After 50+ OpenClaw installs, we've learned that the difference between a setup that "works" and a setup that works reliably for your business comes down to 32 specific checkpoints. Most DIY setups cover about 10 of them.
Run through this list. Every unchecked item is a risk or a gap.
Score your setup
🔒 Security (8 points)
- ☐ Auth token set: A strong random token in openclaw.json — not the default or empty
- ☐ Gateway bind address locked: Bound to 127.0.0.1 or your internal interface, not 0.0.0.0
- ☐ Firewall configured: Only necessary ports open — 22 (SSH), 80, 443. OpenClaw port not publicly exposed.
- ☐ Reverse proxy with HTTPS: nginx or Caddy in front with a valid Let's Encrypt certificate
- ☐ API spend limits set: Hard caps on Anthropic and OpenAI dashboards before any real usage
- ☐ SSH key auth only: Password authentication disabled on the server — key pairs only
- ☐ Secrets never in chat or email: API keys entered directly into config files or environment, never pasted in chat
- ☐ CVE monitoring: Subscribed to OpenClaw GitHub releases so you're notified of security patches immediately
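A read-only check for three of the items above (bind address, open ports, SSH key auth), as an added example that is not part of the original checklist or of OpenClaw. The sample `ss -tlnH` output, the sample sshd_config and port 9999 (a placeholder for your gateway's port) are constructed.

```python
ALLOWED_PUBLIC_PORTS = {22, 80, 443}   # the ports the checklist permits
WILDCARDS = {"0.0.0.0", "*", "[::]"}   # addresses that mean "every interface"

def public_listeners(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """Ports listening on all interfaces that the checklist does not allow.

    Expects the text of `ss -tlnH` (TCP, listening, numeric, no header).
    """
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles [::]:22 too
        if addr in WILDCARDS and port.isdigit() and int(port) not in allowed:
            exposed.add(int(port))
    return sorted(exposed)

def ssh_password_login_enabled(sshd_config):
    """True unless the first PasswordAuthentication value is 'no'.

    sshd uses the first value it reads for a keyword and defaults to 'yes'.
    Match blocks and Include files are not evaluated here; `sshd -T` prints
    the effective configuration and can be fed in instead.
    """
    for line in sshd_config.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() != "no"
    return True

# Constructed sample: 9999 stands in for a gateway bound to 0.0.0.0.
SS_SAMPLE = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:9999 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*"""

# Constructed sample: the later "no" is ignored because the first value wins.
SSHD_SAMPLE = """PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no"""

if __name__ == "__main__":
    print("unexpected public listeners:", public_listeners(SS_SAMPLE))
    print("ssh password login enabled:", ssh_password_login_enabled(SSHD_SAMPLE))
```

A port listed here is bound to every interface; whether it is reachable from the internet still depends on the firewall item.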
🧠 Identity & Configuration (7 points)
- ☐ SOUL.md written for your business: Covers agent identity, tone, boundaries, and your specific workflow preferences
- ☐ AGENTS.md configured: Org structure, roles, delegation rules — not the default template
- ☐ USER.md populated: Your name, timezone, communication preferences, business context
- ☐ HEARTBEAT.md customized: Defines what the agent should do during idle cycles — not left at default
- ☐ Memory structure established: Workspace organized — memory/, projects/, templates/ directories with initial content
- ☐ Model configured appropriately: Right model for your use case — Opus for reasoning, Sonnet for speed, local for cost
- ☐ Workspace committed to git: Version control on your workspace so you can roll back config changes
📡 Channels (5 points)
- ☐ Primary channel tested end-to-end: Not just installed — a real message sent and received on your phone or desktop
- ☐ Webhook URLs registered: Each channel's webhook properly registered with the provider (Telegram, Discord, etc.)
- ☐ Channel plugins verified after updates: Plugins re-tested after every major OpenClaw update — they break silently
- ☐ Fallback channel configured: At least one backup channel if your primary goes down
- ☐ Notification schedule configured: Heartbeat schedule matches your actual working hours — no 3 AM pings
⚙️ Infrastructure (6 points)
- ☐ systemd unit installed: OpenClaw restarts automatically after server reboots or crashes
- ☐ Log rotation configured: Logs don't grow to fill your disk over time
- ☐ Disk space monitored: Alert at 80% — OpenClaw workspaces can grow quickly with memory files
- ☐ Update process documented: Written procedure for how to safely update — backup, changelog review, test
- ☐ Node version pinned: Specific Node.js version locked to avoid breaking changes from runtime updates
- ☐ Uptime monitoring: External ping (UptimeRobot free tier works) so you know when it's down before your users do
💾 Backup & Recovery (6 points)
- ☐ Workspace backed up: Automated backup of ~/.openclaw/workspace — this is your agent's brain
- ☐ Config backed up separately: openclaw.json and all plugin configs backed up and version controlled
- ☐ Backup tested: You've actually restored from backup at least once — untested backups aren't backups
- ☐ Pre-update snapshot habit: Manual backup before every OpenClaw update as a non-negotiable step
- ☐ Recovery time documented: You know how long it takes to get back up from a full failure — and it's acceptable
- ☐ API keys stored securely: Keys in a password manager, not in Notion, Google Docs, or your email drafts
ClawReady covers all 32 checkpoints on every install. If you scored below 20, you have real gaps worth fixing — either DIY with this list or book a call and we'll close them for you.
What to Do With Your Score
29–32: You're in good shape. Re-run this checklist after every major OpenClaw update — the infrastructure items especially can drift.
21–28: Pick the unchecked items in Security and Backup first — those have the highest consequence if they fail. The rest you can work through systematically.
11–20: Your setup works but it's fragile. You are one bad update, one server reboot, or one rogue API call away from a problem. Prioritize systemd, API limits, and workspace backup this week.
0–10: You have "something running" — not a production setup. Please at minimum set an API spend cap and an auth token today before anything else.