
15 First Prompts to Configure OpenClaw the Right Way

OpenClaw out of the box is insecure and expensive. These 15 copy-paste prompts fix your security, costs, and personalization in one session.


The moment OpenClaw comes online, it starts burning API credits. It doesn't know who you are, it has no guardrails, and your API keys are probably sitting exposed in a config file. Most people don't notice because the interface looks fine, the bot responds, the terminal is green, everything seems to work. But "seems to work" is costing some people $300–$700 a month.

That's not a usage problem. It's a configuration problem.

I put together 15 prompts that I run on every new OpenClaw install. They cover security, cost controls, personalization, and model routing, and the whole session takes under an hour. Before you start, grab the free prompt sheet so you're not rewinding the video every two minutes:

Free 15 First Prompts Guide
Copy-paste all 15 prompts, no transcribing required. Free.

And before you run these prompts, make sure OpenClaw is actually deployed. If you haven't done that yet, I walk through the full Hostinger setup in the Part 1 beginner walkthrough. Hostinger's one-click Docker deployment is the fastest path, the KVM2 VPS has enough RAM and storage to run OpenClaw comfortably, and you can get 10% off with code MOE-LUEKER at hostinger.com/moe-lueker.

Once you're in the terminal, here's what to run first.

Start with the Security Audit

The first prompt I run on any new install is a full security audit. Not because I'm a security researcher, I'm not, but because OpenClaw will find and patch its own vulnerabilities if you just ask it to.

When I ran it on my fresh install, it came back with one critical flag, four warnings, and one informational item. It then fixed all of them automatically: set allow_insecure to false, corrected file permissions, bound the gateway to loopback, confirmed token auth was enabled. One prompt, done.

This matters more than it sounds. If you're running OpenClaw on a VPS and your config is wide open, you're one exposed endpoint away from someone else running commands on your machine. Run the audit before you do anything else.
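The fixes above are reported by the agent itself, so the loopback binding is worth confirming from outside the agent. This added example (not from the original post or the OpenClaw project) parses `ss -tlnH` output and lists every TCP listener reachable from beyond the host; the sample lines and port numbers are constructed.

```python
import ipaddress
import subprocess

# Constructed sample of `ss -tlnH` output (Linux, iproute2); ports are made up.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:9999 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::1]:9999 [::]:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""


def exposed_listeners(ss_output):
    """Return (address, port) for each TCP listener not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface scope
        # "*" is the wildcard ss prints for a socket bound on all interfaces.
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            exposed.append((host, int(port)))
    return exposed


if __name__ == "__main__":
    # On a real host, read the live socket table instead of the sample.
    live = subprocess.run(["ss", "-tlnH"], capture_output=True, text=True).stdout
    for host, port in exposed_listeners(live):
        print(f"listening beyond loopback: {host}:{port}")
```

If the gateway's port shows up in this list after the audit, the bind address was not actually changed or the gateway was not restarted.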

Move Your API Keys Out of the Config File

The second prompt sets up a local .env file with placeholders for your Anthropic key, OpenAI key, OpenRouter key, Telegram token, and OpenClaw gateway token. It then updates the OpenClaw JSON to reference those variables instead of storing the keys directly.

This is standard web development practice. Hard-coding API keys into a config file that might get synced, shared, or logged is how keys get exposed. The .env approach keeps them local and readable only by you; OpenClaw sets the file permissions automatically when you run this prompt.

After it's done, it'll ask if you want to restart the OpenClaw gateway so the new environment variables load. Say yes. Takes about 30 seconds.
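To confirm the migration took effect, this added example (not the post's or OpenClaw's own code) walks a JSON config for secret-named keys that still hold a literal value and checks that the .env file is closed to group and others. The `${VAR}` reference syntax, the key names, and the sample config are assumptions made for illustration.

```python
import json
import os
import re
import stat

# Assumptions: secret-bearing key names, and ${VAR} as the safe reference form.
SECRET_KEY = re.compile(r"key|token|secret|password", re.I)
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")

# Constructed sample; key names and the literal "key" are hypothetical.
SAMPLE_CONFIG = {
    "gateway": {"auth": {"token": "${OPENCLAW_GATEWAY_TOKEN}"}},
    "providers": [
        {"name": "anthropic", "apiKey": "${ANTHROPIC_API_KEY}"},
        {"name": "openai", "apiKey": "sk-constructed-not-a-real-key"},
    ],
}


def literal_secrets(node, path=""):
    """Return JSON paths of secret-named keys that hold a literal string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and SECRET_KEY.search(key):
                if value and not ENV_REF.match(value):
                    hits.append(child)
            else:
                hits.extend(literal_secrets(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(literal_secrets(value, f"{path}[{i}]"))
    return hits


def env_file_too_open(env_path):
    """True if group or others hold any permission bit on the file."""
    mode = stat.S_IMODE(os.stat(env_path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit(config_path, env_path):
    with open(config_path) as fh:
        findings = [f"literal secret at {p}" for p in literal_secrets(json.load(fh))]
    if env_file_too_open(env_path):
        findings.append(f"{env_path} is readable beyond its owner; chmod 600")
    return findings
```

An empty list from `audit()` means no literal secrets were found under the matched key names and the .env file is owner-only; any key that was ever stored in the config in plain text should still be rotated.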

Set Safety Guardrails in soul.md

OpenClaw is an agent. It can run shell commands, access files, and make network requests. Without guardrails, it'll do whatever it thinks is helpful, which is a problem if "helpful" means deleting a directory or running in an endless loop at 3am.

The safety guardrails prompt I use adds seven rules to the soul.md file:

  • Don't run destructive commands
  • Don't access password managers or SSH keys
  • Don't make purchases
  • Stop after a set number of failed attempts (no infinite loops)
  • Log every shell command for debugging
  • Soft daily API spend limit of $5, with a prompt before exceeding it
  • Basic prompt injection resistance

None of this is bulletproof. But it's the difference between an agent that occasionally does something dumb and one that does something expensive or irreversible. Set it early.

Build the User Profile

OpenClaw has no idea who you are out of the box. The user.md prompt fixes that. It asks you a series of questions (name, time zone, location, what you do day-to-day) and writes the answers into a persistent file that every session can reference.

You can skip questions and fill them in later. I gave it my name, time zone (America/Los Angeles), city, and a quick summary of what I use OpenClaw for. The whole thing took maybe three minutes. You can verify the file was written correctly by navigating to openclaw/workspace/user.md in the agent's file browser.

This is what separates a generic chatbot from something that actually knows your context. Without it, you're starting from zero every session.

Create the soul.md File

After the safety guardrails, I run a separate prompt to build out the full soul.md, the file that defines how the agent behaves, its tone, and its operating principles. Think of it as the equivalent of a claude.md file if you've used Claude Code. It's the personality and operating instructions in one place.

The prompt I use creates this with cost controls already baked in, which leads directly into the next step.

Fix the Cost Problem

This is where most people are bleeding money without knowing it.

Two changes make the biggest difference:

Default to a cheap model. I set GPT-4o Mini as my default for day-to-day operations. If you're on Anthropic, Haiku is the equivalent. For anything that doesn't require heavy reasoning, there's no reason to run Sonnet or GPT-4o on every message.

Extend the heartbeat interval. By default, OpenClaw's heartbeat, the background check that keeps the agent active, runs every 5–10 minutes. I set mine to every 30 minutes, and I tell it to only check for urgent messages during that heartbeat. That heartbeat also runs on the cheapest available model. These two changes alone can dramatically cut passive API spend.

Trim your workspace files. This one sounds minor but isn't. I run a workspace audit that checks every config file (soul, user, tools) and keeps each one under 5KB. Files that exceed that get trimmed. The result: up to 10 tokens saved per message. Across hundreds of interactions, that's real money.

If you want a deeper breakdown of model routing and cost optimization, including how to set up OpenRouter to switch between Claude, GPT, and others with one API key, I have a free cost-saver guide that covers it in under 10 minutes.

Connect to Telegram

Once the core configuration is done, I connect OpenClaw to Telegram so I can interact with it from my phone. The setup flow is straightforward: start a chat with BotFather in Telegram, create a new bot (the name has to end in "bot"), copy the access token, and paste it into the environment variable you set up earlier.

Once it's configured, messages you send to the Telegram bot show up in the OpenClaw conversation log and get responded to in real time. You can see both sides, the phone message and the agent's reply, in the terminal. It's a clean way to run quick tasks without opening a browser.

The last step I cover is web search. OpenClaw supports Perplexity, the Brave API, or Tavily. I use Perplexity, copy the API key into the environment variables, run the configuration prompt, and it's live. I tested it by asking for three noteworthy news stories from the current week and got a clean, sourced response.


A fresh OpenClaw install needs, at minimum: a security audit, .env setup, safety guardrails, a user profile, a soul file, and model routing set to something cheap by default. That's the floor. Everything else (Telegram, web search, multi-model routing) builds on top of that foundation.

The difference between a toy project and a production AI assistant that actually saves you time and money is about 90 minutes of configuration. Most people skip it. Don't.

If you found this useful, the Part 1 setup walkthrough goes deeper on the Hostinger deployment: https://youtu.be/pSvsLwGMy4A

Watch the full video on YouTube: https://youtu.be/5Xo_ni5VT-Y

Some links below may be affiliate links. I only recommend tools I actually use, and it may give you a discount if you use my links.

Moe Lueker
Tags: openclaw, ai-configuration, cost-optimization, ai-tools