Quick Start Guide
One-command installation - OpenClaw with ArmorClaw security in under 5 minutes
Quick Start Guide
Get OpenClaw with ArmorClaw security plugin running in under 5 minutes with our automated installer.
One Command Installation
The ArmorClaw installer handles everything: cloning OpenClaw, applying security patches, building, installing the plugin, configuring your LLM and Telegram bot, and writing production-ready config — all in one interactive flow.
Prerequisites
- Supported OS: macOS, Linux, or Windows (use Git Bash or WSL on Windows)
- Node.js v22+ and pnpm (installer will check and guide you)
- Git (installer will check)
- An LLM API key — OpenAI (
sk-...), Google Gemini, OpenRouter (sk-or-...), or Anthropic - ArmorIQ API key from platform.armoriq.ai
- Optional: Telegram bot token for chat interface
Setup Steps
Install with One Command
Run the ArmorClaw installer:
curl -fsSL https://armoriq.ai/install-armorclaw.sh | bashcurl -fsSL https://armoriq.ai/install-armorclaw.sh | bashRun from Git Bash (or WSL), not plain CMD/PowerShell.
The installer runs 7 stages with interactive prompts:
╔════════════════════════════════════════════════════════════╗
║ ║
║ ▄▀█ █▀█ █▀▄▀█ █▀█ █▀█ █▀▀ █ ▄▀█ █ █ █ ║
║ █▀█ █▀▄ █ ▀ █ █▄█ █▀▄ █▄▄ █▄▄ █▀█ ▀▄▀▄▀ ║
║ ║
║ AI agents are moving fast. Security isn't. ║
║ ║
║ The control layer for the agent era. ║
║ Track intent. Catch drift. Stop risk. ║
║ ║
║ armoriq.ai ║
║ ║
╚════════════════════════════════════════════════════════════╝
[1/7] Preparing environment
✓ Git 2.53.0
✓ pnpm 10.28.2
✓ Python3 3.14.2
[2/7] Cloning OpenClaw v2026.2.19
✓ Cloned OpenClaw v2026.2.19
[3/7] Applying ArmorClaw patches
[████████████████████] 100% 8 patches applied
✓ Patches applied
[4/7] Building OpenClaw
✓ Dependencies installed
✓ Build complete
[5/7] Setting up ArmorClaw
✓ ArmorClaw plugin installed from npm
[6/7] Configuring channels and agent
→ Telegram bot setup (token, DM policy, stream mode)
→ LLM provider selection and API key
→ ArmorIQ API key
[7/7] Writing configuration
✓ openclaw.json configured
✓ .env written with ArmorIQ endpointsWhat the installer sets up automatically:
- Clones the latest stable OpenClaw release
- Applies 8 ArmorClaw security patches (sender context, tool hooks, abort ordering)
- Installs and enables the
@armoriq/armorclawnpm plugin - Writes
~/.openclaw/openclaw.jsonand your LLM API keys to~/.openclaw/auth-profiles.json - Writes
~/openclaw-armoriq/.envwith ArmorIQ production endpoints
If OpenClaw is already installed, the installer checks the existing version. If there's a version mismatch it will prompt you to re-clone (overwrite) or keep your current installation.
Installation complete! OpenClaw is installed at ~/openclaw-armoriq with ArmorClaw fully configured.
Interactive Prompts During Install
The installer walks you through three interactive setup sections during Stage 6.
Telegram Bot (optional)
❯ Set up Telegram bot?
> Yes, I have a bot token
No, skip for nowIf you choose yes, you'll be asked:
- Bot token — paste the token from @BotFather
- DM policy — who can message the bot:
open— anyone can DM (recommended for personal use)pairing— new users must enter a pairing codeallowlist— only explicitly allowed user IDs
- Stream mode — how replies appear in DMs:
partial— stream partial text as it generates (recommended)block— send chunked complete messagesoff— disable streaming
To get a Telegram bot token:
- Open Telegram and message @BotFather
- Send
/newbotand follow the prompts - Copy the token (format:
1234567890:ABCdef...)
LLM Provider
❯ Select primary LLM provider
> OpenAI GPT (gpt-5.2)
Google Gemini (gemini-2.5-flash)
OpenRouter (any model)
Custom model ID| Provider | Key format | Where to get it |
|---|---|---|
| OpenAI | sk-... | platform.openai.com/api-keys |
| Google Gemini | AIza... | aistudio.google.com/apikey |
| OpenRouter | sk-or-... | openrouter.ai/keys |
| Custom | any model ID | e.g. anthropic/claude-4 via OpenRouter |
The installer saves your key directly into ~/.openclaw/auth-profiles.json — no manual .env edits needed for the LLM key.
ArmorIQ API Key
❯ Do you have an API key?
> Yes, enter it now
No, I'll set it up laterGet your key from platform.armoriq.ai → API Dashboard → API Keys.
All prompts can be skipped. You can always add keys later by editing ~/.openclaw/openclaw.json or ~/openclaw-armoriq/.env.
Verify Configuration (Manual / Review)
The installer writes everything for you. To review or adjust your config:
cat ~/.openclaw/openclaw.jsonA complete auto-generated config looks like this:
{
"auth": {
"profiles": {
"openai:default": {
"provider": "openai",
"mode": "api_key"
}
},
"order": {
"openai": ["openai:default"]
}
},
"agents": {
"defaults": {
"model": {
"primary": "openai/gpt-5.2"
}
}
},
"channels": {
"telegram": {
"enabled": true,
"botToken": "YOUR_BOT_TOKEN",
"dmPolicy": "open",
"allowFrom": ["*"],
"groupPolicy": "allowlist",
"streamMode": "partial"
}
},
"gateway": {
"mode": "local"
},
"plugins": {
"enabled": true,
"allow": ["armorclaw", "telegram"],
"entries": {
"telegram": { "enabled": true },
"armorclaw": {
"enabled": true,
"config": {
"enabled": true,
"policyUpdateEnabled": true,
"policyUpdateAllowList": ["*"],
"userId": "default-user",
"agentId": "openclaw-agent-001",
"contextId": "default",
"policyStorePath": "~/.openclaw/armoriq.policy.json",
"iapEndpoint": "https://customer-iap.armoriq.ai",
"proxyEndpoint": "https://customer-proxy.armoriq.ai",
"backendEndpoint": "https://customer-api.armoriq.ai",
"apiKey": "ak_live_YOUR_KEY"
}
}
}
},
"messages": {
"ackReactionScope": "group-mentions"
}
}Common values to customise:
agents.defaults.model.primary— change provider/model (e.g.google/gemini-2.5-flash,openrouter/auto)armorclaw.config.userId— your user identifierarmorclaw.config.agentId— unique agent namearmorclaw.config.policyUpdateAllowList— IDs authorised to manage policies via chat
Important: Include "agent:main:main" and "main" in policyUpdateAllowList as fallback identities for when Telegram does not pass sender info.
LLM API keys are stored separately in ~/.openclaw/auth-profiles.json (written by the installer). Do not put them in openclaw.json.
Start OpenClaw Gateway
That's it! Start the gateway:
cd ~/openclaw-armoriq
pnpm dev gatewayExpected output:
[plugins] IAP Verification Service initialized - Base URL: https://customer-api.armoriq.ai
[plugins] CSRG Verification URL: https://customer-iap.armoriq.ai
[plugins] CSRG proof headers are REQUIRED for tool execution
🦞 OpenClaw 2026.2.19
[gateway] agent model: openai/gpt-5.2
[gateway] listening on ws://127.0.0.1:18789
[telegram] starting provider (@your_bot)Gateway is running!
- ArmorClaw plugin loaded
- Production endpoints configured
- Intent verification active
- Telegram connected (if configured)
Leave this terminal open.
What to look for:
- "IAP Verification Service initialized" with production URL
- "CSRG Verification URL" with production endpoint
- NO "Missing model context" errors
- Telegram provider starts (if bot token configured)
Test Your Bot
Open your messaging app and message your bot. Try these commands:
Using Slack, Discord, or WhatsApp? Message your bot on that platform with the same commands below.
Test 1: Basic command
Policy helpExpected: List of policy management commands.
Test 2: List policies
Policy listExpected: "No policies defined" (fresh setup).
Test 3: Create a policy
Policy new: block exec commandsExpected: Policy created with ID and priority.
Test 4: Regular task
What is the weather in San Francisco?Bot should search the web and respond.
Check logs (in another terminal):
tail -f /tmp/openclaw/openclaw-*.log | grep -i armorclawYou should see:
[plugins] armorclaw: [agent_start] sessionKey=agent:main:main
Intent token issued: id=..., expires=60.0s
[plugins] armorclaw: [tool_call] tool=web_search allowed=trueVerification
Your setup is complete when:
- Gateway shows "listening on ws://127.0.0.1:18789"
- Your bot responds to messages
- Logs show "Intent token issued"
- Policy commands work without "denied" errors
- Dashboard at platform.armoriq.ai shows executions
Directory Structure
After installation, your setup looks like this:
~/openclaw-armoriq/ # OpenClaw installation
├── dist/ # Built gateway
├── src/ # Patched source files
├── .env # ArmorIQ endpoints
└── package.json
~/.openclaw/ # OpenClaw config directory
├── openclaw.json # Main config (model, channels, plugin)
├── auth-profiles.json # LLM API keys (written by installer)
├── armoriq.policy.json # Policy store
└── extensions/
└── armorclaw/ # Installed ArmorClaw pluginKey files:
~/openclaw-armoriq/.env— ArmorIQ endpoint environment variables~/.openclaw/openclaw.json— OpenClaw main configuration~/.openclaw/auth-profiles.json— Encrypted LLM API keys (do not edit manually)~/.openclaw/armoriq.policy.json— Active security policies
Non-Interactive / CI Usage
Pass everything via flags to skip all prompts:
curl -fsSL https://armoriq.ai/install-armorclaw.sh | bash -s -- \
--api-key ak_live_YOUR_KEY \
--openai-key sk-YOUR_OPENAI_KEY \
--model openai/gpt-5.2 \
--telegram-token YOUR_BOT_TOKEN \
--telegram-dm-policy open \
--telegram-stream partialAvailable flags:
| Flag | Description |
|---|---|
--api-key | ArmorIQ API key |
--openai-key | OpenAI API key |
--gemini-key | Google Gemini API key |
--openrouter-key | OpenRouter API key |
--anthropic-key | Anthropic API key |
--model | Model ID (e.g. google/gemini-2.5-flash, openrouter/auto) |
--telegram-token | Telegram bot token |
--telegram-dm-policy | open / pairing / allowlist |
--telegram-stream | partial / block / off |
--install-dir | Override install directory (default: ~/openclaw-armoriq) |
--no-prompt | Disable all interactive prompts (CI mode) |
--skip-build | Skip the build step (faster re-installs) |
--dry-run | Show plan without installing |
Troubleshooting
Gateway won't start
Check Node.js version:
node --version # Should be v22+Check dependencies installed:
cd ~/openclaw-armoriq
pnpm installCheck build completed:
ls ~/openclaw-armoriq/dist/entry.js # Should exist"openclaw: command not found"
Use the full path:
cd ~/openclaw-armoriq
pnpm dev gatewayPlugin not loading
Verify plugin installed:
ls ~/.openclaw/extensions/armorclaw/ # Should have filesCheck OpenClaw config:
cat ~/.openclaw/openclaw.json | grep -A3 armorclaw"policy_update denied"
Cause: Your user ID not in allowList.
Fix: Add "agent:main:main" and "main" to policyUpdateAllowList in config.
"IAP_BACKEND_URL not set"
Cause: Environment variables not loaded.
Fix: Ensure the .env file exists in your OpenClaw directory:
cat ~/openclaw-armoriq/.envIf the file is missing, re-run the installer or manually create it:
echo "ARMORIQ_API_KEY=ak_live_YOUR_KEY" >> ~/openclaw-armoriq/.env
echo "IAP_BACKEND_URL=https://customer-api.armoriq.ai" >> ~/openclaw-armoriq/.envBot not responding
For Telegram:
curl https://api.telegram.org/bot<YOUR_TOKEN>/getMeShould return bot info. If error, regenerate token with @BotFather.
For other platforms: Check your bot credentials and refer to platform-specific setup guides:
Check gateway logs:
grep -i "telegram\|slack\|discord\|whatsapp" /tmp/openclaw/openclaw-*.log | tail -20Next Steps
- Monitor Dashboard: platform.armoriq.ai - view intent executions and proofs
- Add Policies: Create allow/block rules via chat
- Configure Channels: Set up Telegram, Slack, Discord, or WhatsApp
- Learn More: Understand Core Concepts and explore Configuration