Skip to content

Enterprise Setup: OpenClaw for Teams & Companies

How to deploy, secure, and manage OpenClaw for company use. Includes security hardening, team architecture, and multi-agent orchestration.

Table of Contents

Full Stack Requirements

Minimum

Component Requirement
OS macOS (Apple Silicon), Linux, or Windows (WSL2)
Runtime Node.js >= 22
CPU/RAM 2 vCPU / 4 GB RAM minimum
Docker Recommended for isolation
LLM API Key Anthropic (recommended), OpenAI, or others
Network Internet access for LLM APIs

Enterprise Stack

Infrastructure Layer:
├── VPS / Cloud VM / On-Prem Mac
├── Docker + Docker Compose
├── Reverse proxy (Caddy, nginx, Traefik) for HTTPS
└── Tailscale (recommended for secure remote access)

OpenClaw Layer:
├── Gateway process (port 18789)
├── Canvas server (port 18793, optional)
├── Docker sandbox containers per agent session
│   ├── Memory limit: 512MB per container
│   ├── CPU cores: 1
│   └── Process limit: 100
└── Token usage dashboard (built-in, v2026.2.6+)

Per-Agent Configuration:
├── Separate profiles per team member/function
├── Isolated state, config, workspace, port
├── AGENTS.md (operational rules)
├── SOUL.md (persona)
└── skills/ directory

Monitoring:
├── Token usage dashboard (built-in)
├── Gateway logs
├── Health check endpoints
└── Mission Control (community -- real-time monitoring UI)

Installation

Quick Start

# Option A: One-liner
curl -fsSL https://openclaw.ai/install.sh | bash

# Option B: npm
npm install -g openclaw

# Option C: Docker
bash <(curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw/main/docker-setup.sh)

Onboarding

openclaw onboard
# Wizard guides you through:
# - Gateway setup
# - LLM provider config (API key or OAuth)
# - Workspace creation
# - Channel connection
# - First skill setup

Start

openclaw gateway                    # Start gateway
openclaw dashboard                  # Open web UI
openclaw chat                       # Terminal chat
openclaw agent --message "Hello"    # One-shot message

Add Skills

openclaw skill search github
openclaw skill install github

Set Up Automation

# Daily morning briefing at 7am
openclaw cron add --name "Morning brief" --cron "0 7 * * *" --message "Weather, calendar, top emails"

# One-shot reminder
openclaw cron add --name "Follow up" --at "2h" --session main --system-event "Call the client"

Enterprise Architecture

Single-Agent (Solo/Small Team)

Internet → Reverse Proxy (HTTPS) → Gateway (18789) → LLM API
                                    Docker Sandbox

Multi-Agent (Department-Level)

                     ┌─────────────────┐
                     │  Reverse Proxy   │
                     │  (Caddy/HTTPS)   │
                     └────────┬────────┘
              ┌───────────────┼───────────────┐
              │               │               │
    ┌─────────▼──────┐ ┌─────▼──────┐ ┌──────▼─────────┐
    │ Agent: Sales   │ │ Agent: Ops │ │ Agent: Support │
    │ Profile: sales │ │ Profile:ops│ │ Profile:support│
    │ Port: 18790    │ │ Port:18791 │ │ Port: 18792    │
    │ WhatsApp Biz   │ │ Slack      │ │ Telegram       │
    │ Claude Sonnet  │ │ Claude Opus│ │ GPT-4o         │
    └────────────────┘ └────────────┘ └────────────────┘

Orchestrator Pattern (Company-Level)

Orchestrator Agent (strategic decisions, routing)
    ├── Sales Agent → WhatsApp Business
    ├── Ops Agent → Slack + GitHub
    ├── Support Agent → Telegram + Email
    ├── Coding Agent → Claude Code / Codex CLI
    └── Analytics Agent → Internal dashboards

Security Hardening

Mandatory Steps (Do These First)

1. Update to Latest Version 

npm update -g openclaw  # Latest: v2026.2.12

2. Network Isolation - Bind OpenClaw to localhost only - Use reverse proxy (Caddy/nginx) for HTTPS - Use Tailscale for secure remote access - Block port 18789 from public internet - Firewall rules to restrict outbound connections

3. Authentication - Rotate ALL tokens and credentials if you ran a vulnerable version - Enable gateway token authentication - Use node pairing (approval + token) - Never browse untrusted pages while logged into Control UI - Use isolated browser profiles

4. Docker Isolation - Run in Docker containers with strict limits - Memory: 512MB, CPU: 1 core, Process: 100 - Use Docker secrets instead of environment variables - Separate containers per agent

5. Skill Vetting - Review source code before installing ANY skill - Check VirusTotal reports on ClawHub - Roll out new skills in small batches - Monitor logs after skill installation

6. Monitoring 

# Health check
curl http://localhost:18789/health

# View logs
docker logs openclaw-gateway

# Security audit
openclaw security audit --deep --fix

Enterprise Security Tools

Tool Purpose
ClawGuard Security middleware: permission manifests, sandboxing, audit logging
Clawctl Managed hosting with RBAC (admin/operator/auditor), SIEM integration
NanoClaw Security-hardened fork (~500 lines, fully auditable in 8 minutes)

Security History (Know the Risks)

CVEs: - CVE-2026-25253 (CVSS 8.8): Visit malicious webpage → WebSocket hijacking → auth token stolen → sandbox disabled → full RCE. Patched v2026.1.20. - CVE-2026-25593: Remote code execution. Patched v2026.1.20. - v2026.2.14: Shipped 50+ security fixes.

Supply Chain: - 341 malicious skills on ClawHub (Atomic Stealer payloads). Skill scanner added v2026.2.6. - 15% of 18,000 community-scanned skills contain malicious instructions (r/MachineLearning).

Exposure: - 135,000+ exposed instances: Credentials accessible on public internet. - $750/mo runaway API costs from compromised instances reported.

Structural Risks (Not Patchable): - Palo Alto Networks: "Lethal trifecta" -- access to private data + exposure to untrusted content + external communications. - Prompt injection: Emails, web pages, documents can contain hidden instructions that agents follow. Kaspersky demonstrated email → private key theft. - Memory amplification: Injected prompts persist in agent memory, affecting all future conversations. - eSecurity Planet: "Risk stems from agent design rather than a patchable vulnerability."

Security researchers reporting: ZDNET, Cisco, CrowdStrike, Kaspersky, Trend Micro, Palo Alto Networks, Jamf Threat Labs, The Hacker News.

Bottom line: OpenClaw is safe to deploy IF you follow hardening steps. Run in Docker, bind to localhost, no community skills, enable sandbox+pairing mode, keep updated. See Troubleshooting > Security Issues for full mitigation guide.

Team Management

Current State (Feb 2026)

OpenClaw does not have built-in RBAC, SSO, or enterprise team management. This is a known gap (GitHub #8081).

What Exists Natively

  • Multi-agent profiles (separate instances per team member/function)
  • Per-agent auth configuration
  • Per-agent session store (isolated conversations)
  • Channel routing (different channels to different agents)
  • Workspace isolation (separate directories per profile)

RBAC Workaround

Implement manually or via Clawctl:

Role Permissions
Admin Global config, user management, view all logs
Developer Use OpenClaw, view personal logs
Auditor Read-only access to all logs (compliance)

Managed Options for Teams

Service Features Target
Clawctl RBAC, SIEM integration, SOC2 Type I (Oct 2026 target) Enterprise
SetupClaw White-glove deployment for founders & execs Startups
DigitalOcean One-click deploy, security-hardened Small teams

Company Use Cases

Email Triage & Automation

  • Before: 2+ hours daily sorting 50-100 emails
  • After: OpenClaw scans inbox every 30 minutes, categorizes by urgency, drafts responses, sends Slack summary
  • Result: 78% time reduction

Client Onboarding

  • Before: 3-4 hours of admin per new client
  • After: One message triggers: folder creation, emails, CRM updates, calendar invites, access provisioning
  • Result: Under 15 minutes

Developer Workflows

  • GitHub integration with cron jobs and webhooks
  • Autonomous test running via Sentry webhook → error capture → auto-resolution → PR creation
  • Code review automation

Customer Support (First-Line)

  • Handles routine queries via WhatsApp/Telegram
  • Escalates complex issues to humans
  • 24/7 availability

Daily Operations

  • Morning briefings (weather, calendar, top emails)
  • Report generation and distribution
  • CRM data management
  • Meeting scheduling and follow-ups

Maintenance Schedule

Task Frequency Time
Update OpenClaw version Weekly/bi-weekly 5 min
Rotate API keys/tokens Monthly 10 min
Review and update skills Monthly 15 min
Check gateway logs Weekly 10 min
Review cron job health Weekly 5 min
Patch Node.js runtime Monthly 10 min
Docker image updates Monthly 5 min
Skill allowlist review As needed 10 min

Total monthly estimate: ~60 minutes. Annual: 12-15 hours.

Update Commands

# npm
npm update -g openclaw

# Docker (community image)
docker pull alpine/openclaw:latest && docker compose up -d

# Health check
curl http://localhost:18789/health

# List cron jobs
openclaw cron list

Managed Services

Service Price What You Get
Clawctl Paid (varies) RBAC, SIEM webhooks, managed hosting, SOC2 targeting
SetupClaw Paid White-glove setup for non-technical founders
DigitalOcean From ~$12/mo (droplet) One-click deploy, declarative multi-agent definitions
ClawHosted Paid Managed OpenClaw on dedicated Mac Mini M4 hardware

Enterprise Readiness Assessment

What OpenClaw HAS

  • Open-source (MIT license, full commercial use)
  • Self-hosted (complete data sovereignty)
  • Multi-channel (13+ messaging platforms)
  • Automation (cron, webhooks, heartbeats)
  • Multi-agent routing
  • Token usage monitoring
  • Docker sandboxing
  • Active development (8,664+ commits)

What OpenClaw LACKS (Out of the Box)

  • RBAC / SSO
  • Native audit logging
  • SLA guarantees
  • Compliance certifications (SOC2, HIPAA, ISO)
  • Human-in-the-loop approval gates
  • Enterprise support contracts

vs Enterprise Alternatives

Feature OpenClaw Microsoft Copilot NanoClaw
Open Source Yes No Yes
Self-Hosted Yes No Yes
RBAC No Yes No
SSO No Yes (Azure AD) No
Multi-Channel 12+ platforms Teams only WhatsApp
Auditability Low (430K+ lines) N/A High (~500 lines)
Cost Free + API tokens $30/user/month Free + API tokens

Risk Register

Risk Severity Mitigation
Security surface area (430K+ lines) High Use Docker isolation, ClawGuard, NanoClaw for critical paths
Shadow AI (employees deploying without IT) High Establish AI Agent Policy before any deployment
Supply chain attacks (malicious skills) High Vet all skills, use scanner, restrict ClawHub
No native RBAC Medium Use Clawctl or implement custom RBAC
Single maintainer risk Medium Growing community, but monitor
Token cost runaway Medium Monitor dashboard, set budget alerts, limit cron frequency
API key exposure High Docker secrets, credential rotation, never expose ports publicly

Compliance Considerations

GDPR (EU General Data Protection Regulation)

Requirement How It Applies to AI Agents Implementation
Data minimization Don't store more conversation data than needed Configure session retention limits
Right to deletion Users can request all data deleted openclaw session delete --user <id>
Consent Users must know they're interacting with AI Bot disclosure in channel descriptions
Data processing agreement Required if using cloud LLM APIs Sign DPAs with Anthropic, OpenAI, etc.
Data residency Data may not leave EU Use EU API endpoints or local models
Purpose limitation Only use data for stated purpose Restrict agent skills and data access

Key risk: Every message sent to a cloud LLM API leaves your infrastructure. For GDPR-sensitive data, use local models (Ollama, vLLM) or providers with EU data centers.

HIPAA (Healthcare)

Requirement Implementation
BAA required Sign Business Associate Agreement with LLM provider
PHI protection Never send Protected Health Information to non-BAA providers
Audit logging Enable full request/response logging
Access controls Implement RBAC (via Clawctl or custom)
Encryption HTTPS in transit, encrypted at rest

Current state: Anthropic and OpenAI offer BAAs for enterprise accounts. Most open-source LLM providers do not. Self-hosting with local models is the safest HIPAA path.

SOC 2

Control How to Meet It
Access control Gateway token auth + Tailscale VPN
Encryption HTTPS via Caddy/nginx, encrypted Docker volumes
Monitoring AgentOps + Crabwalk + gateway logs
Incident response openclaw-shield for secret detection + alerts
Change management Git-based config, PR reviews for skill changes

Timeline: Clawctl targeting SOC 2 Type I by October 2026.

EU AI Act (Effective Aug 2025)

Risk Level What It Means AI Agent Impact
Minimal No obligations Basic chatbots, content generation
Limited Transparency required Must disclose AI interaction to users
High Compliance framework required HR, legal, healthcare, financial agents
Unacceptable Banned Social scoring, real-time biometric surveillance

Most OpenClaw deployments are "Limited risk" -- requiring only transparency (tell users they're talking to AI). Enterprise deployments in HR, healthcare, or finance may be "High risk" and need conformity assessments.

Compliance Checklist

  • [ ] Data processing agreements signed with all LLM providers
  • [ ] Session retention policy configured (auto-delete after X days)
  • [ ] AI disclosure in all user-facing channels
  • [ ] RBAC implemented (even if manual via profiles)
  • [ ] Audit logging enabled
  • [ ] HTTPS enforced for all external access
  • [ ] API keys stored as Docker secrets (not env vars)
  • [ ] Regular security audits (openclaw security audit --deep)
  • [ ] Incident response plan documented
  • [ ] Staff trained on AI agent data handling

Enterprise Adoption Signals (Feb 2026)

YC-Backed Startups

"YC backing startups that turn OpenClaw into enterprise AI employees is a massive signal. OpenClaw isn't just a dev tool anymore — it's becoming infrastructure for entire business operations. Support, engineering, sales running 24/7." -- @Pritesh

Enterprise Governance Gap

"OpenClaw for the enterprise has just begun to arrive. It emerged out of sheer necessity. Once workers try to use agents to run workflows, touch credentials, access systems of record + act for the business, then security, governance suddenly becomes basic survival." -- @dhinchcliffe

The Next Race

"The next milestone race: whoever provides the agent cloud with shared workspace memory, skills, and team access (ie. openclaw enterprise). There is also a proactive element that will continue to grow on seeking out how a business ticks and mapping it." -- @bsheldonx

Enterprise Self-Build Pattern

@haldas demonstrates the current enterprise pattern: 1. 4 Claude Code workers specialized by system/function 2. 1 Enterprise manager Claude orchestrating all workers 3. Cross-system communication between Claudes for integrated operations 4. SaaS elimination: $35K/yr in recurring fees replaced by AI-written custom tools 5. Key benefit: "I will be able to customize operations 100% how I want, very quickly"

Enterprise Security Requirements (from @PrzemyslawKlys)

"My goal is for it to be more 'secure' by design and more guardrailed than OpenClaw, but allowing flexibility to build your own tools, with strict 'write' paths. You still have to 'approve' usage of ChatGPT Business, Enterprise or maybe GitHub Copilot subscription to be having access to this data."

┌─────────────────────────────────────────────┐
│              ENTERPRISE GATEWAY              │
│  Tailscale VPN + Cloudflare Tunnel + HTTPS  │
├─────────────────────────────────────────────┤
│  Agent Profiles (per function):              │
│  ├── Sales Agent (port 18790)               │
│  ├── Ops Agent (port 18791)                 │
│  ├── Support Agent (port 18792)             │
│  └── Research Agent (port 18793)            │
├─────────────────────────────────────────────┤
│  Model Routing (ClawRouter):                 │
│  ├── Complex → Claude Opus 4.6              │
│  ├── Routine → Kimi K2.5 or GLM-5          │
│  └── Heartbeat → Haiku 4.5 or Gemini Flash │
├─────────────────────────────────────────────┤
│  MCP Tools (vetted only):                    │
│  ├── Browser automation (CDP native)         │
│  ├── Git operations                          │
│  └── Custom internal tools                   │
├─────────────────────────────────────────────┤
│  Security:                                   │
│  ├── LiteLLM proxy (credential isolation)    │
│  ├── Docker sandboxing                       │
│  ├── openclaw security audit (post-config)   │
│  └── No public port exposure                 │
└─────────────────────────────────────────────┘