OpenClaw – Complete Guide, Part 2: Channel Configuration and Security

In the previous article we installed OpenClaw and got the gateway running for the first time. Now comes the interesting part: connecting it to the messaging apps you use every day and protecting the installation from unwanted access.
This is also the most critical part from a security standpoint. Take the time to read it all the way through — skipping the hardening steps is the most common mistake I see people make when approaching OpenClaw for the first time.
What you’ll learn in this article:
- How to connect Telegram (the simplest channel to start with)
- How to connect WhatsApp via QR code
- How to configure the allowlist to limit who can interact with the agent
- How to protect the web dashboard from external access
- The fundamental security measures against prompt injection
Supported Channels Overview
OpenClaw works as a centralized hub for various messaging channels. Here are the available ones:
| Channel | Integration method | Difficulty |
|---|---|---|
| Telegram | Bot API (BotFather) | ⭐ Easy |
| WhatsApp | QR code (Baileys library) | ⭐⭐ Medium |
| Discord | Native server/DM | ⭐⭐ Medium |
| iMessage | AppleScript bridge / BlueBubbles | ⭐⭐⭐ Advanced |
| Slack / Teams | Enterprise apps | ⭐⭐⭐ Advanced |
| Signal / Matrix | Decentralized protocols | ⭐⭐⭐ Advanced |
For this guide we’ll focus on Telegram (the most immediate) and WhatsApp (the most widely used). Once you understand the mechanism, other channels follow the same pattern.
Channel 1: Telegram
Telegram is the simplest choice to start with, especially if you’re working on a VPS. It doesn’t require QR code scanning and the connection is stable.
Step 1: Create the Bot with BotFather
Open Telegram and search for @BotFather. It’s Telegram’s official bot for creating and managing other bots.
Send the command:
/newbot
BotFather will ask you two questions:
- The bot name — what users will see (e.g. “My Assistant”)
- The bot username — must end in "bot" (e.g. my_assistant_bot)
At the end, BotFather will provide a token that looks something like:
1234567890:ABCdefGHIjklMNOpqrsTUVwxyz
Copy it and keep it safe: you’ll need it in the next step.
Step 2: Enter the Token in OpenClaw
You have two options:
Option A — Via the interactive wizard:
```bash
openclaw onboard
```
Follow the instructions to the Telegram section and paste the token when prompted.
Option B — Directly in the configuration file:
Open ~/.openclaw/openclaw.json with an editor and add the section:
```json
{
  "channels": {
    "telegram": {
      "token": "YOUR_TOKEN_HERE"
    }
  }
}
```
Step 3: Restart and Test
```bash
openclaw restart
```
Now open Telegram, search for your bot by username and send a message. If it responds, the connection works.
Channel 2: WhatsApp
WhatsApp uses a different mechanism: there are no “official bots” accessible to everyone, so OpenClaw connects directly to your account via a system similar to WhatsApp Web.
Important: This method uses the Baileys library, which connects to WhatsApp as an unofficial client. While it works, it technically violates WhatsApp’s terms of service. The risk of account ban exists, though in practice it’s rare for personal use. Consider whether the risk is acceptable for your use case.
Step 1: Start the Login Process
From the terminal:
```bash
openclaw channels login
```
The system will generate a QR code directly in the terminal (or in the web dashboard at http://127.0.0.1:18789/).
Step 2: Scan with WhatsApp
On your smartphone:
- Open WhatsApp
- Go to Settings → Linked Devices
- Tap Link a Device
- Scan the QR code shown in the terminal
The connection will be established in a few seconds. From this point on, OpenClaw will respond to messages you receive on WhatsApp — which is why configuring the allowlist (the next step) is absolutely essential.
Configuring the Allowlist: Who Can Talk to the Agent?
This is the most important security step in the entire guide. Without an allowlist, anyone who has your WhatsApp number (or your Telegram bot username) can send commands to the agent.
Open the configuration file:
```bash
nano ~/.openclaw/openclaw.json
```
Restricting access on WhatsApp
Add the allowFrom parameter with authorized phone numbers in international format:
```json
{
  "channels": {
    "whatsapp": {
      "allowFrom": ["+1XXXXXXXXXX", "+1YYYYYYYYYY"]
    }
  }
}
```
Only the numbers in this array will be able to interact with the agent. All other messages will be ignored.
Managing groups
If you add the bot to a group chat, without additional configuration it will respond to every message — which is undesirable and token-costly. Configure it to respond only when explicitly mentioned:
```json
{
  "channels": {
    "whatsapp": {
      "allowFrom": ["+1XXXXXXXXXX"],
      "groups": {
        "*": { "requireMention": true }
      }
    }
  },
  "messages": {
    "groupChat": {
      "mentionPatterns": ["@openclaw"]
    }
  }
}
```
With this configuration, the agent in a group responds only if the message contains @openclaw.
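To make the combined effect of allowFrom, requireMention and mentionPatterns concrete, here is an added illustration (not OpenClaw's own code) of how such settings gate incoming traffic. It assumes the allowlist also applies inside groups (default-deny for unlisted senders), treats mentionPatterns as case-insensitive regular expressions, and uses constructed phone numbers.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Settings mirroring the group configuration in this guide (numbers constructed).
CONFIG = {
    "channels": {
        "whatsapp": {
            "allowFrom": ["+15550000001"],
            "groups": {"*": {"requireMention": True}},
        }
    },
    "messages": {"groupChat": {"mentionPatterns": ["@openclaw"]}},
}


@dataclass
class Message:
    sender: str                    # E.164 number of the author
    text: str
    group_id: Optional[str] = None  # None means a direct (1:1) chat


def is_allowed(msg: Message, config: dict = CONFIG) -> bool:
    """Return True only if the agent should act on this message.

    Assumed semantics (illustration, not OpenClaw's implementation):
    1. the sender must be on allowFrom, in direct chats and in groups alike;
    2. in a group, a per-group entry wins over the "*" wildcard;
    3. with requireMention, the text must match one of mentionPatterns.
    """
    wa = config["channels"]["whatsapp"]
    if msg.sender not in wa.get("allowFrom", []):
        return False                      # default-deny for unknown numbers
    if msg.group_id is None:
        return True                       # direct chat from an allowed sender
    groups = wa.get("groups", {})
    rule = groups.get(msg.group_id, groups.get("*", {}))
    if not rule.get("requireMention", False):
        return True                       # group not gated on mentions
    patterns = config["messages"]["groupChat"]["mentionPatterns"]
    return any(re.search(p, msg.text, re.IGNORECASE) for p in patterns)


# Constructed sample traffic: only the last two are acted upon.
SAMPLE = [
    Message("+15559999999", "hello"),                              # not allowlisted
    Message("+15550000001", "hi all", group_id="family"),          # no mention
    Message("+15559999999", "@openclaw run it", group_id="family"),  # mention, unlisted
    Message("+15550000001", "hello"),                              # direct, allowed
    Message("+15550000001", "@OpenClaw summarise", group_id="family"),
]
```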
After every change to the configuration file, remember to restart:
```bash
openclaw restart
```
Protecting the Web Dashboard
By default, the OpenClaw dashboard is only accessible locally (127.0.0.1). If you’re working on a VPS, you need to avoid exposing it directly to the internet.
Option 1: SSH Tunneling (the simplest)
Every time you want to access the dashboard from your machine, open this SSH tunnel:
```bash
ssh -L 18789:localhost:18789 user@your-server-ip
```
Then in the browser go to http://localhost:18789. The connection is encrypted via SSH and the port is never exposed to the internet.
Option 2: Tailscale (the most convenient for ongoing use)
Tailscale creates a private VPN between your devices. Once installed on both the VPS and your computer/smartphone, you can access the dashboard using Tailscale’s private IP, without ever exposing public ports.
```bash
# Installation on Ubuntu/Debian VPS
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
After connecting the devices, access the dashboard using the server’s Tailscale IP.
Option 3: Cloudflare Tunnel (for browser access from anywhere)
If you want to access the dashboard from any device without managing a VPN, Cloudflare Tunnel is an elegant solution. It requires a domain and a Cloudflare account (free for basic use), but provides automatic authentication and HTTPS.
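Whichever option you choose, it is worth confirming that the gateway port really is bound to loopback only. The following added example (not OpenClaw's code) parses the output of ss -ltn and reports any listener on port 18789 whose local address is not 127.0.0.1 or ::1; the sample ss output is constructed.

```python
import ipaddress
import subprocess
from typing import List

GATEWAY_PORT = 18789  # dashboard port used throughout this guide


def exposed_listeners(ss_output: str, port: int = GATEWAY_PORT) -> List[str]:
    """Return local address:port entries listening on `port` on a non-loopback address.

    `ss_output` is the text of `ss -ltn` (header line may be included).
    Wildcards ("*", 0.0.0.0, ::) count as exposed because they bind every interface.
    """
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                       # skip header and non-listening rows
        local = fields[3]                  # e.g. "127.0.0.1:18789" or "[::1]:18789"
        host, _, p = local.rpartition(":")
        if not p.isdigit() or int(p) != port:
            continue
        host = host.strip("[]")
        if host in ("*", "0.0.0.0", "::"):
            exposed.append(local)
            continue
        try:
            if not ipaddress.ip_address(host).is_loopback:
                exposed.append(local)
        except ValueError:
            exposed.append(local)          # unparseable address: flag it
    return exposed


def live_check(port: int = GATEWAY_PORT) -> List[str]:
    """Run ss on this host and return exposed listeners for `port`."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, port)


# Constructed sample: loopback and IPv6-loopback binds are fine, 0.0.0.0 is not.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*
LISTEN 0      4096   [::1]:18789         [::]:*
"""
```

An empty list from live_check() means the dashboard is reachable only through a tunnel such as the SSH or Tailscale options above.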
Advanced Security: Defending Against Prompt Injection
Prompt injection is the most serious risk for OpenClaw users. An email, a message, or even a web page read by the agent could contain hidden instructions that the AI interprets as legitimate orders.
There’s no definitive technical solution to this problem — it’s still an unsolved problem at the industry level. But there are practical measures that drastically reduce the risk.
Rule 1: Principle of least privilege. Give the agent access only to what it strictly needs for its task. If you use it to manage social media, don’t give it access to email. If you use it to monitor GitHub, don’t connect it to your calendar. The fewer accesses it has, the less damage it can do if compromised.
Rule 2: Never give it access to critical data. Don’t provide the agent with bank account credentials, primary passwords, or confidential legal documents. Treat it like an external collaborator you trust, but to whom you don’t give the keys to your house.
Rule 3: Maintain human control over irreversible actions. Configure the agent so that for some operations — sending emails, publishing posts, making purchases — it always creates a draft that you can approve before execution. Automation is useful; blind automation is dangerous.
Rule 4: Be cautious with third-party skills. The ClawHub ecosystem is open and not all published software is reliable. Before installing a skill, check that it’s popular, maintained, and has positive community reviews. Avoid skills from unknown authors or with few downloads.
Rule 5: Install a monitoring system. In article 3 we’ll see how to configure a watchdog that notifies you on Telegram or WhatsApp in case of anomalous behavior or sudden spikes in token consumption.
Summary and Next Step
At this point you have:
- Telegram and/or WhatsApp connected and working
- The allowlist configured to limit agent access
- The web dashboard protected from unauthorized external access
- A clear understanding of the security risks and how to mitigate them
In the third and final article we’ll cover the most interesting part: how to configure the agent’s “mission” to make it proactive, how to leverage ClawHub skills, and how to set up a multi-model strategy to optimize costs.