#install & configure orbstack

I need a hand configuring orbstack to work with openclaw.
MacMini M1 16GB RAM, openclaw 2026.5.12, ollama, Gemma4:e4b
I have installed orbstack but I have not configured it to work with my openclaw environment. My objective is to correct "small models require sandboxing and web tools disable" critical security warning.

For OrbStack, OpenClaw is just looking for a working Docker-compatible daemon. There is no special “OrbStack backend” config; set sandbox backend to Docker, build the sandbox image, then deny the web/browser tools for the small local model warning.

Quick path:

docker version
openclaw config set agents.defaults.sandbox.mode all
openclaw config set agents.defaults.sandbox.backend docker

Then build the sandbox image. From a source/git OpenClaw checkout:

cd ~/openclaw-ref   # or your actual openclaw repo checkout
scripts/sandbox-setup.sh

If you are not running from a repo checkout, try:

openclaw doctor

and accept the sandbox image repair if prompted. If doctor says it cannot locate scripts/sandbox-setup.sh, install/use the git checkout method or clone the repo just to build the local image.

For the specific critical warning, also disable web/browser tool exposure for the small model:

openclaw config set tools.deny '["group:web","browser"]' --strict-json

If you already have a tools.deny list, don’t blindly replace it; add group:web and browser to the existing list.

Then restart the gateway and verify:

openclaw gateway restart
openclaw sandbox explain
openclaw doctor

Expected result: sandbox.mode shows all, backend docker, and the small-model security finding should either clear or downgrade because web_search, web_fetch, and browser are no longer available.

Docs I checked:
https://docs.openclaw.ai/gateway/sandboxing
https://docs.openclaw.ai/gateway/sandbox-vs-tool-policy-vs-elevated
https://docs.openclaw.ai/gateway/local-models
https://docs.openclaw.ai/tools/web

What is the repo root?

The repo root is the top-level OpenClaw source folder — the directory that contains files like package.json, pnpm-lock.yaml, Dockerfile.sandbox, and the scripts/ folder.

If you installed with the git/source method, it is usually something like:

cd ~/openclaw
# or wherever you cloned OpenClaw

You can confirm you’re in the right place with:

ls package.json Dockerfile.sandbox scripts/sandbox-setup.sh

If that command finds all three, you’re at the repo root. Then run:

scripts/sandbox-setup.sh

If you don’t have a source checkout yet, clone one:

git clone https://github.com/openclaw/openclaw ~/openclaw
cd ~/openclaw
scripts/sandbox-setup.sh

Agent failed before reply: Sandbox image not found: openclaw-sandbox:bookworm-slim. Build it with scripts/sandbox-setup.sh
before enabling Docker sandboxing.

That error means the config is now pointing OpenClaw at Docker sandboxing, but the local Docker image has not been built yet.

Run this in Terminal, from the OpenClaw repo root:

cd ~/openclaw
docker version
scripts/sandbox-setup.sh
docker image inspect openclaw-sandbox:bookworm-slim
openclaw gateway restart
openclaw sandbox explain

If cd ~/openclaw fails, find where the repo is:

find ~ -maxdepth 3 -name Dockerfile.sandbox -print

Then cd into the folder that contains Dockerfile.sandbox and run:

scripts/sandbox-setup.sh

If you do not have a source checkout at all, clone one just to build the image:

git clone https://github.com/openclaw/openclaw ~/openclaw
cd ~/openclaw
scripts/sandbox-setup.sh

openclaw gateway restart

With OrbStack, docker version is the important first check. If that cannot reach a server, open OrbStack first and wait until Docker is running.