1. Using the wrong API key
Problem: OpenClaw recommends Anthropic Claude (Opus 4.6). Pasting an OpenAI key where an Anthropic key is expected gives cryptic errors. Mixing up API keys and OAuth subscriptions is common.
Fix: Use an Anthropic API key (starts with sk-ant-) from console.anthropic.com, or configure an Anthropic Pro/Max OAuth subscription during openclaw onboard.
2. Exposing the Gateway without authentication
Problem: Running the OpenClaw Gateway on port 18789 bound to 0.0.0.0 without auth. Anyone who finds the port can access your assistant — and through it, your email, calendar, and chat channels.
Fix: Keep gateway.bind on loopback. Use Tailscale Serve (tailnet-only) or Funnel (public, password-required) for remote access. Set gateway.auth.mode to 'password' for any public exposure.
3. Leaving DM policy on 'open'
Problem: Setting dmPolicy to 'open' on WhatsApp/Telegram/Discord means anyone can message your bot and it will process their requests. This is a security risk, especially if the bot has access to your email and calendar.
Fix: Keep the default dmPolicy='pairing' which requires a pairing code for unknown senders. Only add trusted contacts to allowFrom lists. Run openclaw doctor to check for risky DM policies.
4. Wrong OAuth scopes for Gmail
Problem: Gmail integration requires specific OAuth scopes. Using the wrong scopes means OpenClaw can read emails but can't send, or can't access calendar events.
Fix: Make sure you include gmail.modify, gmail.send, and calendar.events scopes. Check Google Cloud Console for the exact scope URLs.
5. Telegram webhook URL not publicly reachable
Problem: Setting up a Telegram bot but the webhook URL points to localhost or a private IP. Telegram can't reach your Gateway, so messages never arrive.
Fix: Use Tailscale Funnel for a public HTTPS endpoint, or set up a reverse proxy with a real domain. For development, use ngrok or Cloudflare Tunnel.
6. Not persisting data across Docker restarts
Problem: Running OpenClaw in Docker without mounting ~/.openclaw as a volume. Every restart wipes conversation history, credentials, memory, and skill configurations.
Fix: Mount a Docker volume to /root/.openclaw. Use our Docker templates which handle this automatically.
7. Skipping openclaw doctor after setup
Problem: Assuming everything works after running openclaw onboard. The doctor command catches misconfigurations that the onboarding wizard doesn't surface — like expired tokens, port conflicts, and missing permissions.
Fix: Always run openclaw doctor after setup and after any configuration changes. It surfaces risky DM policies, missing tokens, and other issues.
8. Hardcoding API keys in openclaw.json
Problem: Storing Anthropic keys, channel tokens, and OAuth credentials directly in openclaw.json, then accidentally syncing or sharing the config.
Fix: Use environment variables (ANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN, etc.) which OpenClaw reads automatically. Add ~/.openclaw to .gitignore. Rotate any exposed keys immediately.
9. Not installing the Gateway daemon
Problem: Running openclaw gateway manually in a terminal. When you close the terminal or reboot, the Gateway stops and all channels go offline.
Fix: Run openclaw onboard --install-daemon to install a launchd (macOS) or systemd (Linux) service that keeps the Gateway running in the background.
10. Forgetting to test channels end-to-end
Problem: Setting up 5 channels, assuming they work, and discovering a week later that WhatsApp messages are going to a void because the QR pairing expired.
Fix: Test each channel immediately after setup. Send a test message on every connected platform. Verify the full round trip. Re-pair WhatsApp if the session expires.
The Pattern
Most of these mistakes fall into three categories: security (mistakes 2, 3, 8), integration configuration (mistakes 1, 4, 5, 9), and infrastructure (mistakes 6, 7, 10).
The basic installation is straightforward. It's the integration setup, security hardening, and testing that take the most time and cause the most frustration. This is exactly what our $100 setup service handles.