Claude Code Agent with OpenClaw: Setup, Security, and Production Deployment (2026)
Claude Code became one of the fastest-growing developer tools in 2025. Anthropic's agentic CLI lets you write code, run shell commands, and manage files from the terminal. Developers adopted it fast.
But Claude Code runs on your laptop. It stops when you close the terminal. It only works for one person at a time. And it has no security controls beyond your OS permissions.
What happens when you need a Claude-powered agent that runs 24/7? One that works across WhatsApp, Telegram, Discord, and Slack? One with audit trails, approval workflows, and a kill switch?
That is what OpenClaw does. And Claude is one of the best models to power it.
What Is a Claude Code Agent?
Claude Code is Anthropic's official CLI coding agent. You install it with npm. You run it in your terminal. It reads your project files, understands context, and takes action.
npm install -g @anthropic-ai/claude-code
cd my-project
claude
From there, you type natural language. "Refactor the auth module." "Write tests for the payment endpoint." "Find the memory leak." Claude Code reads files, edits code, runs shell commands, and commits to git.
It is good at what it does. Anthropic's Claude models lead on code generation benchmarks. The agentic workflow feels natural. Terminal-first developers love it.
Where Claude Code Stops
Claude Code is a single-user, single-session tool. It runs on your machine with your permissions. When you close the terminal, the agent stops. There is no way to schedule tasks, connect messaging channels, or enforce security policies.
For coding assistance at your desk, that is fine. For production agent workflows, you need something more.
OpenClaw: The Agent Runtime for Claude
OpenClaw is an open-source AI agent that runs on your machine or server. It connects to any LLM provider. It works across WhatsApp, Telegram, Discord, and Slack. It can execute shell commands, read and write files, call APIs, and browse the web.
Think of it as the runtime layer that turns a language model into a persistent, multi-channel agent.
When you connect Claude to OpenClaw, you get:
- Always-on operation. The agent runs as a background service. No terminal session required.
- Multi-channel access. Talk to your Claude agent from WhatsApp, Telegram, Discord, or Slack.
- Tool execution. Shell commands, HTTP requests, file operations, and custom tools.
- Persistent memory. The agent remembers context across conversations.
- Skills system. Pre-built capabilities you can add without writing code.
Claude provides the intelligence. OpenClaw provides the runtime.
Setup Guide: Connect Claude to OpenClaw
Here is how to configure OpenClaw with Anthropic's Claude as the LLM backend.
Step 1: Get Your Anthropic API Key
Go to console.anthropic.com. Create an account. Generate an API key. It starts with sk-ant-.
Step 2: Configure the LLM Provider
In your OpenClaw configuration, set Claude as the language model:
# openclaw.yaml
llm:
name: claude-agent
type: anthropic
model: claude-sonnet-4-20250514
credentials:
anthropic:
api_key: "${ANTHROPIC_API_KEY}"
For complex reasoning tasks, swap in Claude Opus:
llm:
name: claude-agent
type: anthropic
model: claude-opus-4-20250514
Step 3: Set Environment Variables
Store your API key as an environment variable. Never commit keys to version control.
export ANTHROPIC_API_KEY="sk-ant-your-key-here"
Step 4: Define Tools
Give your agent capabilities through tools:
tools:
- name: run_shell
type: shell
sandbox: true
permissions: [read_write]
- name: git_commit
type: shell
command: "git add -A && git commit -m"
approval_required: true
- name: run_tests
type: shell
command: "npm test"
sandbox: true
- name: browse_web
type: http
allowed_domains:
- github.com
- docs.anthropic.com
Step 5: Connect a Channel
Add a messaging channel so your team can talk to the agent:
channels:
- type: discord
bot_token: "${DISCORD_BOT_TOKEN}"
- type: slack
bot_token: "${SLACK_BOT_TOKEN}"
- type: telegram
bot_token: "${TELEGRAM_BOT_TOKEN}"
Start the agent:
openclaw start
Your Claude-powered agent is now running. It listens on all configured channels. It persists across sessions. It uses Claude's intelligence for every interaction.
What You Can Build
Claude through OpenClaw is not limited to code editing. Here are real use cases teams run today.
Code Review Agent on Discord
Connect OpenClaw to your team's Discord server. When someone pastes a pull request link, the agent reviews the diff. It uses Claude's code understanding to flag bugs, suggest improvements, and check for security issues.
skills:
- name: code_review
trigger: "review PR"
tools: [run_shell, browse_web]
instructions: |
Fetch the PR diff. Review for bugs, security issues,
and style violations. Post findings in the channel.
Deployment Assistant on Slack
Your agent watches a Slack channel. When someone types "deploy staging," the agent runs your deployment scripts, monitors the health check, and reports back the result. All with approval required before executing.
Customer Support Agent on WhatsApp
Connect Claude to WhatsApp through OpenClaw. The agent handles customer questions using your knowledge base. It escalates to humans when confidence is low. Every interaction is logged for compliance.
Infrastructure Monitor on Telegram
The agent runs periodic health checks. When a service goes down, it sends an alert to your Telegram group. It can also attempt automated remediation steps before paging a human.
Each of these agents uses Claude's reasoning. OpenClaw provides the runtime, channels, and tools.
The Production Problem
Running an OpenClaw agent on your laptop works for testing. Running one in production is a different problem.
The Shodan Scan
In January 2026, a Shodan scan found 42,665 exposed OpenClaw instances on the public internet. Of those, 93.4% had authentication bypasses. That means anyone on the internet could send commands to those agents.
These were not test instances. Many had active API keys, database credentials, and access to internal systems. The agents had shell execution enabled. They could read and write files. Some had access to production databases.
Bruce Schneier wrote: "Security is a process, not a product." That applies directly here. The model being good does not make the deployment safe. Claude can be brilliant. Your agent can still be wide open to attack.
The ZeroLeaks Assessment
A security firm called ZeroLeaks tested unprotected OpenClaw instances for prompt injection. The result: 91.3% prompt injection success rate on instances without defense layers.
An attacker sends a crafted message to your WhatsApp agent. The agent follows the injected instructions. It reads your .env file. It sends the contents back to the attacker. Game over.
This is not a theoretical risk. It is happening right now on thousands of exposed instances.
DIY Hardening Takes Weeks
You can secure OpenClaw yourself. Configure Docker networking. Set up firewall rules. Build approval workflows. Add log aggregation. Implement egress controls. Test prompt injection defenses. Set up monitoring and alerting.
Most teams estimate 4 to 6 weeks of engineering time to harden a single OpenClaw deployment. And that assumes you know what to harden.
Clawctl: Production-Grade OpenClaw in 60 Seconds
Clawctl is the managed runtime for OpenClaw. Think of it as WP Engine for AI agents. You get all of OpenClaw's capabilities with security controls pre-configured.
What Clawctl Adds
| Security Layer | What It Does |
|---|---|
| Sandbox isolation | Agent runs in an isolated container. Cannot access host system. |
| Encrypted secrets vault | API keys and credentials stored encrypted at rest. |
| 70+ risky actions blocked | Dangerous operations require human approval before execution. |
| Network egress control | Whitelist which domains the agent can contact. Block everything else. |
| Full audit trail with replay | Every tool call, input, and output recorded. Replay any session. |
| Kill switch | Instantly halt all agent activity with one click. |
| Prompt injection defense | Input sanitization and anomaly detection blocks injection attacks. |
Deploy Time Comparison
| Task | DIY on Your Infra | Clawctl |
|---|---|---|
| Basic deployment | 2-4 hours | 60 seconds |
| Authentication setup | 1-2 days | Included |
| Sandbox isolation | 2-3 days | Included |
| Egress controls | 1-2 days | Included |
| Audit logging | 1-2 days | Included |
| Prompt injection defense | 1-2 weeks | Included |
| Kill switch | 1 day | Included |
| Total | 4-6 weeks | 60 seconds |
Pricing
| Plan | Agents | Price |
|---|---|---|
| Starter | 1 agent | $49/mo |
| Team | 5 agents | $299/mo |
| Business | 25 agents | $999/mo |
Every plan includes sandbox isolation, the secrets vault, audit trails, and the kill switch. The difference is the number of agents you can run.
How It Works with Claude
Clawctl does not change how you configure Claude. You still use your Anthropic API key. You still pick your model. You still define tools and channels. Clawctl wraps the entire runtime in security controls.
# clawctl.yaml
llm:
name: claude-agent
type: anthropic
model: claude-sonnet-4-20250514
security:
sandbox: strict
approval_required:
- shell_write
- git_push
- http_external
egress:
allowed_domains:
- api.anthropic.com
- github.com
- your-api.internal.com
block_all_other: true
audit:
log_level: full
retention_days: 90
kill_switch: enabled
channels:
- type: discord
bot_token: "${DISCORD_BOT_TOKEN}"
- type: slack
bot_token: "${SLACK_BOT_TOKEN}"
Deploy with one command:
clawctl deploy
Your Claude-powered agent is live. Sandboxed. Audited. Secured. In 60 seconds.
When to Use What
Use Claude Code for interactive coding sessions at your desk. It is the best terminal-based coding agent available. Great for one developer, one project, one session.
Use OpenClaw with Claude when you need an agent that runs 24/7 across channels. When you need persistent memory, scheduled tasks, and team access. When the agent does more than write code.
Use Clawctl when that agent touches production systems. When you need audit trails for compliance. When you cannot afford a prompt injection breach. When you want to deploy in 60 seconds instead of 6 weeks.
They are not mutually exclusive. Use Claude Code for your personal workflow. Run OpenClaw on Clawctl for your team's production agents. Both powered by Claude.
Deploy securely with Clawctl →