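Installing OpenClaw
OpenClaw is essentially a Node.js package published on npm.
Several installation methods are officially supported; to keep the process under control, this guide installs it manually with pnpm.
Dependencies
- As of 2026.03.25, the official recommendation is Node 24 (the latest LTS release at the time).
- Before installing OpenClaw, it is recommended to install the local LLM manager ollama first
- Go to the Feishu Open Platform to obtain the App ID and App Secret
- For details, see 👉 Create a Feishu app
Create the user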
zsh
groupadd -g 6001 agent
useradd -c "agent related process user" \
-g agent -u 6001 -s /bin/nologin -m agent
cp -r /root/.zshrc /home/agent/
chown agent:agent -R /home/agent/.zshrc
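ln -s /server/ohmyzsh /home/agent/.oh-my-zsh
Install the Node.js runtime
To fit OpenClaw better, it is recommended to install nvm under the current user and then use nvm to manage Node.js versions.
1. Install nvm
bash
# Replace v0.40.4 with the tag you need (pick the latest stable release)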
git clone -b v0.40.4 --depth 1 https://github.com/nvm-sh/nvm.git ~/nvm
rm -rf ~/nvm/.git/
chmod 750 ~/nvm/
chown agent:agent -R ~/nvm/
bash
cat >> ~/.zshrc << 'EOF'
# nvm config
export NVM_DIR="${HOME}/nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"
# nvm taobao mirrors
export NVM_NODEJS_ORG_MIRROR=https://npmmirror.com/mirrors/node
export NVM_IOJS_ORG_MIRROR=https://npmmirror.com/mirrors/iojs
EOF
source ~/.zshrc
bash
rm -rf /server/nvm/
# Remove the environment variable configuration
2. Manage Node.js with nvm
bash
agent ➜ nvm install --lts --latest-npm --default
bash
# If your network allows it, prefer the official registry
# The config is stored in ~/.npmrc, so it differs per user; run this as each user
# Show the current registry URL
npm config get registry
# Set the registry to the Taobao mirror
npm config set registry https://registry.npmmirror.com/
# Restore the default
npm config set registry https://registry.npmjs.org
bash
agent ➜ npm i pnpm -g
agent ➜ pnpm setup
agent ➜ source /home/agent/.zshrc
Installation methods
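1. One-line install
If you are not familiar with the process, the one-line installer provided by OpenClaw is recommended; it saves a lot of work.
bash
curl -fsSL https://openclaw.ai/install.sh | bash
2. Manual install
bash
# Globally install the latest version of the openclaw Node package
agent ➜ ~ pnpm add openclaw@latest -g
# Press <a> to select all; this is pnpm's safety mechanism, where you explicitly allow specific packages to compile / run scripts
agent ➜ ~ pnpm approve-builds -g
# Press <a>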
✔ Choose which packages to build (Press <space> to select, <a> to toggle all, <i> to invert selection) · koffi, protobufjs, sharp
✔ The next packages will now be built: koffi, protobufjs, sharp.
# Press <y>
Do you approve? (y/N) · true
.pnpm/koffi@2.15.2/node_modules/koffi: Running install script, done in 192ms
.pnpm/protobufjs@7.5.4/node_modules/protobufjs: Running postinstall script, done in 59ms
.pnpm/sharp@0.34.5/node_modules/sharp: Running install script, done in 121ms
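agent ➜ ~
bash
# Before initialization, change the user to one that allows terminal login; otherwise the user-level service cannot be created
root ➜ ~ usermod -s /bin/zsh agent
# Remote access over an SSH tunnel requires a password or key to be configured
root ➜ ~ passwd agent
bash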
agent ➜ ~ openclaw onboard
🦞 OpenClaw 2026.3.24 (cff6dc9) — More integrations than your therapist's intake form.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██░▄▄▄░██░▄▄░██░▄▄▄██░▀██░██░▄▄▀██░████░▄▄▀██░███░██
██░███░██░▀▀░██░▄▄▄██░█░█░██░█████░████░▀▀░██░█░█░██
██░▀▀▀░██░█████░▀▀▀██░██▄░██░▀▀▄██░▀▀░█░██░██▄▀▄▀▄██
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
🦞 OPENCLAW 🦞
┌ OpenClaw setup
│
◇ Security ─────────────────────────────────────────────────────────────────────────────────╮
│ │
│ Security warning — please read. │
│ │
│ OpenClaw is a hobby project and still in beta. Expect sharp edges. │
│ By default, OpenClaw is a personal agent: one trusted operator boundary. │
│ This bot can read files and run actions if tools are enabled. │
│ A bad prompt can trick it into doing unsafe things. │
│ │
│ OpenClaw is not a hostile multi-tenant boundary by default. │
│ If multiple users can message one tool-enabled agent, they share that delegated tool │
│ authority. │
│ │
│ If you’re not comfortable with security hardening and access control, don’t run │
│ OpenClaw. │
│ Ask someone experienced to help before enabling tools or exposing it to the internet. │
│ │
│ Recommended baseline: │
│ - Pairing/allowlists + mention gating. │
│ - Multi-user/shared inbox: split trust boundaries (separate gateway/credentials, ideally │
│ separate OS users/hosts). │
│ - Sandbox + least-privilege tools. │
│ - Shared inboxes: isolate DM sessions (`session.dmScope: per-channel-peer`) and keep │
│ tool access minimal. │
│ - Keep secrets out of the agent’s reachable filesystem. │
│ - Use the strongest available model for any bot with tools or untrusted inboxes. │
│ │
│ Run regularly: │
│ openclaw security audit --deep │
│ openclaw security audit --fix │
│ │
│ Must read: https://docs.openclaw.ai/gateway/security │
│ │
├────────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ I understand this is personal-by-default and shared/multi-user use requires lock-down. Continue?
│ Yes
│
◇ Setup mode
│ Manual
│
◇ What do you want to set up?
│ Local gateway (this machine)
│
◇ Workspace directory
│ /home/agent/.openclaw/workspace
│
◇ Model/auth provider
│ Ollama
│
◇ Ollama base URL
│ http://127.0.0.1:11434
│
◇ Ollama mode
│ Local
│
◇ Default model
│ ollama/qwen3.5:0.8b
│
◇ Gateway port
│ 18789
│
◇ Gateway bind
│ Loopback (127.0.0.1)
│
◇ Gateway auth
│ Token
│
◇ Tailscale exposure
│ Off
│
◇ How do you want to provide the gateway token?
│ Generate/store plaintext token
│
◇ Gateway token (blank to generate)
│
│
◇ Channel status ───────────────────╮
│ │
│ Telegram: needs token │
│ Discord: needs token │
│ IRC: needs host + nick │
│ Slack: needs tokens │
│ Signal: needs setup │
│ signal-cli: missing (signal-cli) │
│ iMessage: needs setup │
│ imsg: missing (imsg) │
│ LINE: needs token + secret │
│ Accounts: 0 │
│ WhatsApp: not configured │
│ Google Chat: not configured │
│ Feishu: installed │
│ Google Chat: installed │
│ Nostr: installed │
│ Microsoft Teams: installed │
│ Mattermost: installed │
│ Nextcloud Talk: installed │
│ Matrix: installed │
│ BlueBubbles: installed │
│ Zalo: installed │
│ Zalo Personal: installed │
│ Synology Chat: installed │
│ Tlon: installed │
│ Twitch: installed │
│ WhatsApp: installed │
│ │
├────────────────────────────────────╯
│
◇ Configure chat channels now?
│ Yes
│
◇ How channels work ───────────────────────────────────────────────────────────────────────╮
│ │
│ DM security: default is pairing; unknown DMs get a pairing code. │
│ Approve with: openclaw pairing approve <channel> <code> │
│ Public DMs require dmPolicy="open" + allowFrom=["*"]. │
│ Multi-user DMs: run: openclaw config set session.dmScope "per-channel-peer" (or │
│ "per-account-channel-peer" for multi-account channels) to isolate sessions. │
│ Docs: channels/pairing │
│ │
│ Telegram: simplest way to get started — register a bot with @BotFather and get going. │
│ WhatsApp: works with your own number; recommend a separate phone + eSIM. │
│ Discord: very well supported right now. │
│ IRC: classic IRC networks with DM/channel routing and pairing controls. │
│ Google Chat: Google Workspace Chat app with HTTP webhook. │
│ Slack: supported (Socket Mode). │
│ Signal: signal-cli linked device; more setup (David Reagans: "Hop on Discord."). │
│ iMessage: this is still a work in progress. │
│ LINE: LINE Messaging API webhook bot. │
│ Feishu: 飞书/Lark enterprise messaging with doc/wiki/drive tools. │
│ Nostr: Decentralized protocol; encrypted DMs via NIP-04. │
│ Microsoft Teams: Teams SDK; enterprise support. │
│ Mattermost: self-hosted Slack-style chat; install the plugin to enable. │
│ Nextcloud Talk: Self-hosted chat via Nextcloud Talk webhook bots. │
│ Matrix: open protocol; install the plugin to enable. │
│ BlueBubbles: iMessage via the BlueBubbles mac app + REST API. │
│ Zalo: Vietnam-focused messaging platform with Bot API. │
│ Zalo Personal: Zalo personal account via QR code login. │
│ Synology Chat: Connect your Synology NAS Chat to OpenClaw with full agent capabilities. │
│ Tlon: decentralized messaging on Urbit; install the plugin to enable. │
│ Twitch: Twitch chat integration │
│ │
├───────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ Select a channel
│ Feishu/Lark (飞书)
│
◇ Feishu credentials ──────────────────────────────────────────────────────────────╮
│ │
│ 1) Go to Feishu Open Platform (open.feishu.cn) │
│ 2) Create a self-built app │
│ 3) Get App ID and App Secret from Credentials page │
│ 4) Enable required permissions: im:message, im:chat, contact:user.base:readonly │
│ 5) Publish the app or add it to a test group │
│ Tip: you can also set FEISHU_APP_ID / FEISHU_APP_SECRET env vars. │
│ Docs: feishu │
│ │
├───────────────────────────────────────────────────────────────────────────────────╯
│
◇ How do you want to provide this App Secret?
│ Enter App Secret
│
◇ Enter Feishu App Secret
│ <飞书应用密钥>
│
◇ Enter Feishu App ID
│ <飞书应用ID>
[info]: [ 'client ready' ]
│
◇ Feishu connection test ───────────────────────────╮
│ │
│ Connected as ou_c7df8a22be858b1bd639703d26e8b709 │
│ │
├────────────────────────────────────────────────────╯
│
◇ Feishu connection mode
│ WebSocket (default)
│
◇ Which Feishu domain?
│ Feishu (feishu.cn) - China
│
◇ Group chat policy
│ Allowlist - only respond in specific groups
│
◇ Group chat allowlist (chat_ids)
│
│
◇ Select a channel
│ Finished
│
◇ Selected channels ──────────────────────────────────────────╮
│ │
│ Feishu — 飞书/Lark enterprise messaging. Docs: │
│ feishu │
│ │
├──────────────────────────────────────────────────────────────╯
│
◇ Configure DM access policies now? (default: pairing)
│ No
Updated ~/.openclaw/openclaw.json
Workspace OK: ~/.openclaw/workspace
Sessions OK: ~/.openclaw/agents/main/sessions
│
◇ Web search ─────────────────────────────────────────────────────────────────╮
│ │
│ Web search lets your agent look things up online. │
│ Choose a provider. Some providers need an API key, and some work key-free. │
│ Docs: https://docs.openclaw.ai/tools/web │
│ │
├──────────────────────────────────────────────────────────────────────────────╯
│
◇ Search provider
│ Skip for now
│
◇ Skills status ─────────────╮
│ │
│ Eligible: 4 │
│ Missing requirements: 39 │
│ Unsupported on this OS: 7 │
│ Blocked by allowlist: 0 │
│ │
├─────────────────────────────╯
│
◇ Configure skills now? (recommended)
│ No
│
◇ Hooks ──────────────────────────────────────────────────────────────────╮
│ │
│ Hooks let you automate actions when agent commands are issued. │
│ Example: Save session context to memory when you issue /new or /reset. │
│ │
│ Learn more: https://docs.openclaw.ai/automation/hooks │
│ │
├──────────────────────────────────────────────────────────────────────────╯
│
◇ No Hooks Available ─────────────────────────────────────────────────────╮
│ │
│ No eligible hooks found. You can configure hooks later in your config. │
│ │
├──────────────────────────────────────────────────────────────────────────╯
Config overwrite: /home/agent/.openclaw/openclaw.json (sha256 23d8d226dd2fafefe5cdee86f9553391aaa49e7ff79438682fe2b14d76a2a28e -> 9e4d2597e08605833cef34fb8edbf621a863e45514a79b440fb7dcfb28bd257b, backup=/home/agent/.openclaw/openclaw.json.bak)
│
◇ Systemd ────────────────────────────────────────────────────────────────────────────────╮
│ │
│ Linux installs use a systemd user service by default. Without lingering, systemd stops │
│ the user session on logout/idle and kills the Gateway. │
│ Enabling lingering now (may require sudo; writes /var/lib/systemd/linger). │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────╯
Failed to execute /usr/bin/pkttyagent: 没有那个文件或目录
Failed to enable lingering: spawn sudo ENOENT
│
◇ Systemd ─────────────────────────────────────────╮
│ │
│ Run manually: sudo loginctl enable-linger agent │
│ │
├───────────────────────────────────────────────────╯
│
◇ Install Gateway service (recommended)
│ Yes
│
◇ Gateway service runtime
│ Node (recommended)
│
◒ Installing Gateway service…
Installed systemd service: /home/agent/.config/systemd/user/openclaw-gateway.service
◇ Gateway service installed.
│
◇
Feishu: ok
Agents: main (default)
Heartbeat interval: 30m (main)
Session store (main): /home/agent/.openclaw/agents/main/sessions/sessions.json (0 entries)
│
◇ Optional apps ────────────────────────╮
│ │
│ Add nodes for extra features: │
│ - macOS app (system + notifications) │
│ - iOS app (camera/canvas) │
│ - Android app (camera/canvas) │
│ │
├────────────────────────────────────────╯
│
◇ Control UI ─────────────────────────────────────────────────────────────────────╮
│ │
│ Web UI: http://127.0.0.1:18789/ │
│ Web UI (with token): │
│ http://127.0.0.1:18789/#token=<登录token> │
│ Gateway WS: ws://127.0.0.1:18789 │
│ Gateway: reachable │
│ Docs: https://docs.openclaw.ai/web/control-ui │
│ │
├──────────────────────────────────────────────────────────────────────────────────╯
│
◇ Start TUI (best option!) ─────────────────────────────────╮
│ │
│ This is the defining action that makes your agent you. │
│ Please take your time. │
│ The more you tell it, the better the experience will be. │
│ We will send: "Wake up, my friend!" │
│ │
├────────────────────────────────────────────────────────────╯
│
◇ Token ────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ Gateway token: shared auth for the Gateway + Control UI. │
│ Stored in: ~/.openclaw/openclaw.json (gateway.auth.token) or OPENCLAW_GATEWAY_TOKEN. │
│ View token: openclaw config get gateway.auth.token │
│ Generate token: openclaw doctor --generate-gateway-token │
│ Web UI keeps dashboard URL tokens in memory for the current tab and strips them from the │
│ URL after load. │
│ Open the dashboard anytime: openclaw dashboard --no-open │
│ If prompted: paste the token into Control UI settings (or use the tokenized dashboard │
│ URL). │
│ │
├────────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ How do you want to hatch your bot?
│ Do this later
│
◇ Later ───────────────────────────────────────────╮
│ │
│ When you're ready: openclaw dashboard --no-open │
│ │
├───────────────────────────────────────────────────╯
│
◇ Workspace backup ────────────────────────────────────────╮
│ │
│ Back up your agent workspace. │
│ Docs: https://docs.openclaw.ai/concepts/agent-workspace │
│ │
├───────────────────────────────────────────────────────────╯
│
◇ Security ──────────────────────────────────────────────────────╮
│ │
│ Running agents on your computer is risky — harden your setup: │
│ https://docs.openclaw.ai/security │
│ │
├─────────────────────────────────────────────────────────────────╯
│
◇ Enable zsh shell completion for openclaw?
│ Yes
│
◇ Shell completion ───────────────────────────────────────────────────────╮
│ │
│ Shell completion installed. Restart your shell or run: source ~/.zshrc │
│ │
├──────────────────────────────────────────────────────────────────────────╯
│
◇ Web search ───────────────────────────────────────╮
│ │
│ Web search was skipped. You can enable it later: │
│ openclaw configure --section web │
│ │
│ Docs: https://docs.openclaw.ai/tools/web │
│ │
├────────────────────────────────────────────────────╯
│
◇ What now ─────────────────────────────────────────────────────────────╮
│ │
│ What now: https://openclaw.ai/showcase ("What People Are Building"). │
│ │
├────────────────────────────────────────────────────────────────────────╯
│
└ Onboarding complete. Use the dashboard link above to control OpenClaw.
agent ➜ ~
ini
# Generated by OpenClaw itself; OpenClaw's repair command can also generate it
[Unit]
Description=OpenClaw Gateway (v2026.3.23-2)
After=network-online.target
Wants=network-online.target
[Service]
ExecStart=/home/agent/nvm/versions/node/v24.14.0/bin/node /home/agent/.local/share/pnpm/global/5/.pnpm/openclaw@2026.3.23-2_@napi-rs+canvas@0.1.97/node_modules/openclaw/dist/index.js gateway --port 18789
Restart=always
RestartSec=5
TimeoutStopSec=30
TimeoutStartSec=30
SuccessExitStatus=0 143
KillMode=control-group
Environment=HOME=/home/agent
Environment=TMPDIR=/tmp
Environment=NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
Environment=PATH=/home/agent/nvm/versions/node/v24.14.0/bin:/home/agent/.local/share/pnpm:/home/agent/nvm/current/bin:/home/agent/.local/bin:/home/agent/.npm-global/bin:/home/agent/bin:/home/agent/.volta/bin:/home/agent/.asdf/shims:/home/agent/.bun/bin:/home/agent/.nvm/current/bin:/home/agent/.fnm/current/bin:/usr/local/bin:/usr/bin:/bin
Environment=OPENCLAW_GATEWAY_PORT=18789
Environment=OPENCLAW_SYSTEMD_UNIT=openclaw-gateway.service
Environment="OPENCLAW_WINDOWS_TASK_NAME=OpenClaw Gateway"
Environment=OPENCLAW_SERVICE_MARKER=openclaw
Environment=OPENCLAW_SERVICE_KIND=gateway
Environment=OPENCLAW_SERVICE_VERSION=2026.3.23-2
[Install]
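WantedBy=default.target
bash
# Open the gateway's embedded UI with authentication (does not start the service)
# → Resolves the secret automatically, generates the link, and opens the browser
# → SecretRef: only a token-free link is used, to prevent leaks
# → SecretRef is only needed for enterprise setups with strict security requirements
# → If resolution fails: prints the bare link plus a fix hint
openclaw dashboard
# Exactly the same logic as above; recommended for terminal use
# → Difference: only prints/copies the link, does not open a browser
# → Suitable for servers and headless environments
openclaw dashboard --no-open
bash
# Check for configuration problems
# → Checks and repairs configuration problems
# → Scans: config, permissions, ports, services, secrets
# → Does not open the UI directly and does not start the service
openclaw doctor
# Gateway status
# → Shows: online/offline, runtime, channel connections, sessions
# → Does not act, start, or repair anything
openclaw status
# Check the service status
systemctl --user status openclaw-gateway.service
Fixing a failed user-level systemd unit installation
Up to this point, the agent user in the test environment had been using /bin/nologin,
so although the openclaw-gateway.service file was generated, it was not installed successfully.
bash
# Note: by default, you must be logged in as the current user to start it
agent ➜ ~ systemctl --user daemon-reload
agent ➜ ~ systemctl --user enable openclaw-gateway.service --now
bash
# Check whether linger is enabled for the agent user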
root ➜ ~ loginctl show-user agent --property=Linger
Linger=no
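# Enable linger for the agent user
root ➜ ~ loginctl enable-linger agent
# Check again; yes means it succeeded
root ➜ ~ loginctl show-user agent --property=Linger
Linger=yes
Remote access
OpenClaw's browser management console binds to the local loopback address (127.0.0.1) by default and does not accept remote connections from outside.
A client can set up an SSH local port-forwarding tunnel that securely maps the remote service to the local machine, which provides remote access.
bash
# To set up an SSH tunnel, the server's system account must be allowed to log in and have a password set
usermod -s /bin/zsh agent
passwd agent
ps1
# SSH local port forwarding: a port on the remote server itself → local machine
# `ssh` establishes the encrypted connection
# `-N` forward only, do not log in to a shell
# `-L` local port forwarding
# `18789:127.0.0.1:18789` local 18789 → the remote host's own 18789
# `-F none` ignore the SSH config file and run purely from arguments
# `agent@192.168.66.254` remote identity and address
# After running, enter the remote user's password when prompted
ssh -N -L 18789:127.0.0.1:18789 -F none agent@192.168.66.254
bash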
ssh -N -L 18789:127.0.0.1:18789 agent@192.168.66.254
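The SSH tunnel is only the sole way in while the gateway really listens on loopback and the plaintext token file is readable by the agent user alone. The following check is an added example, not part of the original guide or the OpenClaw project; the function names and the sample `ss` lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: check how far the OpenClaw gateway from this guide is exposed.

# classify_listeners PORT
# Reads `ss -ltnH` style lines on stdin and prints one verdict for PORT:
#   loopback - every listener on PORT is bound to 127.0.0.0/8 or ::1
#   exposed  - at least one listener is on a wildcard or routable address
#   absent   - nothing is listening on PORT
classify_listeners() (
  port="$1"; verdict="absent"
  while read -r state _recvq _sendq laddr _rest; do
    [ "$state" = "LISTEN" ] || continue
    [ "${laddr##*:}" = "$port" ] || continue   # port follows the last colon
    host="${laddr%:*}"                         # drop ":port"
    host="${host%%\%*}"                        # drop a "%iface" scope suffix
    host="${host#\[}"; host="${host%\]}"       # drop IPv6 brackets
    case "$host" in
      127.*|::1) [ "$verdict" = "exposed" ] || verdict="loopback" ;;
      *)         verdict="exposed" ;;          # 0.0.0.0, *, ::, a LAN address
    esac
  done
  printf '%s\n' "$verdict"
)

# secret_file_private PATH
# Succeeds only when PATH grants no permission bits to group or other
# (for example mode 0600); exits 2 when PATH cannot be read at all.
secret_file_private() (
  perms="$(ls -ldL -- "$1" 2>/dev/null)" || exit 2
  case "$perms" in
    ????------*) exit 0 ;;
    *)           exit 1 ;;
  esac
)

# Constructed sample (not captured from a real host): the gateway on IPv4 and
# IPv6 loopback, plus an unrelated SSH daemon listening on all interfaces.
SAMPLE_SS='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::1]:18789 [::]:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners 18789
```

On the server, feed it live data with `ss -ltnH | classify_listeners 18789` and `secret_file_private ~/.openclaw/openclaw.json`.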