Onboarding (macOS App)
Onboarding (macOS App)
Section titled “Onboarding (macOS App)”This doc describes the current first‑run setup flow. The goal is a smooth “day 0” experience: pick where the Gateway runs, connect auth, run the wizard, and let the agent bootstrap itself. For a general overview of onboarding paths, see Onboarding Overview.
Approve macOS warning
Approve find local networks
Welcome and security notice
Security trust model:
- By default, OpenClaw is a personal agent: one trusted operator boundary.
- Shared/multi-user setups require lock-down (split trust boundaries, keep tool access minimal, and follow Security).
- Local onboarding now defaults new configs to
tools.profile: "coding"so fresh local setups keep filesystem/runtime tools without forcing the unrestrictedfullprofile. - If hooks/webhooks or other untrusted content feeds are enabled, use a strong modern model tier and keep strict tool policy/sandboxing.
Local vs Remote
Where does the Gateway run?
- This Mac (Local only): onboarding can configure auth and write credentials locally.
- Remote (over SSH/Tailnet): onboarding does not configure local auth; credentials must exist on the gateway host.
- Configure later: skip setup and leave the app unconfigured.
Permissions
Onboarding requests TCC permissions needed for:
- Automation (AppleScript)
- Notifications
- Accessibility
- Screen Recording
- Microphone
- Speech Recognition
- Camera
- Location
CLI
The app can install the global
openclawCLI via npm/pnpm so terminal workflows and launchd tasks work out of the box.Onboarding Chat (dedicated session)
After setup, the app opens a dedicated onboarding chat session so the agent can introduce itself and guide next steps. This keeps first‑run guidance separate from your normal conversation. See Bootstrapping for what happens on the gateway host during the first agent run.