Implementing OpenClaw: A Self-Hosted AI Assistant with Real Integrations

Installation, hardening and Google Workspace — full documentation of a real implementation

Introduction

In the world of conversational AI, most solutions are closed cloud services where your data passes through third-party servers. OpenClaw is different: it’s a self-hosted AI assistant framework that you can run on your own server, maintaining total control over your data and conversations.

In this article I’ll document the complete implementation of OpenClaw on a VPS, from installation to configuring real integrations with Google Workspace, including lessons learned in security and hardening.

What is OpenClaw?

OpenClaw is an open-source framework for building persistent AI assistants that can:

Resources:

Implementation Architecture

Infrastructure

  • VPS: DigitalOcean Droplet
  • OS: Ubuntu 22.04 LTS (x64)
  • Resources: 2 GB RAM, 50 GB SSD, 2 vCPUs
  • Hostname: openclaw-crp

Main Components

  1. OpenClaw Gateway — Main daemon that manages sessions and conversations
  2. Node.js Runtime — v22.22.0 (required)
  3. Skills — Modules that extend functionality
  4. Workspace — Persistent directory where the agent stores memory and data

Base Installation

1. Prepare the Server

# Update system
sudo apt update && sudo apt upgrade -y

# Install dependencies
sudo apt install -y curl git build-essential

2. Install Node.js 22

OpenClaw requires Node.js 22.x:

# Install Node.js 22 via NodeSource
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs

# Verify version
node --version  # v22.22.0
npm --version   # 10.9.2

3. Install OpenClaw

# Install globally
sudo npm install -g openclaw

# Verify installation
openclaw --version

4. Initial Configuration

# Initialize OpenClaw
openclaw init

# Configure Anthropic API key (Claude)
openclaw config set ANTHROPIC_API_KEY sk-ant-...

# Start the gateway
openclaw gateway start

The gateway will run as a systemd service.

Security Hardening

IMPORTANT: A poorly configured OpenClaw server can be a gateway into your infrastructure. Here’s what I implemented:

1. Firewall (UFW)

# Deny-by-default policy
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow only SSH, HTTP, HTTPS
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable firewall
sudo ufw enable

# Verify status
sudo ufw status verbose

2. SSH Hardening

# Generate ed25519 key (more secure than RSA), written to the path ssh-copy-id reads
ssh-keygen -t ed25519 -f ~/.ssh/openclaw_ed25519 -C "admin@openclaw-crp"

# Copy key to server
ssh-copy-id -i ~/.ssh/openclaw_ed25519.pub user@server

# Edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config

Critical configuration:

PasswordAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthenticationMethods publickey

# Restart SSH
sudo systemctl restart sshd
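
A check of the effective configuration, as an added example rather than part of the original setup: the stock Ubuntu 22.04 sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own directives, and sshd keeps the first value it reads for each keyword, so a drop-in file can override the lines above. The function name and the sample input are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original article): verify that sshd's *effective*
# settings match the four directives above.
# Usage on the server: sudo sshd -T | check_sshd_effective
check_sshd_effective() {
  # Reads "key value" lines (the format sshd -T prints) on stdin, prints one
  # line per problem, and returns non-zero if any problem was found.
  awk '
    BEGIN {
      bad = 0
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"]   = "yes"
      want["authenticationmethods"]  = "publickey"
      # sshd -T can report prohibit-password under its older alias.
      want["permitrootlogin"]        = "prohibit-password|without-password"
    }
    {
      key = tolower($1)
      if (!(key in want)) next
      val = $0
      sub(/^[^ \t]+[ \t]+/, "", val)
      seen[key] = 1
      hit = 0
      n = split(want[key], ok, "|")
      for (i = 1; i <= n; i++) if (val == ok[i]) hit = 1
      if (!hit) { printf "MISMATCH %s = %s\n", key, val; bad = 1 }
    }
    END {
      for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
      exit bad
    }
  '
}

# Constructed sample: a drop-in file has re-enabled password logins.
SAMPLE_SSHD_T='port 22
passwordauthentication yes
pubkeyauthentication yes
authenticationmethods publickey
permitrootlogin without-password'

printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_effective || true
```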

3. Fail2ban

Brute force attack protection:

# Install
sudo apt install -y fail2ban

# Configure
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Minimum configuration:

[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 3600

# Start and verify
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo fail2ban-client status sshd

4. Workspace Permissions

# Protect credentials
chmod 700 ~/.openclaw/credentials
chmod 600 ~/.openclaw/credentials/*.json

# Verify
ls -la ~/.openclaw/credentials/
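
An audit to run after the chmod commands, as an added example rather than part of the original article: the `*.json` glob leaves other file names, dotfiles and nested directories untouched, and files keep their own mode if they are later copied or archived out of the 700 directory. The function names and the throwaway demo tree are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original article): report anything under a
# credentials directory that group or others can read, write or traverse.
# Usage: audit_cred_perms ~/.openclaw/credentials
audit_cred_perms() {
  dir=$1
  if [ ! -d "$dir" ]; then
    echo "NOT_A_DIRECTORY $dir"
    return 2
  fi
  # -perm -NNN (POSIX) is true when all listed bits are set, so each group
  # and other bit is tested separately. Symlinks are skipped because their
  # own mode bits are not what access checks use.
  loose=$(find "$dir" ! -type l \( \
            -perm -040 -o -perm -020 -o -perm -010 -o \
            -perm -004 -o -perm -002 -o -perm -001 \) -print)
  if [ -n "$loose" ]; then
    printf '%s\n' "$loose" | sed 's/^/LOOSE /'
    return 1
  fi
  return 0
}

# Constructed demo in a throwaway directory: token.txt and the nested files
# are not matched by "chmod 600 credentials/*.json".
demo_cred_audit() {
  tmp=$(mktemp -d) || return 2
  mkdir -p "$tmp/credentials/backup"
  : > "$tmp/credentials/google.json"
  : > "$tmp/credentials/token.txt"
  : > "$tmp/credentials/backup/old.json"
  chmod 755 "$tmp/credentials/backup"
  chmod 644 "$tmp/credentials/token.txt" "$tmp/credentials/backup/old.json"
  chmod 700 "$tmp/credentials"
  chmod 600 "$tmp/credentials"/*.json
  audit_cred_perms "$tmp/credentials" && rc=0 || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

demo_cred_audit || true
```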

5. Security Audit

OpenClaw includes an audit command:

openclaw status --security

Expected result:

✓ Firewall active (UFW)
✓ SSH hardening complete
✓ Fail2ban active (1,626 IPs banned)
✓ Credentials protected (chmod 700)
✓ 0 critical vulnerabilities

Installing the GOG Skill (Google Workspace)

One of the most powerful integrations is gog — a CLI for Google Workspace that allows the assistant to interact with Gmail, Calendar, Drive, Docs and Sheets.

1. Install gog CLI

# Via Homebrew (Linux)
brew install steipete/tap/gogcli

# Verify
gog --version

2. Configure OAuth 2.0

You need a project in Google Cloud Console:

a) Create Project in Google Cloud

  1. Go to https://console.cloud.google.com
  2. Create new project: “OpenClaw Integration”
  3. Enable APIs:
    • Gmail API
    • Google Calendar API
    • Google Drive API
    • Google Docs API
    • Google Sheets API
    • People API (Contacts)

b) Create OAuth Credentials

  1. APIs & Services → Credentials
  2. Create Credentials → OAuth 2.0 Client ID
  3. Type: Desktop app
  4. Download JSON → client_secret.json

c) Configure Scopes

In OAuth consent screen, add scopes:

https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/gmail.send
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/documents
https://www.googleapis.com/auth/spreadsheets
https://www.googleapis.com/auth/contacts.readonly

3. Authenticate gog

# Upload client_secret.json to server via SCP
scp client_secret.json user@server:/tmp/

# On the server:
gog auth credentials /tmp/client_secret.json

# Add account
gog auth add nova@crp.gi --services gmail,calendar,drive,contacts,docs,sheets

This will open an OAuth flow in the browser. After authorizing, gog will store the token.

4. Verify Access

# List authenticated accounts
gog auth list

# Test Gmail
gog gmail search "newer_than:7d" --max 5

# Test Calendar
gog calendar list

# Test Drive
gog drive search "type:folder" --max 5

5. Configure Environment Variable

So OpenClaw uses the correct account automatically:

# Add to ~/.bashrc
echo 'export GOG_ACCOUNT=nova@crp.gi' >> ~/.bashrc
source ~/.bashrc

6. Install Skill in OpenClaw

# Navigate to workspace
cd ~/.openclaw/workspace/skills

# Clone gog skill from ClawHub
clawhub install gog

The gog skill includes SKILL.md with examples and complete reference.

Practical Use Cases

With OpenClaw + gog configured, these are some workflows I implemented:

1. Send Emails

gog gmail send \
  --to cesar.rosa@crp.gi \
  --subject "Daily Report" \
  --body "The watchlist alerted changes in 3 stocks today."

Note: gog does NOT add signatures automatically. The signature must be included manually in the body.

2. Schedule Calendar Events

gog calendar create primary \
  --summary "Team meeting" \
  --from "2026-03-10T14:00:00Z" \
  --to "2026-03-10T15:00:00Z" \
  --event-color 9

3. Upload Files to Drive

gog drive upload ./report.pdf

# Share with someone
gog drive share <fileId> \
  --to user \
  --email cesar.rosa@crp.gi \
  --role reader

4. Search Gmail

# Advanced search
gog gmail messages search "from:github.com subject:security" --max 20

# Export to JSON
gog gmail messages search "newer_than:30d" --max 100 --json > emails.json

5. Automated Financial Watchlist

One of the most interesting use cases was configuring a cron job that:

  1. Queries stock prices via API
  2. Compares against configured thresholds
  3. Sends email alerts if there are significant changes

Implementation:

# Create cron job in OpenClaw
openclaw cron create \
  --label "watchlist-daily-alert" \
  --schedule "30 13 * * 1-5" \
  --task "Query stock watchlist and send report via email" \
  --timezone UTC

6. Persistent Memory

OpenClaw maintains memory between sessions using Markdown files in the workspace:

~/.openclaw/workspace/
├── SOUL.md          # Assistant personality
├── USER.md          # User information
├── MEMORY.md        # Long-term memory
├── TOOLS.md         # Tool notes
└── memory/
    └── 2026-03-08.md  # Daily log

The assistant reads these files at the start of each session, maintaining context.

Lessons Learned

1. Security is Critical

An AI assistant with access to Gmail, Calendar and system commands can be devastating if compromised. Hardening is NOT optional.

Minimum checklist:

2. OAuth is More Secure than API Keys

Google Workspace with OAuth 2.0 allows:

3. Session Separation

OpenClaw supports multiple channels (web, WhatsApp, Telegram). Each channel is a separate session — they don’t share memory automatically.

Solution: Use shared memory files (MEMORY.md) that are read at the start of each session.

4. The Sandbox Protects But Limits

OpenClaw runs commands in a Docker sandbox by default. This protects the host, but:

Solution: Use tools that operate via API (like gog) instead of direct file access.

5. Document Everything

The agent is only as good as its documentation. Keeping TOOLS.md, SKILL.md and guides updated makes the difference between a useful assistant and one that constantly asks questions.

Operating Costs

  • VPS Server (DigitalOcean): $12-18/month
  • Claude API (Anthropic): Variable by usage (~$10-50/month)
  • Google APIs: Free (within quotas)
  • Domain + SSL: $10-15/year (optional)

Estimated total: $25-70/month

Compared to cloud AI services ($20-200/month) that do NOT include real integrations or data control, OpenClaw is very competitive.

Next Steps

The current implementation covers:

Roadmap:

Conclusion

OpenClaw demonstrates that it’s possible to have a powerful, self-hosted AI assistant with real integrations, without sacrificing control over your data.

The combination of OpenClaw + gog CLI opens infinite possibilities: from automating email workflows to managing calendars, analyzing documents in Drive, or creating automatic financial reports.

The initial configuration effort (especially OAuth and hardening) is totally worth it when the assistant starts saving hours of manual work every week.

If you’re looking for a real alternative to ChatGPT/Claude/etc. that you can completely control, OpenClaw is a serious option to consider.


by: Cesar Rosa Polanco — Senior Consultant with 30+ years of experience in infrastructure, security and automation.
