# The OpenClaw Production Checklist: 15 Things to Do Before Going Live
You installed OpenClaw. You sent a test message. Your AI responded.
Now what?
Most people stop here. They have a working chatbot and call it an "AI agent." Then they wonder why it forgets everything tomorrow, has no security, and can't do anything useful without being prompted.
Going from "it works" to "it works in production" requires 15 specific steps. Here's the checklist.
## Security (Do These First)
### 1. Disable Password SSH Login
If your server accepts password-based SSH, you're inviting brute-force attacks. Switch to key-only authentication.
```bash
# Generate SSH key (if you don't have one)
ssh-keygen -t ed25519 -C "your-email@example.com"

# Copy to server
ssh-copy-id user@your-server

# Then disable password auth on the server
# (matches the directive whether or not the line is commented out)
sudo sed -i -E 's/^#?PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
# On Debian/Ubuntu the unit is named ssh; sshd may exist only as an alias
sudo systemctl restart sshd
```
Skip this and you'll get brute-forced within 48 hours. Not a hypothetical — it's one of the most common attacks on public-facing servers.
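
Editing `sshd_config` is not proof that password logins are off: sshd keeps the first value it reads for each keyword, so a drop-in included from `/etc/ssh/sshd_config.d/` can still win. The check below is an added example, not part of the original checklist; it parses the effective settings printed by `sshd -T`, and the function name and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original checklist): verify the effective sshd
# settings. Reads `sshd -T` output on stdin, prints findings, returns 1 on any.
check_sshd_effective() {
    awk '
        # sshd -T prints lowercase "keyword value" pairs.
        $1 == "passwordauthentication" { seen = 1 }
        $1 == "passwordauthentication" && $2 != "no" { print "FAIL: " $0; bad = 1 }
        # Keyboard-interactive (PAM) can still prompt for a password;
        # older OpenSSH reports it as challengeresponseauthentication.
        $1 ~ /^(kbdinteractive|challengeresponse)authentication$/ && $2 != "no" {
            print "FAIL: " $0; bad = 1 }
        $1 == "pubkeyauthentication" && $2 != "yes" { print "FAIL: " $0; bad = 1 }
        END {
            if (!seen) { print "FAIL: passwordauthentication not reported"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample of `sshd -T` output where a drop-in re-enabled passwords.
SAMPLE_BAD='permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Real use (root is needed to read the host keys):
#   sudo sshd -T | check_sshd_effective
printf '%s\n' "$SAMPLE_BAD" | check_sshd_effective || echo "password login still possible"
```

Keep your current SSH session open while you run the real check from a second one, so a bad config cannot lock you out.
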
### 2. Set Up a Firewall
Only open the ports you actually need.
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
```
That's it. SSH, HTTP, HTTPS. Everything else is blocked.
### 3. Install fail2ban
Automatically bans IPs that fail too many login attempts.
```bash
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```
Default config bans after 5 failed attempts for 10 minutes. For production, increase the ban time to 1 hour.
### 4. Move Secrets to Environment Variables
Never store API keys in files. Use environment variables.
```bash
# Bad
echo "sk_live_abc123" > ~/.stripe-key

# Good
export STRIPE_SECRET_KEY="sk_live_abc123"
# Or add to ~/.bashrc / systemd service file
```
If your AI can read files, it can read your API keys. Environment variables are harder to accidentally expose.
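
Moving a key into the environment only helps if no copy is left on disk, and typing `export STRIPE_SECRET_KEY=...` at an interactive prompt leaves one in the shell history file. This scan is an added example, not part of the original checklist; `find_plaintext_keys`, the regex and the sample files are assumptions built around the `sk_live_` key shown above.

```shell
#!/bin/sh
# Added example (not from the original checklist): find files that still hold a
# key-like string, reporting location only so the secret is never echoed.
KEY_REGEX='sk_live_[A-Za-z0-9]+'   # assumption: extend for other providers

find_plaintext_keys() {
    # $1 = directory the agent can read (its home or workspace).
    # Prints "path:line" per hit; returns 1 if anything was found.
    dir=${1:?directory required}
    hits=$(grep -rIEn -e "$KEY_REGEX" "$dir" 2>/dev/null | cut -d: -f1,2)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed demo: the "Good" export, typed interactively, lands in history.
demo=$(mktemp -d)
printf 'sk_live_abc123\n' > "$demo/.stripe-key"
printf 'ls\nexport STRIPE_SECRET_KEY="sk_live_abc123"\n' > "$demo/.bash_history"
printf 'STRIPE_SECRET_KEY is read from the environment\n' > "$demo/notes.md"
find_plaintext_keys "$demo" || echo "keys still on disk: rotate them, then remove the copies"
rm -rf "$demo"
```
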
### 5. Set Up Audit Logging
Every command your AI runs should be logged. If something goes wrong, you need to know what happened.
Create a command logging script that captures every shell execution with timestamps. Store logs in a dedicated directory with daily rotation.
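
One way to build that logging script, as an added example that is not part of the original checklist: a wrapper that writes a START and END record around each command into one file per day. `AUDIT_DIR`, `AUDIT_KEEP_DAYS` and the function names are assumptions, and how the agent's shell tool is routed through `audit_run` depends on your setup.

```shell
#!/bin/sh
# Added example (not from the original checklist): run a command through an
# audit wrapper. AUDIT_DIR, AUDIT_KEEP_DAYS and function names are assumptions.
AUDIT_DIR="${AUDIT_DIR:-$HOME/agent-audit}"
AUDIT_KEEP_DAYS="${AUDIT_KEEP_DAYS:-30}"

audit_log_path() {
    # One file per UTC day; the date in the name is the daily rotation.
    printf '%s/%s.log\n' "$AUDIT_DIR" "$(date -u +%Y-%m-%d)"
}

audit_run() {
    [ "$#" -gt 0 ] || { echo "usage: audit_run <command> [args...]" >&2; return 2; }
    log=$(audit_log_path)
    # Create directory and file owner-only; fail closed if that is impossible.
    (umask 077; mkdir -p "$AUDIT_DIR" && : >> "$log") || return 1
    # Flatten newlines so one execution is always one START line.
    cmd=$(printf '%s ' "$@" | tr '\n\r' '  ')
    printf '%s START pid=%s user=%s cwd=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$(id -un)" "$PWD" "$cmd" >> "$log" || return 1
    rc=0
    "$@" || rc=$?
    printf '%s END pid=%s rc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$rc" >> "$log"
    return "$rc"
}

audit_prune() {
    # Remove daily logs older than the retention window.
    find "$AUDIT_DIR" -type f -name '*.log' -mtime +"$AUDIT_KEEP_DAYS" -exec rm -f {} +
}

# Usage: audit_run systemctl status fail2ban
# Arguments are logged verbatim, so secrets belong in environment variables
# (step 4), never on the command line.
```

The START record is written before the command runs, so a command that kills the session still leaves a trace. Keep the log directory outside anything the agent can write to directly.
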
## Identity (Make Your AI Useful)
### 6. Write SOUL.md
The most important file in your setup. This defines what your AI must NEVER do.
Essential rules:

- Never delete files without confirmation
- Never share API keys or secrets
- Never make purchases without approval
- Never access systems outside the defined scope
- If uncertain, stop and ask

Be specific. "Be careful" is not a rule. "Never run rm -rf without showing the exact command and receiving YES in chat" is a rule.
### 7. Define IDENTITY.md
Your AI's role, mission, and authority level.
A CEO agent has different authority than a support agent. Define it explicitly:

- Role: CEO, CTO, Support, Marketing, Custom
- Mission: one sentence, measurable
- Authority: what can it do without asking?

### 8. Configure USER.md
Your preferences. Timezone, communication style, how autonomous you want the AI to be.
This prevents the AI from defaulting to generic behavior. It knows you prefer bullet points over paragraphs, Chicago time over UTC, concise updates over lengthy reports.
### 9. Initialize MEMORY.md
Operating knowledge. Start with:

- Your hard rules (things the AI should always/never do)
- Communication preferences
- Current projects and priorities
- Lessons from past mistakes

This file grows over time. The AI adds to it as it learns how you work.
## Architecture (Make It Reliable)
### 10. Set Up Three-Layer Memory
- **Knowledge graph** (`~/life/`): folders for people, projects, companies. Each gets a `summary.md` and `items.json`.
- **Daily notes** (`memory/YYYY-MM-DD.md`): what happened today. The AI reads this every morning.
- **Tacit knowledge** (`MEMORY.md`): preferences, habits, hard rules. Not project-specific — person-specific.
### 11. Configure the Heartbeat
A cron job that fires every 10-15 minutes:
```bash
openclaw cron add --interval 600000 --prompt "Read HEARTBEAT.md and follow it strictly."
```
The heartbeat is what turns your AI from reactive to proactive. Without it, the AI only works when you prompt it.
### 12. Install at Least One Playbook
Don't try to do everything at once. Pick one business function:

- **Marketing**: content creation, social media, blog posts
- **Sales**: lead research, email drafting, CRM updates
- **Support**: ticket triage, response drafting, FAQ management
- **DevOps**: server monitoring, deployment, alerting

Start with one. Add more as trust builds.
## Operations (Keep It Running)
### 13. Set Up Monitoring
Check that your AI is actually running. Monitor:

- Gateway process health
- Heartbeat execution (is the cron firing?)
- Memory growth (are daily notes being written?)
- Error logs

A dead AI is worse than no AI — you think work is getting done when it isn't.
### 14. Create a Daily Review Process
Every evening (or automated at 3 AM):

- What was accomplished today?
- What's still pending?
- What blocked progress?
- What's the plan for tomorrow?

This keeps the AI accountable and prevents drift.
### 15. Test the Recovery Path
Kill the gateway. Restart it. Verify:

- Memory is intact
- Heartbeat resumes
- Identity files load correctly
- Tools still have access

If your AI can't survive a restart, it's not production-ready.
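
The monitoring items in step 13 and the post-restart checks in step 15 can share one script. This is an added example, not part of the original checklist: `WORKSPACE`, `GATEWAY_PATTERN`, the age threshold and the assumption that all identity files sit in one directory are placeholders to adapt, and freshness of today's note stands in for "memory is still being written".

```shell
#!/bin/sh
# Added example (not from the original checklist): health check to run after a
# restart and on a schedule. WORKSPACE, GATEWAY_PATTERN and the threshold are
# assumptions; point them at your own install.
WORKSPACE="${WORKSPACE:-$HOME/agent}"
GATEWAY_PATTERN="${GATEWAY_PATTERN:-openclaw}"   # placeholder process match
MAX_NOTE_AGE_MIN="${MAX_NOTE_AGE_MIN:-180}"

check_agent_files() {
    # Prints one line per problem; returns the number of problems (0 = healthy).
    fails=0
    for f in SOUL.md IDENTITY.md USER.md MEMORY.md HEARTBEAT.md; do
        if [ ! -s "$WORKSPACE/$f" ]; then
            echo "FAIL: $f missing or empty"
            fails=$((fails + 1))
        fi
    done
    note="$WORKSPACE/memory/$(date +%Y-%m-%d).md"
    if [ ! -s "$note" ]; then
        echo "FAIL: no daily note for today"
        fails=$((fails + 1))
    elif [ -z "$(find "$note" -mmin -"$MAX_NOTE_AGE_MIN")" ]; then
        echo "FAIL: daily note older than $MAX_NOTE_AGE_MIN minutes"
        fails=$((fails + 1))
    fi
    return "$fails"
}

check_gateway() {
    # Gateway process health: is anything matching the pattern running?
    pgrep -f "$GATEWAY_PATTERN" >/dev/null && return 0
    echo "FAIL: no process matching '$GATEWAY_PATTERN'"
    return 1
}

agent_health() {
    # Non-zero exit is what an alert or cron mail should key on.
    rc=0
    check_gateway || rc=1
    check_agent_files || rc=1
    return "$rc"
}
# Call agent_health right after restarting the gateway and from a scheduler.
```
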
## The Bottom Line
Installing OpenClaw takes 5 minutes. Making it production-ready takes 2 hours. The difference is the 15 steps above.
Skip them and you have a chatbot with extra steps. Complete them and you have a reliable AI employee that works 24/7.
The [DeployAlden kit](/#pricing) automates most of this checklist. The CLI handles steps 1-5 and 10-11. The guide walks you through 6-15. The playbooks give you pre-built workflows for step 12.