#how to use nvidia api key with openclaw

i got nvidia api key and i want to use it with openclaw how can i do it?

Yep, NVIDIA is built in.

If OpenClaw is already installed and running:

export NVIDIA_API_KEY="nvapi-..."
openclaw gateway restart
openclaw models set nvidia/nvidia/nemotron-3-super-120b-a12b
openclaw models status

If this is a fresh setup:

export NVIDIA_API_KEY="nvapi-..."
openclaw onboard --auth-choice skip

openclaw models set nvidia/nvidia/nemotron-3-super-120b-a12b

A few notes:

• NVIDIA auto-enables when NVIDIA_API_KEY is set, so you usually do not need extra provider config.
• Prefer the env var, not --token, so your key does not end up in shell history.
• If you run OpenClaw as a daemon/service, putting it in ~/.openclaw/openclaw.json under env can be more reliable than a temporary export.
• If you run from source, use pnpm openclaw ... instead of openclaw ....

Docs:

• https://docs.openclaw.ai/providers/nvidia
• https://docs.openclaw.ai/concepts/model-providers

If it still does not show up, paste these:

openclaw --version
openclaw models status

When i started to set up openclaw and setting telegram api key this pop up
TypeError: Cannot read properties of undefined (reading 'trim')

Oof, that reading 'trim' error is usually the setup wizard crashing, not a bad Telegram token.

First, can you paste:

openclaw --version

There was a recent fix for a setup-side trim crash, so the version matters a lot here.

Fast workaround, so you can keep moving:

1. Skip Telegram during onboarding
2. Finish setup
3. Add Telegram manually afterward in ~/.openclaw/openclaw.json (JSON5), for example:

{
  channels: {
    telegram: {
      enabled: true,
      botToken: "123:abc",
      dmPolicy: "pairing",
    },
  },
}

Then restart:

openclaw gateway restart

If you're running from source, use pnpm openclaw ... instead.

Docs:

• https://docs.openclaw.ai/channels/telegram
• https://docs.openclaw.ai/help/faq

Also, do not paste your Telegram token here.

If you want, send your openclaw --version and I can tell you whether this is likely the known bug or something else.

[openclaw] Failed to start CLI: TypeError: Cannot read properties of undefined (reading 'trim')
at formatDocsLink (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/links-BlUEqVE8.js:7:23)
at formatChannelSelectionLine (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/registry-DE4nHTjg.js:111:71)
at resolveChannelSelectionNoteLines (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/onboard-channels-D--y_LfI.js:855:60)
at setupChannels (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/onboard-channels-D--y_LfI.js:1267:24)
at process.processTicksAndRejections (node:internal/process/task_queues:103:5)
at async configureChannelsSection (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/configure-CP-Lvt30.js:959:71)
at async runConfigureWizard (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/configure-CP-Lvt30.js:1042:6)
at async configureCommand (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/configure-CP-Lvt30.js:1134:2)
at async configureCommandFromSectionsArg (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/configure-CP-Lvt30.js:1145:3)
at async Command.<anonymous> (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/config-cli-ranzgR2T.js:926:3)

Nice, that stack trace helps a lot.

This does not look like a bad Telegram token. It looks like the channel setup wizard crashing while rendering channel/plugin docs metadata:

• formatDocsLink
• formatChannelSelectionLine
• setupChannels

That matches a recent fix in this area, so first please paste:

openclaw --version

I’d try this next:

openclaw update
openclaw doctor

Then rerun setup.

If you have any extra/third-party channel plugins installed, one of them may be the trigger here.

Fast workaround, so you can keep going:

• skip the interactive channel step
• configure Telegram manually after setup

Config example (JSON5):

{
  channels: {
    telegram: {
      enabled: true,
      botToken: "123:abc",
      dmPolicy: "pairing",
    },
  },
}

Then:

openclaw gateway restart

Docs:

• https://docs.openclaw.ai/install/updating
• https://docs.openclaw.ai/channels/telegram
• https://docs.openclaw.ai/cli/channels

If you send openclaw --version, I can tell you whether you’re likely just missing the fix.

OpenClaw 2026.4.14 (323493f)

Yep, that explains it.

You’re on 2026.4.14, and this looks like the channel setup wizard bug fixed after 2026.4.14. So I’d update first.

Try:

openclaw update
openclaw doctor
openclaw gateway restart

Then rerun setup.

If you want the manual path instead, skip the wizard and add Telegram in config, then restart the gateway.

Docs:

• https://docs.openclaw.ai/install/updating
• https://docs.openclaw.ai/channels/telegram

If it still crashes after updating, paste:

openclaw --version
openclaw plugins list

That would help check whether a third-party plugin is feeding bad channel metadata into setup.

how can i add it manually

If you mean Telegram, add it directly in ~/.openclaw/openclaw.json (JSON5, not YAML).

Example:

{
  channels: {
    telegram: {
      enabled: true,
      botToken: "123456:ABCDEF...",
      dmPolicy: "pairing",
      groups: { "*": { requireMention: true } },
    },
  },
}

Then restart OpenClaw:

openclaw gateway restart

After that:

1. DM your bot on Telegram
2. Run:

openclaw pairing list telegram
openclaw pairing approve telegram <CODE>

A couple notes:

• Do not paste your bot token here

• If you run from source, use pnpm openclaw ...

Docs:

• https://docs.openclaw.ai/channels/telegram

If you want, I can also give you a combined config snippet for both Telegram + NVIDIA.

12:07:55 [telegram/native-approvals] connect error: pairing required
12:07:55 gateway connect failed: GatewayClientRequestError: pairing required
12:07:55 [telegram] failed to start native approval handler: GatewayClientRequestError: pairing required
12:07:55 [ws] closed before connect conn=84c8ce11-ffeb-45db-8d55-781d1b61daaf peer=127.0.0.1:45684->127.0.0.1:18789 remote=127.0.0.1 fwd=n/a origin=n/a host=127.0.0.1:18789 ua=n/a code=1008 reason=pairing required
12:07:56 [gateway] security audit: device access upgrade requested reason=scope-upgrade device=1301326409de030578064d278e95a2debea575d0173cad5eb40b070206fb9d7b ip=unknown-ip auth=token roleFrom=operator roleTo=operator scopesFrom=operator.read scopesTo=operator.approvals client=gateway-client conn=8c2cab88-fb6a-43b7-9bbe-24f4823618b0
12:07:56 [telegram/native-approvals] connect error: pairing required
12:07:56 gateway connect failed: GatewayClientRequestError: pairing required
12:07:56 [telegram] failed to start native approval handler: GatewayClientRequestError: pairing required
12:07:56 [ws] closed before connect conn=8c2cab88-fb6a-43b7-9bbe-24f4823618b0 peer=127.0.0.1:45692->127.0.0.1:18789 remote=127.0.0.1 fwd=n/a origin=n/a host=127.0.0.1:18789 ua=n/a code=1008 reason=pairing required
^[[C12:07:57 [gateway] security audit: device access upgrade requested reason=scope-upgrade device=1301326409de030578064d278e95a2debea575d0173cad5eb40b070206fb9d7b ip=unknown-ip auth=token roleFrom=operator roleTo=operator scopesFrom=operator.read scopesTo=operator.approvals client=gateway-client conn=c7edab16-59a4-4712-8a81-8ab456ccb193
^[[C^[[C^[[C12:07:57 [telegram/native-approvals]

This one is different. The log says Telegram is trying to use native exec approvals, and the gateway wants you to approve a scope upgrade first.

Specifically, it is asking to go from:

• operator.read
  to
• operator.approvals

Fix

Run:

openclaw devices list

Find the newest pending request, then approve it with its exact requestId:

openclaw devices approve <requestId>

Then restart:

openclaw gateway restart

Important

The requestId can change on retries, so run openclaw devices list right before approving.

If you do not care about Telegram approval prompts yet

You can disable Telegram native approvals for now:

{
  channels: {
    telegram: {
      execApprovals: { enabled: false }
    },
  },
}

Then restart the gateway.

Docs:

• https://docs.openclaw.ai/cli/devices
• https://docs.openclaw.ai/channels/telegram
• https://docs.openclaw.ai/tools/exec-approvals

If you want, paste the output of openclaw devices list and I’ll tell you which request to approve.

v8816@west jackal1:~$ openclaw devices list

🦞 OpenClaw 2026.4.14 (323493f)
Finally, a use for that always-on Mac Mini under your desk.

│
◇
[openclaw] Failed to start CLI: Error: gateway closed (1006 abnormal closure (no close frame)): no close reason
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /home/v8816/.openclaw/openclaw.json
Bind: loopback
at Object.onClose (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/call-lSOkBlVy.js:249:10)
at WebSocket.<anonymous> (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/client-CJI3Hi9b.js:390:23)
at WebSocket.emit (node:events:519:28)
at WebSocket.emitClose (/home/v8816/.npm-global/lib/node_modules/openclaw/node_modules/ws/lib/websocket.js:263:12)
at emitErrorAndClose (/home/v8816/.npm-global/lib/node_modules/openclaw/node_modules/ws/lib/websocket.js:1047:13)
at ClientRequest.<anonymous> (/home/v8816/.npm-global/lib/node_modules/openclaw/node_modules/ws/lib/websocket.js:886:5)
at ClientRequest.emit (node:events:519:28)
at emitErrorEvent (node:_http_client:108:11)
at Socket.socketErrorListener (node:_http_client:575:5)
at Socket.emit (node:events:519:28)

Got it, this is a different failure now.

openclaw devices list is not reaching the pairing flow. Your gateway on ws://127.0.0.1:18789 is closing early with 1006 abnormal closure, so first we need the gateway healthy.

Try this in order:

openclaw gateway status
openclaw gateway restart
openclaw doctor
openclaw devices list

If devices list still dies, the important next check is:

openclaw logs --follow

Then paste the first real error you see after startup.

So right now the problem is:

• not your Telegram token
• not pairing itself
• it is the gateway closing/crashing before pairing can complete

Docs:

• https://docs.openclaw.ai/gateway/troubleshooting
• https://docs.openclaw.ai/help/faq

If you want, paste openclaw gateway status next and I’ll read it with you.

v8816@west jackal1:~$ openclaw devices approve 40d39063-c70c-4dfc-9c72-726a03c4d269

🦞 OpenClaw 2026.4.14 (323493f) — Like having a senior engineer on call, except I don't bill hourly or sigh audibly.

│
◇
[openclaw] Failed to start CLI: Error: gateway closed (1006 abnormal closure (no close frame)): no close reason
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /home/v8816/.openclaw/openclaw.json
Bind: loopback
at Object.onClose (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/call-lSOkBlVy.js:249:10)
at WebSocket.<anonymous> (file:///home/v8816/.npm-global/lib/node_modules/openclaw/dist/client-CJI3Hi9b.js:390:23)
at WebSocket.emit (node:events:519:28)
at WebSocket.emitClose (/home/v8816/.npm-global/lib/node_modules/openclaw/node_modules/ws/lib/websocket.js:263:12)
at emitErrorAndClose (/home/v8816/.npm-global/lib/node_modules/openclaw/node_modules/ws/lib/websocket.js:1047:13)
at ClientRequest.<anonymous> (/home/v8816/.npm-global/lib/node_modules/openclaw/node_modules/ws/lib/websocket.js:886:5)
at ClientRequest.emit (node:events:519:28)
at emitErrorEvent (node:_http_client:108:11)
at Socket.socketErrorListener (node:_http_client:575:5)
at Socket.emit (node:events:519:28)

Yep, this confirms it, devices approve cannot work until the gateway itself is stable.

So, pause the pairing steps for a second and please paste these next:

openclaw gateway status
openclaw status --all

If status --all is too noisy, do this instead:

openclaw logs --follow

and copy the first real error after startup.

Right now the core issue is:

• WebSocket to ws://127.0.0.1:18789 is dropping with 1006
• that usually means the gateway is not running cleanly or is crashing on boot

Once we fix that, the pairing approval should work normally.

Diagnosis (read-only)

Gateway connection details:
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /home/v8816/.openclaw/openclaw.json
Bind: loopback

✓ Config: /home/v8816/.openclaw/openclaw.json
✓ Secret diagnostics (0)
✓ Restart sentinel: none
✓ Port 18789
! Tailscale: off · unknown
✓ Skills: 7 eligible · 0 missing · /home/v8816/.openclaw/workspace
✓ Plugin compatibility (none)
! Channel issues skipped (gateway unreachable)

Gateway health:
gateway closed (1006):

Pasteable debug report. Auth tokens redacted.
Troubleshooting: https://docs.openclaw.ai/troubleshooting

That’s helpful.

So, 18789 is open, but the WebSocket dies immediately. That usually means something is listening on the port, but the gateway itself is not healthy, or a stale process is sitting there.

Next, please run these exact commands:

openclaw gateway status
openclaw gateway restart
openclaw logs --follow

If gateway status still looks weird, also run:

openclaw gateway status --deep

What I need from you is the first real error right after the restart from openclaw logs --follow.

At this point, I would stop debugging Telegram/pairing and focus only on the gateway startup issue first. Once the gateway is healthy, the rest should fall into place much more cleanly.

d
09:23:41+00:00 warn gateway {"subsystem":"gateway"} security audit: device access upgrade requested reason=scope-upgrade device=1301326409de030578064d278e95a2debea575d0173cad5eb40b070206fb9d7b ip=unknown-ip auth=token roleFrom=operator roleTo=operator scopesFrom=operator.read scopesTo=operator.admin,operator.approvals,operator.pairing,operator.read,operator.talk.secrets,operator.write client=cli conn=b45e4707-f944-4c0d-835e-6ac6b5330b19
09:23:41+00:00 error gateway connect failed: GatewayClientRequestError: pairing required
09:23:41+00:00 error gateway connect failed: GatewayClientRequestError: pairing required

Aha, this is the key bit:

reason=scope-upgrade
scopesFrom=operator.read
scopesTo=operator.admin,operator.approvals,operator.pairing,operator.read,operator.talk.secrets,operator.write

So your old request ID is stale now.

OpenClaw replaced it with a new pending scope-upgrade request, which is why approving the earlier ID does not help.

Do this now

openclaw devices approve --latest

That should print the current pending request.

Then immediately approve that exact fresh ID:

openclaw devices approve <fresh-requestId>

Why this happens

Each retry can create a new pending request if the requested scopes changed, and the old one gets superseded.

If you just want Telegram working for now

You can disable Telegram native exec approvals and come back to this later:

{

  channels: {
    telegram: {
      execApprovals: { enabled: false }
    },
  },
}

Then restart:

openclaw gateway restart

Docs:

• https://docs.openclaw.ai/cli/devices

• https://docs.openclaw.ai/tools/exec-approvals

If approve --latest prints something, paste it and I’ll tell you the exact next command.

i suggest u start a conversation with krill @west jackal... as in a chill and casual one

haha, I can do chill 😄 but I want to keep this thread focused on getting the setup unblocked so it stays useful for the next person too.

Let’s keep going on the fix, and once the gateway is happy, the rest should be much smoother.

ok i tried to use approve request but it still sends same errors, and it wont stop sending them
v8816@v8:~$ openclaw devices approve --latest

🦞 OpenClaw 2026.4.14 (323493f) — Less clicking, more shipping, fewer "where did that file go" moments.

│
gateway connect failed: GatewayClientRequestError: pairing required
◇
Direct scope access failed; using local fallback.
Selected pending device request 771a9261-7694-43f5-b3e7-f33015f86098
Device: telegram Native Approvals (default)
Role: operator
Scopes: operator.approvals, operator.admin, operator.read, operator.write, operator.pairing, operator.talk.secrets
Approve this exact request with: openclaw devices approve 771a9261-7694-43f5-b3e7-f33015f86098

Ah, we found the misunderstanding. --latest does not approve it. It only shows you the current request ID.

So now run the exact command it gave you:

openclaw devices approve 771a9261-7694-43f5-b3e7-f33015f86098

That is the real approval step.

Why the errors keep coming:

• Telegram native approvals keeps retrying
• --latest only previews the request
• until the exact request is approved, it will keep complaining

If it still keeps spamming after that exact approve command succeeds, the quick workaround is to disable Telegram native approvals for now:

{
  channels: {
    telegram: {
      execApprovals: { enabled: false }
    },
  },
}

then:

openclaw gateway restart

If you want, paste the output of the exact openclaw devices approve 771a9261-7694-43f5-b3e7-f33015f86098 command next.

v8816@v1:~$ openclaw devices approve 771a9261-7694-43f5-b3e7-f33015f86098

🦞 OpenClaw 2026.4.14 (323493f) — I autocomplete your thoughts—just slower and with more API calls.

│
gateway connect failed: GatewayClientRequestError: pairing required
◇
Direct scope access failed; using local fallback.
unknown requestId

Yep, that means the request is being superseded before you can approve it.

So the clean move here is: stop fighting Telegram native approvals for now.

Edit ~/.openclaw/openclaw.json and add:

{
  channels: {
    telegram: {
      execApprovals: { enabled: false }
    },
  },
}

Then restart:

openclaw gateway restart

Why:

• Telegram native approvals is retrying constantly
• each retry can replace the pending requestId
• so by the time you approve it, you get unknown requestId

This does not stop Telegram from working as a channel, it only disables Telegram as a native exec approval client.

Once you’re on a newer OpenClaw version and the rest of setup is stable, you can turn that back on later.

Docs:

• https://docs.openclaw.ai/channels/telegram
• https://docs.openclaw.ai/tools/exec-approvals

If you want, I can give you a full minimal working openclaw.json for Telegram + NVIDIA together.

where should i paste it
"channels": {
"telegram": {
"enabled": true,
"groups": {
"*": {
"requireMention": true
}
},
"botToken": "123:fdasd",
"dmPolicy": "allowlist",
"allowFrom": [
"1821538367"
]
}
},

Paste it into:

/home/v8816/.openclaw/openclaw.json

It should be inside the top-level config object.

If your file already exists, merge it, do not create a second channels block.

A good version would be:

{
  channels: {
    telegram: {

      enabled: true,
      botToken: "PUT_YOUR_NEW_TOKEN_HERE",
      dmPolicy: "allowlist",
      allowFrom: ["1821538367"],
      groups: {
        "*": { requireMention: true },
      },
      execApprovals: { enabled: false },
    },
  },
}

Then run:

openclaw gateway restart

Very important: if the token you pasted here is real, rotate it in BotFather right now and replace it with the new one, because this is a public thread.

If you want, paste your full openclaw.json with the token redacted, and I’ll tell you exactly where to insert the Telegram block.

i started openclaw on my homelab, but i cant get access to it via http://127.0.0.1:18789

127.0.0.1 only works on the same machine that is running OpenClaw.

So if OpenClaw is running on your homelab box, opening http://127.0.0.1:18789 on your laptop/phone will not reach it.

Best options

1. SSH tunnel
From your local machine:

ssh -N -L 18789:127.0.0.1:18789 user@your-homelab-host

Then open locally:

http://127.0.0.1:18789

2. Tailscale Serve
Recommended if you use Tailscale:

openclaw gateway --tailscale serve

3. If you are on the homelab machine itself
Check the gateway is actually up:

openclaw gateway status

If it asks for auth in the UI, paste your configured gateway token/password.

Docs:

• https://docs.openclaw.ai/help/faq
• https://docs.openclaw.ai/web/dashboard

If you want, tell me whether you’re opening it from the same machine or from another device, and I’ll give you the exact next command.

12:53:26 [gateway] loading configuration…
12:53:26 [gateway] resolving authentication…
12:53:26 [gateway] starting...
12:53:29 [gateway] starting HTTP server...
12:53:29 [canvas] host mounted at http://127.0.0.1:18789/__openclaw__/canvas/ (root /home/v8816/.openclaw/canvas)
12:53:29 [health-monitor] started (interval: 300s, startup-grace: 60s, channel-connect-grace: 120s)
12:53:29 [gateway] agent model: nvidia/nemotron-3-super-120b-a12b
12:53:29 [gateway] ready (5 plugins: acpx, browser, device-pair, phone-control, talk-voice; 3.3s)
12:53:29 [gateway] log file: /tmp/openclaw/openclaw-2026-04-16.log
12:53:29 [tailscale] serve failed: spawn tailscale ENOENT
12:53:29 [gateway] starting channels and sidecars...
12:53:29 [hooks] loaded 4 internal hook handlers
12:53:38 [bonjour] watchdog detected non-announced service; attempting re-advertise (gateway fqdn=v88161 (OpenClaw)._openclaw-gw._tcp.local. host=openclaw.local. port=18789 state=probing)
12:53:45 [gateway] startup model warmup failed for nvidia/nemotron-3-super-120b-a12b: Error: Unknown model: nvidia/nemotron-3-super-120b-a12b
12:53:45 [plugins] embedded acpx runtime backend registered (cwd: /home/v8816/.openclaw/workspace)
12:53:45 [browser/server] Browser control listening on http://127.0.0.1:18791/ (auth=token)
12:53:45 [heartbeat] started
12:53:46 [plugins] embedded acpx runtime backend ready

Nice, this log is actually pretty clear.

1. The gateway is up

You have:

[gateway] ready

So the UI server is running on the homelab box.

2. 127.0.0.1 is still the issue

It is listening on:

http://127.0.0.1:18789

That only works on the same machine.
If you are opening it from another device, use an SSH tunnel:

ssh -N -L 18789:127.0.0.1:18789 user@your-homelab-host

Then open on your local machine:

http://127.0.0.1:18789

3. Tailscale Serve did not start

You also have:

[tailscale] serve failed: spawn tailscale ENOENT

So Tailscale is not installed / not in PATH on that machine.

4. Your NVIDIA model ref is wrong

This line matters:

startup model warmup failed ... Unknown model: nvidia/nemotron-3-super-120b-a12b

The built-in ref should be:

openclaw models set nvidia/nvidia/nemotron-3-super-120b-a12b

You are missing the second nvidia/.

Docs:

• https://docs.openclaw.ai/providers/nvidia
• https://docs.openclaw.ai/web/dashboard
• https://docs.openclaw.ai/help/faq

So, the two fixes are:

1. use SSH tunnel (or install Tailscale) for remote access
2. change the model to nvidia/nvidia/nemotron-3-super-120b-a12b

If you want, I can give you the exact openclaw.json snippet for both.

how to fix this TypeError: Cannot read properties of undefined (reading 'trim')

For your case, that trim error is the broken setup/channel wizard on 2026.4.14, not your Telegram token.

Best fix

Update OpenClaw:

openclaw update
openclaw doctor
openclaw gateway restart

Workaround if you want to keep moving now

Skip the wizard and edit this file manually:

~/.openclaw/openclaw.json

Add your Telegram config there, then restart the gateway.

Why I’m saying that

Your earlier stack trace pointed at:

• formatDocsLink
• formatChannelSelectionLine
• setupChannels

That is the setup wizard path, and there was a fix after 2026.4.14.

So the short answer is:

• update OpenClaw
• or avoid the wizard and configure manually

Docs:

• https://docs.openclaw.ai/install/updating

• https://docs.openclaw.ai/channels/telegram

If you want, paste the current openclaw.json with secrets redacted and I’ll tell you exactly what to change.

{
"agents": {
"defaults": {
"workspace": "/home/v8816/.openclaw/workspace",
"model": {
"primary": "nvidia/nemotron-3-super-120b-a12b"
},
"models": {
"nvidia/nemotron-3-super-120b-a12b": {}
}
}
},
"gateway": {
"mode": "local",
"auth": {
"mode": "token",
"token": "sdwadsw"
}
},
"meta": {
"lastTouchedVersion": "2026.4.14",
"lastTouchedAt": "2026-04-16T09:06:46.349Z"
},
"plugins": {
"entries": {
"nvidia": {
"enabled": true
}
}
}
}

A few things to fix here.

1. Your NVIDIA model ref is wrong

You currently have:

"nvidia/nemotron-3-super-120b-a12b"

It should be:

"nvidia/nvidia/nemotron-3-super-120b-a12b"

2. You still need the API key in config/env

Add:

"env": {
  "NVIDIA_API_KEY": "nvapi-..."
}

3. If that gateway token is real, rotate it now

You pasted it in a public thread. Replace it with a new one and restart.

A corrected version would look like this:

{
  env: {

    NVIDIA_API_KEY: "nvapi-..."
  },

  agents: {
    defaults: {
      workspace: "/home/v8816/.openclaw/workspace",
      model: {
        primary: "nvidia/nvidia/nemotron-3-super-120b-a12b"
      },
      models: {
        "nvidia/nvidia/nemotron-3-super-120b-a12b": {}
      }
    }
  },

  gateway: {
    mode: "local",
    auth: {
      mode: "token",
      token: "PUT_A_NEW_GATEWAY_TOKEN_HERE"
    }
  },

  meta: {
    lastTouchedVersion: "2026.4.14",
    lastTouchedAt: "2026-04-16T09:06:46.349Z"
  },

  plugins: {
    entries: {

      nvidia: {
        enabled: true
      }
    }
  }
}

Then run:

openclaw gateway restart

Docs:

• https://docs.openclaw.ai/providers/nvidia

If you want, I can also give you the same file with Telegram added in so you only have to paste one final config.

inst it should be looking like this? {
env: { NVIDIA_API_KEY: "nvapi-..." },
models: {
providers: {
nvidia: {
baseUrl: "https://integrate.api.nvidia.com/v1",
api: "openai-completions",
},
},
},
agents: {
defaults: {
model: { primary: "nvidia/nvidia/nemotron-3-super-120b-a12b" },
},
},
}

Yes, that shape is correct. That is basically the docs example for NVIDIA 👍

Two notes though:

1. You need to merge it into your existing config, not replace everything if you still want your gateway, workspace, or telegram settings.
2. For NVIDIA, the important bits are:
   • env.NVIDIA_API_KEY
   • the correct model ref: nvidia/nvidia/nemotron-3-super-120b-a12b

Also, the models.providers.nvidia block is fine, but in most cases it is optional because OpenClaw auto-enables NVIDIA when NVIDIA_API_KEY is set.

So for you, a minimal valid version is:

{
  env: {

    NVIDIA_API_KEY: "nvapi-..."
  },

  agents: {
    defaults: {
      workspace: "/home/v8816/.openclaw/workspace",
      model: {
        primary: "nvidia/nvidia/nemotron-3-super-120b-a12b"
      }
    }
  },

  gateway: {
    mode: "local",
    auth: {

      mode: "token",
      token: "PUT_A_NEW_GATEWAY_TOKEN_HERE"
    }
  }
}

If you want, I can give you the full merged config with:

• NVIDIA
• Telegram
• execApprovals: false
• your workspace path

all in one paste-ready block.

ye send me finished config with all it should have, like providers with base url

Yep, here’s a finished JSON5 config you can use as a base.

Replace the placeholder values first:

{
  env: {
    NVIDIA_API_KEY: "nvapi-REPLACE_ME",
  },

  models: {
    providers: {
      nvidia: {
        baseUrl: "https://integrate.api.nvidia.com/v1",
        api: "openai-completions",
      },

    },
  },

  agents: {
    defaults: {
      workspace: "/home/v8816/.openclaw/workspace",
      model: {
        primary: "nvidia/nvidia/nemotron-3-super-120b-a12b",
      },
      models: {
        "nvidia/nvidia/nemotron-3-super-120b-a12b": {},
      },
    },
  },

  gateway: {
    mode: "local",
    auth: {
      mode: "token",
      token: "REPLACE_WITH_A_NEW_GATEWAY_TOKEN",
    },
  },

  channels: {
    telegram: {
      enabled: true,
      botToken: "REPLACE_WITH_TELEGRAM_BOT_TOKEN",
      dmPolicy: "allowlist",
      allowFrom: ["REPLACE_WITH_YOUR_NUMERIC_TELEGRAM_USER_ID"],
      groups: {

        "*": {
          requireMention: true,
        },
      },
      execApprovals: {
        enabled: false,
      },
    },
  },

  plugins: {
    entries: {
      nvidia: {
        enabled: true,
      },

    },
  },
}

Then restart:

openclaw gateway restart

A few important notes:

• use the full NVIDIA model ref: nvidia/nvidia/nemotron-3-super-120b-a12b
• if the gateway token you pasted earlier was real, change it now
• if you run OpenClaw on your homelab, 127.0.0.1:18789 only works on that same machine

Docs:

• https://docs.openclaw.ai/providers/nvidia
• https://docs.openclaw.ai/channels/telegram

Glad that helped! 🎉
If this fixed it, please right-click the solution message → Apps → ✅ Mark Solution.
This helps Answer Overflow index the solution for future users.

Config invalid
File: ~/.openclaw/openclaw.json
Problem:

• models.providers.nvidia.models: Invalid input: expected array, received undefined

Yep, that’s on me, good catch.

On your version (2026.4.14), if you explicitly add models.providers.nvidia, it expects a models array too.

Easiest fix

Remove the whole models.providers.nvidia block and let OpenClaw auto-enable NVIDIA from NVIDIA_API_KEY.

Use this instead:

{
  env: {
    NVIDIA_API_KEY: "nvapi-REPLACE_ME",
  },

  agents: {

    defaults: {
      workspace: "/home/v8816/.openclaw/workspace",
      model: {
        primary: "nvidia/nvidia/nemotron-3-super-120b-a12b",
      },
      models: {
        "nvidia/nvidia/nemotron-3-super-120b-a12b": {},
      },
    },
  },

  gateway: {
    mode: "local",
    auth: {
      mode: "token",

      token: "REPLACE_WITH_A_NEW_GATEWAY_TOKEN",
    },
  },

  channels: {
    telegram: {
      enabled: true,
      botToken: "REPLACE_WITH_TELEGRAM_BOT_TOKEN",
      dmPolicy: "allowlist",
      allowFrom: ["REPLACE_WITH_YOUR_NUMERIC_TELEGRAM_USER_ID"],
      groups: {
        "*": {
          requireMention: true,
        },
      },

      execApprovals: {
        enabled: false,
      },
    },
  },

  plugins: {
    entries: {
      nvidia: {
        enabled: true,
      },
    },
  },
}

Then:

openclaw gateway restart

So the short version is:

• keep env.NVIDIA_API_KEY
• keep the correct model ref
• delete models.providers.nvidia on this build

If this works, please right-click the solution message → Apps → ✅ Mark Solution so Answer Overflow can index it for the next person.

i have 2nd problem i need to use telegramm api but in my country its blocked what can i use to unblock it on ubuntu server

I can’t help with bypassing a country-level block or giving evasion steps for Telegram.

What I can suggest instead:

• use a different OpenClaw channel that is available in your region
• run OpenClaw on infrastructure/network where Telegram access is allowed and you’re compliant with local rules
• keep the rest of your config the same, then swap only the channel section

Channel docs:

• https://docs.openclaw.ai/channels/index

If you want, I can help you switch your config from Telegram to another supported channel that should work better for your setup.

i have 3rd problem when model answer me it writes all what it thinks

That is usually one of these two:

Quick fix in chat

Send:

/reasoning off
/think off

• /reasoning off hides reasoning/thought blocks
• /think off tells the model not to use thinking mode where supported

Make it default in config

Add this under agents.defaults:

agents: {
  defaults: {
    thinkingDefault: "off",
    reasoningDefault: "off",
  },
}

So for example:

{
  agents: {
    defaults: {
      workspace: "/home/v8816/.openclaw/workspace",

      model: {
        primary: "nvidia/nvidia/nemotron-3-super-120b-a12b",
      },
      thinkingDefault: "off",
      reasoningDefault: "off",
    },
  },
}

Then restart:

openclaw gateway restart

Docs:

• https://docs.openclaw.ai/tools/thinking

If it still prints thoughts after both are off, then the model itself is probably outputting them as normal text, and we should switch models.

how can i fix this Error: Gateway is only bound to loopback. Set gateway.bind=lan, enable tailscale serve, or configure plugins.entries.device-pair.config.publicUrl.

That error means the device-pair / QR flow needs a URL that other devices can actually reach, but your gateway is only listening on 127.0.0.1.

You have 3 real options:

1. Easiest on a home network: bind to LAN

In ~/.openclaw/openclaw.json:

{
  gateway: {
    mode: "local",
    bind: "lan",
    auth: {
      mode: "token",
      token: "REPLACE_WITH_A_NEW_GATEWAY_TOKEN",
    },

  },
}

Then restart:

openclaw gateway restart

After that, open it from another device using your server’s LAN IP, for example:

http://192.168.1.50:18789

2. Best if you use Tailscale

Keep loopback bind, but use:

openclaw gateway --tailscale serve

But earlier your logs showed:

spawn tailscale ENOENT

so you would need to install Tailscale first.

3. If you already have a domain / reverse proxy

Set a public URL for the device-pair plugin:

{
  plugins: {
    entries: {
      "device-pair": {
        config: {
          publicUrl: "https://openclaw.yourdomain.com",
        },
      },
    },
  },
}

My recommendation for you

Since this is a homelab setup, I’d do option 1: gateway.bind: "lan" first. It is the simplest.

Docs:

• https://docs.openclaw.ai/help/faq
• https://docs.openclaw.ai/gateway/tailscale

If you want, I can give you a full merged config with:

• NVIDIA
• Telegram
• execApprovals: false
• gateway.bind: "lan"

all together in one paste-ready file.

how i can make my server openclaw control my pc

You want a node host.

That means:

• OpenClaw gateway stays on the server
• your PC connects to it as a node
• then OpenClaw can run commands on that PC, and browser control can proxy through that PC too

Important

This is not full remote desktop by itself.
It is more like: “let the server’s OpenClaw run approved commands on my PC”.

Basic setup

1. Make the gateway reachable from your PC

If your server gateway is only on loopback, your PC cannot reach it.

So either:

• set gateway.bind: "lan" on the server, or
• use Tailscale, or
• use an SSH tunnel

2. On the PC, run the node host

export OPENCLAW_GATEWAY_TOKEN="YOUR_GATEWAY_TOKEN"
openclaw node run --host <SERVER_IP> --port 18789 --display-name "My PC"

3. On the server, approve the node

openclaw devices list

openclaw devices approve <requestId>
openclaw nodes status

4. Point exec at the node

On the server:

openclaw config set tools.exec.host node
openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "My PC"

Then approved exec calls can run on that PC.

Docs

• https://docs.openclaw.ai/nodes
• https://docs.openclaw.ai/cli/node

If you want, I can give you the exact commands for your setup:

• homelab server
• Ubuntu PC
• with gateway.bind=lan included.

my pc on windows

Perfect, then here’s the Windows version.

1. On the homelab server, make the gateway reachable on LAN

In ~/.openclaw/openclaw.json make sure you have:

{
  gateway: {
    mode: "local",
    bind: "lan",
    auth: {
      mode: "token",
      token: "YOUR_GATEWAY_TOKEN",
    },
  },
}

Then restart on the server:

openclaw gateway restart

2. On your Windows PC, connect it as a node

Open PowerShell on Windows and run:

$env:OPENCLAW_GATEWAY_TOKEN="YOUR_GATEWAY_TOKEN"
openclaw node run --host <YOUR_SERVER_LAN_IP> --port 18789 --display-name "Windows PC"

Example:

$env:OPENCLAW_GATEWAY_TOKEN="abc123"
openclaw node run --host 192.168.1.50 --port 18789 --display-name "Windows PC"

Keep that terminal open for the first test.

3. Back on the server, approve the node

openclaw devices list
openclaw devices approve <requestId>
openclaw nodes status

You should then see the node show up.

4. Tell OpenClaw to use that Windows PC for exec

On the server:

openclaw config set tools.exec.host node
openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "Windows PC"

5. Test it

Once paired, your server-side OpenClaw can run approved commands on that Windows PC.

Docs:

• https://docs.openclaw.ai/nodes
• https://docs.openclaw.ai/cli/node

If you want, next I can give you:

• a copy-paste Windows test command
• and the server-side allowlist command so you can verify it actually works.

PS C:\WINDOWS\system32> $env:OPENCLAW_GATEWAY_TOKEN="bd8453d0961cd5ca0a53d8f695fa1787d18d7c4c341a12cd"

openclaw node run --host 192.168.1.76 --port 18789 --display-name "Windows PC"

🦞 OpenClaw 2026.4.12 (1c0672b) — The only crab in your contacts you actually want to hear from. 🦞

node host gateway connect failed: SECURITY ERROR: Cannot connect to "192.168.1.76" over plaintext ws://. Both credentials and chat data would be exposed to network interception. Use wss:// for remote URLs. Safe defaults: keep gateway.bind=loopback and connect via SSH tunnel (ssh -N -L 18789:127.0.0.1:18789 user@gateway-host), or use Tailscale Serve/Funnel. Break-glass (trusted private networks only): set OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1. Run openclaw doctor --fix for guidance.

That error is expected, the Windows node is refusing an insecure ws:// connection to a remote host.

Best fix: use an SSH tunnel

On Windows PowerShell, open one terminal and keep it running:

ssh -N -L 18790:127.0.0.1:18789 user@192.168.1.76

Then in a second PowerShell window:

$env:OPENCLAW_GATEWAY_TOKEN="NEW_GATEWAY_TOKEN"
openclaw node run --host 127.0.0.1 --port 18790 --display-name "Windows PC"

That way the node talks to a local tunnel, not plaintext over the LAN.

Also do this

Your Windows node is on 2026.4.12 while the server is on 2026.4.14.
I’d update Windows too, so both sides match better.

Very important

If the token you pasted is real, rotate it now. It is in a public thread.

I do not recommend using the break-glass insecure WS env var unless you really understand the risk.

Docs:

• https://docs.openclaw.ai/nodes
• https://docs.openclaw.ai/cli/node

If you want, I can give you the exact server-side approve + allowlist test commands after the tunnel is up.

14:12:19 [ws] closed before connect conn=442facfd-9424-4707-90ff-fbd360bbeb3b peer=192.168.1.70:57893->192.168.1.76:18789 remote=192.168.1.70 fwd=n/a origin=http://192.168.1.76:18789 host=192.168.1.76:18789 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 YaBrowser/26.3.0.0 Safari/537.36 code=1008 reason=origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins)
14:12:34 [ws] closed before connect conn=c01daa7f-1622-4c15-beea-ce23cf56d566 peer=192.168.1.70:57941->192.168.1.76:18789 remote=192.168.1.70 fwd=n/a origin=http://192.168.1.76:18789 host=192.168.1.76:18789 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 YaBrowser/26.3.0.0 Safari/537.36 code=4008 reason=connect failed
this is what happen on server

This log is from a browser, not from the Windows node host.

The clue is here:

ua=Mozilla/5.0 ... Chrome ... YaBrowser ...
reason=origin not allowed

So this is the Control UI being blocked by gateway.controlUi.allowedOrigins.

Fix for the browser UI

Add this to your server config:

{

  gateway: {
    bind: "lan",
    auth: {
      mode: "token",
      token: "YOUR_NEW_GATEWAY_TOKEN",
    },
    controlUi: {
      allowedOrigins: [
        "http://192.168.1.76:18789",
      ],
    },
  },
}

Then restart:

openclaw gateway restart

Important

The origin must match exactly what your browser uses.
So if you open it via another hostname later, add that exact origin too.

Also important

If your goal right now is the Windows node host, this browser error is a separate issue.
The node host should be run from PowerShell, not by opening the UI in the browser.

So:

• browser UI problem → fix gateway.controlUi.allowedOrigins

• Windows node host problem → use the SSH tunnel approach from the earlier step

Docs:

• https://docs.openclaw.ai/web/control-ui
• https://docs.openclaw.ai/help/faq

If you want, I can send you one final merged config with:

• NVIDIA
• Telegram
• gateway.bind: "lan"
• controlUi.allowedOrigins
• execApprovals: false

all together in one block.

{
"env": {
"NVIDIA_API_KEY": "nvapi-"
},
"agents": {
"defaults": {
"workspace": "/home/v8816/.openclaw/workspace",
"model": {
"primary": "nvidia/nvidia/nemotron-3-super-120b-a12b"
},
"models": {
"nvidia/nvidia/nemotron-3-super-120b-a12b": {}
}
}
},
"gateway": {
"mode": "local",
"bind": "lan",
"auth": {
"mode": "token",
"token": ""
}
},
"channels": {
"telegram": {
"enabled": true,
"botToken": "",
"dmPolicy": "allowlist",
"allowFrom": [
"1821538367"
],
"groups": {
"*": {
"requireMention": true
}
},
"execApprovals": {
"enabled": false
}
}
},
"plugins": {
"entries": {
"nvidia": {
"enabled": true
},
"telegram": {
"enabled": true
}
}
},
"meta": {
"lastTouchedVersion": "2026.4.14",
"lastTouchedAt": "2026-04-16T10:15:34.734Z"
}
}
do little changes so it will work fine

Your config is close. I’d make these small changes:

• add thinkingDefault: "off" and reasoningDefault: "off"
• add gateway.controlUi.allowedOrigins
• make sure NVIDIA_API_KEY, gateway.auth.token, and telegram.botToken are real values, not empty strings

Here is the cleaned-up version:

{
  env: {
    NVIDIA_API_KEY: "nvapi-REPLACE_ME",
  },

  agents: {
    defaults: {

      workspace: "/home/v8816/.openclaw/workspace",
      model: {
        primary: "nvidia/nvidia/nemotron-3-super-120b-a12b",
      },
      models: {
        "nvidia/nvidia/nemotron-3-super-120b-a12b": {},
      },
      thinkingDefault: "off",
      reasoningDefault: "off",
    },
  },

  gateway: {
    mode: "local",
    bind: "lan",

    auth: {
      mode: "token",
      token: "REPLACE_WITH_A_NEW_GATEWAY_TOKEN",
    },
    controlUi: {
      allowedOrigins: [
        "http://192.168.1.76:18789",
      ],
    },
  },

  channels: {
    telegram: {
      enabled: true,
      botToken: "REPLACE_WITH_TELEGRAM_BOT_TOKEN",

      dmPolicy: "allowlist",
      allowFrom: ["1821538367"],
      groups: {
        "*": {
          requireMention: true,
        },
      },
      execApprovals: {
        enabled: false,
      },
    },
  },

  plugins: {
    entries: {

      nvidia: {
        enabled: true,
      },
      telegram: {
        enabled: true,
      },
    },
  },

  meta: {
    lastTouchedVersion: "2026.4.14",
    lastTouchedAt: "2026-04-16T10:15:34.734Z",
  },
}

Then run:

openclaw gateway restart

Two quick notes:

• if you pasted any real token publicly, rotate it
• this fixes the gateway/UI side. For the Windows node host, you still want the SSH tunnel approach we used earlier

Glad that helped! 🎉
If this fixed it, please right-click the solution message → Apps → ✅ Mark Solution.
This helps Answer Overflow index the solution for future users.

v8816@west jackal1:~/minecraft/Server$ openclaw gateway
Invalid config at /home/v8816/.openclaw/openclaw.json:\n- agents.defaults: Unrecognized key: "reasoningDefault"

🦞 OpenClaw 2026.4.14 (323493f) — More integrations than your therapist's intake form.

Config invalid
File: ~/.openclaw/openclaw.json
Problem:

• agents.defaults: Unrecognized key: "reasoningDefault"

Run: openclaw doctor --fix

Yep, that one is on me, sorry.

On 2026.4.14, reasoningDefault is not supported in agents.defaults.

Fix

Just remove this line:

reasoningDefault: "off",

Keep the rest, then restart:

openclaw gateway restart

For hiding model thoughts on this version

Use the chat command instead:

/reasoning off

And if needed:

/think off

So, short version:

• remove reasoningDefault
• restart gateway
• use /reasoning off in chat

If you want, paste the updated config again and I’ll sanity-check it before you restart.

PS C:\WINDOWS\system32> $env:OPENCLAW_GATEWAY_TOKEN=""

openclaw node run --host 192.168.1.76 --port 18789 --display-name "Windows PC"

🦞 OpenClaw 2026.4.12 (1c0672b) — I autocomplete your thoughts—just slower and with more API calls.

node host gateway connect failed: SECURITY ERROR: Cannot connect to "192.168.1.76" over plaintext ws://. Both credentials and chat data would be exposed to network interception. Use wss:// for remote URLs. Safe defaults: keep gateway.bind=loopback and connect via SSH tunnel (ssh -N -L 18789:127.0.0.1:18789 user@gateway-host), or use Tailscale Serve/Funnel. Break-glass (trusted private networks only): set OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1. Run openclaw doctor --fix for guidance.

Emptying the token will not fix this.
The problem is not auth, it is plaintext ws:// to a remote host.

So this will keep failing until you do one of these:

Best option: SSH tunnel

PowerShell window 1

ssh -N -L 18790:127.0.0.1:18789 user@192.168.1.76

PowerShell window 2

$env:OPENCLAW_GATEWAY_TOKEN="YOUR_REAL_GATEWAY_TOKEN"
openclaw node run --host 127.0.0.1 --port 18790 --display-name "Windows PC"

Or, only on a trusted private LAN, use the break-glass flag

$env:OPENCLAW_ALLOW_INSECURE_PRIVATE_WS="1"
$env:OPENCLAW_GATEWAY_TOKEN="YOUR_REAL_GATEWAY_TOKEN"
openclaw node run --host 192.168.1.76 --port 18789 --display-name "Windows PC"

I still recommend the SSH tunnel path.

Also, your Windows OpenClaw is still on 2026.4.12, so I’d update that box when you can.

If you want, after you run one of those, paste the next output and I’ll walk you through the pairing step.

14:45:36 gateway connect failed: GatewayClientRequestError: pairing required
14:45:36 [tools] nodes failed: agent=main node=bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d gateway=default action=invoke: pairing required before node invoke. Approve the pending pairing request and retry. raw_params={"action":"invoke","node":"bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d","invokeCommand":"start","invokeParamsJson":""https://www.youtube.com/watch?v=dQw4w9WgXcQ\""}
14:45:46 [tools] nodes failed: agent=main node=bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d gateway=default action=describe: gateway closed (1006 abnormal closure (no close frame)): no close reason
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /home/v8816/.openclaw/openclaw.json
Bind: lan raw_params={"action":"describe","node":"bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d"}

14:45:41 [tools] nodes failed: agent=main node=bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d gateway=default action=approve: requestId required raw_params={"action":"approve","node":"bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d"}

You’re very close now.

The important part is this:

pairing required before node invoke
requestId required

So the node exists, but it is not approved yet.

What to do on the server

Run:

openclaw devices list

Look for the pending request for your Windows PC node with role node.

Then approve it with the requestId, not the node id:

openclaw devices approve <requestId>

After that:

openclaw nodes status

Important

Do not use this as the request id:

bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d

That is the node id, not the pairing request id.

If the node keeps retrying, the pending request id can change, so run openclaw devices list right before approving.

Once it is approved, retry the node action.

If you want, paste the output of openclaw devices list and I’ll point to the exact request to approve.

14:49:46 [tools] nodes failed: agent=main node=bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d gateway=default action=invoke: invokeCommand "system.run" is reserved for shell execution; use exec with host=node instead raw_params={"action":"invoke","node":"bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d","invokeCommand":"system.run","invokeParamsJson":"{"command": "start https://www.youtube.com/watch?v=dQw4w9WgXcQ\"}"}

This is actually progress ✅

It means the node is there now, but you are using the wrong tool path.

system.run is not meant to be called through nodes invoke.
For shell commands on a node, OpenClaw wants you to use:

exec with host=node

Do this on the server

openclaw config set tools.exec.host node
openclaw config set tools.exec.security allowlist

openclaw config set tools.exec.node "Windows PC"

Then allowlist the Windows shell

Example:

openclaw approvals allowlist add --node "Windows PC" "C:\\Windows\\System32\\cmd.exe"

Then use exec on the node

For a Windows URL-open test, the command would be something like:

cmd /c start "" "https://www.youtube.com/watch?v=dQw4w9WgXcQ"

So the short version is:

• don’t use nodes invoke system.run
• do use exec with host=node

If you want, I can give you the exact test flow for Windows, step by step, so you can confirm the node works with one simple command.

lets name it "My PC"?

Yep, "My PC" is totally fine.

Just use that same name everywhere:

On Windows

openclaw node run --host 127.0.0.1 --port 18790 --display-name "My PC"

On the server

openclaw config set tools.exec.host node
openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "My PC"

Allowlist example

openclaw approvals allowlist add --node "My PC" "C:\\Windows\\System32\\cmd.exe"

That way OpenClaw knows exactly which node to use.

how can i add all in allowlist so openclaw bot can u se anything

If you want the bot to be able to use anything, do not try to stuff “everything” into the allowlist.

Use full exec instead.

Safer option, recommended

Keep:

openclaw config set tools.exec.security allowlist

and only allow the commands you actually want.

YOLO option, full control

If you really want OpenClaw to have broad control of "My PC":

openclaw config set tools.exec.host node
openclaw config set tools.exec.node "My PC"
openclaw config set tools.exec.security full
openclaw config set tools.exec.ask off

That means:

• no allowlist needed
• no approval prompts
• the bot can run commands on that node freely

I would only do that on a machine you fully trust OpenClaw with, ideally not your main everyday PC.

Docs:

• https://docs.openclaw.ai/tools/exec
• https://docs.openclaw.ai/tools/exec-approvals

So the short answer is:
don’t add all to allowlist, switch tools.exec.security to full instead.

If you want, I can give you the exact Windows test command to verify full node exec is working.

14:57:50 [ws] ⇄ res ✗ node.invoke 783ms errorCode=UNAVAILABLE errorMessage=INVALID_REQUEST: Error: Navigation blocked: strict browser SSRF policy requires an IP-literal URL because browser DNS rebinding protections are unavailable for hostname-based navigation conn=9b69102c…7970 id=6b7764dc…4a12
14:57:50 [tools] browser failed: INVALID_REQUEST: Error: Navigation blocked: strict browser SSRF policy requires an IP-literal URL because browser DNS rebinding protections are unavailable for hostname-based navigation raw_params={"action":"open","target":"node","node":"bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d","url":"https://www.youtube.com/watch?v=dQw4w9WgXcQ"}

This one is the browser tool, not exec.

It is being blocked by the node browser’s SSRF protection, because you are trying to open a hostname URL (www.youtube.com) through the remote browser proxy.

Easiest fix for your use case

If you just want the Windows PC to open a website, do not use the browser tool here.
Use exec on the node instead:

cmd /c start "" "https://www.youtube.com/watch?v=dQw4w9WgXcQ"

That is the simpler path for “open this URL on my PC”.

What this means

• browser open on the node is being blocked by browser SSRF rules
• exec host=node is the better choice for launching apps/URLs on Windows

So for now:

• open websites / apps on Windows → use exec host=node
• full browser automation → possible, but you’ll need extra browser SSRF config for hostname navigation

If you want, I can give you the exact Windows exec test command for "My PC" next.

im trying to make my openclaw agent launch any apps, cmd commands etc

Got it, then the path you want is:

Windows node host + exec host=node + full exec

1. Make sure the Windows node is connected

Run the node host on Windows and get it paired as "My PC".

2. On the server, set node exec as the default

openclaw config set tools.exec.host node
openclaw config set tools.exec.node "My PC"
openclaw config set tools.exec.security full
openclaw config set tools.exec.ask off

That is the “let the agent use the PC freely” setup.

3. Then use Windows shell commands through exec

Examples:

Open Notepad

cmd /c start "" notepad.exe

Open Calculator

cmd /c start "" calc.exe

Open a website

cmd /c start "" "https://example.com"

Run a normal cmd command

cmd /c dir C:\

Run PowerShell

powershell -Command "Get-Process | Select-Object -First 10"

Important

Do not use:

• browser open for this
• nodes invoke system.run

For apps and commands on Windows, use exec on the node.

Also, because you want “any apps / any commands”, I strongly recommend updating the Windows side from 2026.4.12 to match the server better.

If you want, I can give you a single simple test command that proves the agent can control "My PC" end-to-end.

when agent try to launch command error happen 15:15:59 [ws] ⇄ res ✗ node.invoke 9878ms errorCode=UNAVAILABLE errorMessage=INVALID_REQUEST: Error: Not Found conn=f9a5ad29…66ef id=db7037ce…191b
15:15:59 [tools] nodes failed: agent=main node=bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d gateway=default action=invoke: INVALID_REQUEST: Error: Not Found raw_params={"action":"invoke","node":"bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d","invokeCommand":"browser.proxy","invokeParamsJson":"{"path":"https://www.youtube.com/watch?v=dQw4w9WgXcQ\"}"}

That error means the agent is still trying to use the browser proxy path:

invokeCommand: "browser.proxy"

and your Windows node is answering:

Error: Not Found

So this is not the right path for launching apps or cmd commands.

What this means

• browser.proxy is for browser control
• you want Windows command execution

• for that, the agent should use exec host=node, not browser.proxy

Likely reasons for this specific error

1. your Windows node is still on 2026.4.12, so it may not expose the newer browser proxy surface cleanly
2. or browser proxy is not available on that node

For your actual goal, ignore browser proxy

Use node exec for commands like:

cmd /c start "" notepad.exe
cmd /c start "" calc.exe
cmd /c dir C:\
powershell -Command "Get-Process | Select-Object -First 10"

I would do this next

• update the Windows OpenClaw install to match the server better
• keep using exec on the node for apps/cmd
• do not use browser.proxy for this task

If you want, I can give you one simple end-to-end test for "My PC" that should open Notepad and prove the setup is working.

what should i do? should i say something to my agent

Yes, be very explicit to the agent.

Tell it something like:

Use exec on the Windows node named "My PC". Do not use browser, browser.proxy, or nodes invoke. Run this exact command:
cmd /c start "" notepad.exe

Or if you want to open a URL:

Use exec on the Windows node named "My PC". Do not use browser or browser.proxy. Run this exact command:
cmd /c start "" "https://www.youtube.com/watch?v=dQw4w9WgXcQ"

The important part is:

• say “use exec”
• say “do not use browser/browser.proxy”
• give the exact Windows command

If you want a super simple first test, use this one:

Use exec on "My PC" and run:
cmd /c start "" calc.exe

If Calculator opens, the setup is working.

⚠️ 📱 Nodes: node bf02ac52856743082263e704f8cf7f76aec034b47137db9f1e5afd2178d8327d, title OpenClaw, body Approve execution of command: cmd /c start "" notepad.exe failed

That is actually good progress.

It means:

• the command reached the Windows node
• the thing blocking it now is exec approval policy

So the remaining fix is: make sure your session is really using full node exec, not allowlist/approval mode.

Check your server config

Run on the server:

openclaw config get tools.exec.host
openclaw config get tools.exec.node
openclaw config get tools.exec.security
openclaw config get tools.exec.ask

You want to see:

• host → node
• node → "My PC"
• security → full
• ask → off

If not, set them again:

openclaw config set tools.exec.host node
openclaw config set tools.exec.node "My PC"
openclaw config set tools.exec.security full
openclaw config set tools.exec.ask off

Then restart the gateway:

openclaw gateway restart

Also tell the current session explicitly

In chat with the agent, send:

/exec host=node security=full ask=off node=My PC

Then try again with:

Use exec on "My PC". Do not use browser or nodes invoke. Run:
cmd /c start "" notepad.exe

So, short version:

• the node connection works
• approvals are the last blocker
• force security=full + ask=off both in config and in the session

If you paste the output of those four openclaw config get tools.exec... commands, I’ll check them for you.

he say he cant do this because i need to give him permission on my pc

Yep, that makes sense.

There are 2 different permission layers here:

1. OpenClaw/node permission

This is the node host asking, “should I allow this command on the Windows PC?”

If you see a prompt/notification on the Windows machine, approve it there.

If you do not want OpenClaw to ask every time, then make sure you have:

openclaw config set tools.exec.host node
openclaw config set tools.exec.node "My PC"
openclaw config set tools.exec.security full
openclaw config set tools.exec.ask off

openclaw gateway restart

and in the chat session:

/exec host=node security=full ask=off node=My PC

2. Windows permission

Even if OpenClaw allows it, Windows itself can still ask for permission for some actions, especially admin/UAC stuff.

So:

• OpenClaw permission = node/gateway approval
• Windows permission = UAC / OS-level prompt on the PC