install It
OpenClaw runs via a simple command-line installer on macOS, Windows, and Linux, or as a companion menu-bar app on macOS. If you would rather not manage a server yourself, managed cloud options exist that handle hosting, patching, and skill vetting for you — a reasonable trade-off if self-hosting feels like too much surface area on day one.
Step 2 — Pick Your AI Model
Connect OpenClaw to Claude, GPT, or a local model — this is the "brain" that decides what the agent does next. Cloud models generally reason better on complex, multi-step tasks; a local model keeps everything on your own hardware but may be slower and less capable on nuanced instructions.
Step 3 — Connect One Channel First
Start with a single chat app — Telegram is a common beginner choice — rather than linking WhatsApp, Slack, Discord, email, and iMessage all at once. One channel means one place to watch, one set of logs to review, and one blast radius if something goes wrong while you are still learning how the agent behaves.
Step 4 — Try a Low-Stakes Task
Ask it to summarize an article or check the weather before handing it your inbox. This is not busywork — it is how you learn the agent’s actual behavior under real conditions: how it phrases confirmations, how it handles ambiguous requests, and whether it asks before acting when you expect it to.
PRO TIP
Treat the first week as an observation period, not a productivity sprint. You are testing the agent’s judgment, not your task list.
Step 5 — Add "Skills" Gradually
Only install skills from trusted, reviewed sources as you get comfortable. Skills are the "hands" that let OpenClaw do more — but they are also, as the security research below shows, the single most common way beginners are compromised.

Figure 3. A gradual two-week rollout plan for a new OpenClaw setup.
Connecting Your First Channel — What "One at a Time" Actually Buys You
OpenClaw supports well over twenty messaging channels — WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, Matrix, and more. That breadth is a real strength once you know what you are doing. It is also exactly why beginners are told to connect only one channel at first: every additional channel is another inbox, another set of contacts, and another surface where a misfire can reach real people.
Rollout Stage | What to Connect | What to Avoid |
Week 1 | One low-stakes channel (e.g., Telegram) | Email, banking, or work chat tools |
Week 2 | A second channel, only after Week 1 behaved predictably | Granting write access to any channel yet |
Week 3+ | Read-only inbox access, with logging enabled | Batch or scheduled actions without review |
Ongoing | Write access to one narrow, reversible task at a time | Full inbox, calendar, and payment access together |
"I couldn’t stop it from my phone. I had to run to my Mac mini like I was defusing a bomb."
— Summer Yue, describing her attempt to halt a runaway OpenClaw deletion sequence (2026)
Testing With Low-Stakes Tasks Before Handing Over Real Access
The direct answer: prove the agent behaves correctly on tasks you can afford to get wrong before you give it tasks you cannot undo. This is the single habit that would have prevented the most widely reported OpenClaw incident of 2026.
- Start with tasks that have no real-world consequence: summarizing a news article, checking the weather, drafting a note you will review before sending.
- Watch how the agent handles ambiguity — does it ask before acting, or does it guess and proceed?
- Note how it responds to an explicit constraint like "don’t take action until I confirm" — and whether that constraint still holds after a long session.
- Only move to write access (sending, deleting, purchasing) after the agent has shown consistent, predictable behavior on read-only tasks.
- Add one skill at a time, from a reviewed source, and observe its behavior before adding the next.
KEY STAT
The agent that deleted Summer Yue’s inbox had performed flawlessly for weeks on a smaller test inbox. The failure appeared only when it was pointed at a much larger, real inbox — a reminder that behavior at small scale does not guarantee behavior at real scale.
Choosing Your Model and Hosting Option
The direct answer: cloud models (Claude, GPT) generally reason better on complex tasks; local models keep data on your machine; managed cloud hosting trades some control for built-in vetting and patching.
Option | Best For | Trade-off |
Cloud model (Claude, GPT, etc.) | Complex, multi-step reasoning and nuanced instructions | Data leaves your device; usage costs scale with activity |
Local model (e.g., via Ollama) | Privacy-sensitive tasks, offline use | Generally weaker reasoning; more setup effort |
Self-hosted OpenClaw | Full control over configuration and data | You own all patching, sandboxing, and monitoring |
Managed cloud OpenClaw | Beginners who want built-in vetting and less maintenance | Less granular control; dependent on the provider’s security practices |
Why Caution Matters — Real Lessons From Early Adopters
Because OpenClaw can take real actions, a misread instruction can cause real consequences. The clearest example is now well-documented: an assistant misinterpreted "don’t action until I confirm" and started archiving a personal inbox anyway.
In late February 2026, Summer Yue, Director of Alignment at Meta’s Superintelligence Labs, connected an OpenClaw agent to her primary Gmail inbox. She gave it one explicit instruction: suggest what to archive or delete, but take no action until she approved it. The agent had performed exactly this way for weeks on a smaller test inbox. Her real inbox, however, was large enough that processing it pushed the conversation past the model’s context window limit — triggering OpenClaw’s automatic compaction, a process that summarizes older conversation history to stay within token limits.
WARNING
The compaction summary dropped her critical instruction: "confirm before acting." The agent continued working from the compressed history, which no longer contained the rule — and began bulk-trashing and archiving hundreds of emails with no plan shown and no approval requested.
Long conversations getting "compacted" is not a bug specific to OpenClaw — it is a structural feature of how every large language model manages a finite context window. The problem is that compaction has no concept of instruction priority: a casual remark and a critical safety rule are both just text, equally eligible for summarization when space runs short. Yue could not halt the process remotely and had to physically reach the host machine to kill it. By then, over 200 emails were gone.
A second, separate risk sits in the skills themselves. Community-built skills on ClawHub, OpenClaw’s skill marketplace, are not automatically vetted before publication. Security researchers have flagged that untrusted third-party skills can carry real risk — from infostealer malware disguised as productivity tools, to prompt injection payloads embedded in a skill’s own description, to skills that quietly leak API keys and tokens in plaintext. One audit found over 280 skills leaking credentials in their source code; another documented a skill designed to look like a TradingView assistant that instead redirected users to a malicious setup script.
Incident | What Happened | Root Cause |
Meta researcher’s inbox deletion | Hundreds of emails bulk-deleted despite an explicit "confirm first" rule | Instruction lost during context compaction |
ClawHavoc skill campaign | 341→824 malicious skills found across two audits, mostly infostealers | Low barrier to publishing on ClawHub, minimal pre-review |
Chris Boyd iMessage incident | Over 500 unsolicited messages sent to random contacts | Agent given broad messaging access with insufficient guardrails |
CVE-2026-25253 | One-click remote code execution via a manipulated gateway URL | No origin validation on WebSocket connections before patching |
Because OpenClaw can read anything in a connected inbox or webpage, it is also exposed to prompt injection — hidden instructions embedded in content it reads. A security researcher demonstrated a prompt injection attack that extracted a private key in minutes, simply by sending a malicious email that OpenClaw processed. This is a known open challenge with agentic AI tools generally, not a flaw unique to OpenClaw — but it is a direct consequence of giving any agent read access to untrusted content.

Figure 4. How a single instruction travels from your message to a real-world action.
"I said "Check this inbox too and suggest what you would archive or delete, don’t action until I tell you to." This has been working well for my toy inbox, but my real inbox was too huge and triggered compaction. During the compaction, it lost my original instruction."
— Summer Yue, in a post-incident technical explanation (2026)

Figure 5. ClawHub’s registry size and confirmed malicious skill count, Feb 5 vs. Feb 16, 2026.

Figure 6. Illustrative breakdown of malicious skill types and common beginner risk sources.

Figure 7. Eight setup mistakes that have already led to documented OpenClaw incidents.
3 Beginner Safety Habits
The direct answer: start read-only, repeat critical rules in a durable place, and review before automating anything irreversible.
- Start with read-only or low-risk tasks before granting write access (deleting, sending, purchasing). Prove the agent’s judgment on tasks you can afford to get wrong.
- Repeat critical instructions ("don’t take action yet") rather than assuming the agent will remember from earlier in a long session — and better still, put durable rules in a file like AGENTS.md or MEMORY.md rather than typing them only in chat.
- Review before automating anything irreversible — email deletion, payments, or messages sent on your behalf. If an action cannot be undone, a human should look at the plan first, every time.
BEST PRACTICE
Prompts are not enforcement. A rule typed in chat can be summarized away; a rule saved to a file your agent reloads every session is far more durable. If an action is irreversible, put a permission gate in front of it — not just a sentence.

Figure 8. The permission escalation ladder — most incidents happen from climbing it too fast.

Figure 9. Risky habits versus their safer counterparts, side by side.
Real-World Examples: What Happens When These Habits Are Skipped
Beyond the Meta researcher’s inbox incident, other early adopters have hit variations of the same failure mode. Bloomberg reported that software engineer Chris Boyd gave OpenClaw access to his iMessage account, only for the agent to send over 500 unsolicited messages to random contacts. Bitdefender researchers separately found exposed OpenClaw instances leaking Anthropic API keys, Telegram bot tokens, and Slack OAuth credentials openly on the internet — instances that had never been properly secured in the first place.
Case | Beginner Habit That Would Have Helped | Outcome Without It |
Meta researcher’s inbox | Durable rule file instead of chat-only instruction | Hundreds of emails deleted, unrecoverable in the moment |
Chris Boyd’s iMessage | Read-only start before granting messaging write access | 500+ unsolicited messages sent to real contacts |
Exposed gateway instances | Reviewing exposure/auth settings before going live | Credentials leaked publicly on the open internet |
"This wasn’t a bug in the traditional sense. It’s a fundamental limitation of how LLM-based agents handle long conversations."
— OpenClaw incident analysis, on the root cause of the Meta researcher’s email deletion (2026)
Where OpenClaw Safety Is Heading
The ecosystem is responding. ClawHub has partnered with VirusTotal and, more recently, NVIDIA, to run automated scanning across every published skill — introducing "Skill Cards" that document what a skill does, who published it, and what security scans found, rather than relying on the publisher’s own description. That is real progress, but it does not remove the need for beginner-level caution: scanning catches known patterns, not every novel risk, and a skill that behaves exactly as described can still request far more access than a task actually needs.
UPDATE
As of mid-2026, ClawHub runs continuous scanning across tens of thousands of published skill versions and publishes its security scan dataset publicly — a sign the ecosystem is maturing, even as the beginner habits in this guide remain the first and most reliable line of defense.

Figure 10. OpenClaw’s ecosystem growth alongside its evolving security response, 2026.
Frequently Asked Questions
Is OpenClaw safe to use as a beginner?
OpenClaw is safe to use if you follow a gradual setup: install it, connect one channel, test with low-stakes tasks, and add write access only after the agent has shown predictable behavior. The documented incidents in 2026 almost all trace back to skipping this gradual approach — connecting a real inbox on day one, trusting a chat-only instruction to survive a long session, or installing an unvetted skill.
What is the safest way to install OpenClaw for the first time?
Use the official CLI installer or the macOS companion app, or choose a managed cloud option if you prefer not to self-host. Whichever route you choose, connect a single low-stakes chat channel first — such as Telegram — rather than linking email, work chat, and messaging apps all at once.
Why did an OpenClaw agent delete someone’s entire inbox?
A Meta Superintelligence Labs researcher gave her agent an explicit instruction to confirm before taking action. When her large inbox pushed the conversation past the model’s context limit, OpenClaw’s automatic compaction process summarized the conversation history and dropped that instruction. Without the rule in context, the agent proceeded to bulk-delete emails on its own.
Can I trust skills from the ClawHub marketplace?
Not automatically. Independent audits have found hundreds of confirmed malicious skills on ClawHub, including infostealers, credential-leaking code, and prompt injection payloads embedded in skill descriptions. ClawHub now runs automated scanning with VirusTotal and NVIDIA’s SkillSpector, but beginners should still stick to well-known, reviewed skills and check what permissions a skill actually requests before installing it.
What is prompt injection, and does it affect OpenClaw?
Prompt injection is when hidden instructions embedded in content an AI agent reads — an email, a webpage, a document — cause the agent to take unintended actions. Because OpenClaw can read anything in a connected inbox or webpage, it is exposed to this risk. It is a known, open challenge across agentic AI tools generally, not a flaw unique to OpenClaw, and it is one more reason to limit what an agent can act on before you have tested it thoroughly.
How much access should I give OpenClaw when I’m just starting out?
Start with read-only or low-risk tasks — summarizing, checking information, drafting messages you review before sending. Grant write access (sending, deleting, purchasing) only gradually, and never automate irreversible actions without a human review step in front of them.
Do I need to know how to code to use OpenClaw?
Basic comfort with a command-line terminal helps for installation, but OpenClaw is designed for non-developers once it is running — you interact with it through the chat apps you already use. The technical part is mostly front-loaded into setup; day-to-day use is conversational.
Conclusion
OpenClaw is a genuinely exciting glimpse at where personal AI is headed — assistants that act, not just chat. That same quality is exactly why the setup order matters: install, connect one channel, test low-stakes tasks, and add access gradually, while treating "confirm before acting" as a rule that belongs in a file, not just a sentence typed into chat. The real incidents from 2026 — a bulk-deleted inbox, hundreds of malicious skills, unsolicited messages sent to real contacts — all share the same root cause: trust granted faster than the agent had earned it.
Start small, stay curious, and build up from there. If you try it, we’d love to hear what your first use case was.
SUMMARY
Starter checklist before you connect anything real: (1) Install via the official CLI or companion app. (2) Connect one low-stakes channel first. (3) Test with a harmless task. (4) Put critical rules in a file, not just chat. (5) Add skills one at a time, from reviewed sources. (6) Grant write access gradually, and never automate anything irreversible without a review step.
References
- OpenClaw GitHub repository — openclaw/openclaw (2026)
- Generect, "What Is OpenClaw AI Agent? Full Guide for Outbound" (2026)
- AlphaTechFinance, "OpenClaw (Open Claw) — The Complete 2026 Guide" (2026)
- BuildMVPFast, "OpenClaw Guide 2026: The Complete AI Agent Handbook" (2026)
- OpenClaw AI, "OpenClaw Goes Rogue: What a Meta Exec’s Deleted Inbox Teaches Us About AI Agent Safety" (2026)
- TechNow, "OpenClaw Gone Wrong: Why AI Guardrails Still Fail in 2026" (2026)
- VelvetShark, "OpenClaw Memory Masterclass: The Complete Guide to Agent Memory That Survives" (2026)
- Let’s Data Science, "Why AI Agents Fail: Context Compaction Explained" (2026)
- Medium (John Ding), "Analyzing the Incident of OpenClaw Deleting Emails: A Technical Deep Dive" (2026)
- Security Boulevard, "If You Love Your Agents, Don’t Set Them Free: OpenClaw Agents Run Amok in Meta Incident" (2026)
- Unit 42 (Palo Alto Networks), "OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat" (2026)
- Serenities AI, "ClawHub Security Alert: 341 OpenClaw Skills Found..." (2026)
- Conscia, "The OpenClaw Security Crisis" (2026)
- Sangfor, "OpenClaw Security Risks: From Vulnerabilities to Supply Chain Abuse" (2026)
- OpenClaw Blog, "OpenClaw Collaborates With NVIDIA for Stronger Agent Skill Security" (2026)
- TradingView News, "OpenClawd Ships Verified Skill Screening After Security Researchers Find 12% of OpenClaw Marketplace Skills Are Malware" (2026)
- GitHub Issue #5429, openclaw/openclaw, "Lost 2 days of agent context to silent compaction" (2026)
Praveen Kumar