OpenClaw · May 20, 2026 · Last updated 2026-05-21 · 18 min read

OpenClaw Mac App Setup: Host It On Hyperbox

We ran the new OpenClaw Mac app on a Hyperbox Mac and captured the setup path end to end. The short version: OpenClaw.app is the native macOS control surface for Gateway connection, permissions, node capabilities, channels, skills, and execution approvals. Your laptop can use it. A persistent Hyperbox Mac mini is where the always-on runtime belongs.

OpenClaw Mac app selecting a discovered hyperbox.local Gateway during onboarding — The OpenClaw Mac app can discover a nearby Gateway such as hyperbox.local and connect this Mac as a native OpenClaw node.

Questions this page answers

What is the OpenClaw Mac app?
How does the OpenClaw Mac app connect to a local or remote Gateway?
Which macOS permissions and tools does the OpenClaw Mac app own?
How should I set up OpenClaw remote Gateway on a Mac?
When should I host OpenClaw on a Hyperbox Mac mini instead of my laptop?

Start here

What The OpenClaw Mac App Is

The OpenClaw Mac app is a menu-bar companion for OpenClaw on macOS. It is not just a prettier installer and it is not a replacement for the Gateway. It sits at the macOS boundary: where permissions, local desktop tools, remote Gateway connection, and operator settings have to become native.

It connects to a local Gateway or a remote Gateway, including a discovered host such as hyperbox.local.
It owns macOS permission prompts for Accessibility, Automation, Screen Recording, Notifications, Microphone, Speech Recognition, Camera, and related system surfaces.
It exposes the Mac as an OpenClaw node with local capabilities such as screen, camera, Canvas, notifications, and controlled command execution.
It includes settings for channels, skills, local model preferences, exec approvals, Canvas, Camera, Peekaboo Bridge, and debug tools.
It registers the app with macOS so OpenClaw can feel like a native resident agent companion instead of a terminal-only service.

The hosting takeaway

Use OpenClaw.app on the Mac that needs native control and permissions. Use a persistent Mac mini when the Gateway needs to stay awake, preserve browser and desktop state, keep channels online, and recover over SSH or VNC.

Step 1: Launch The App And Read The Boundary

OpenClaw Mac app welcome screen describing the local helper, remote Gateway, and security notice — The first screen is explicit about the model: OpenClaw can run a local helper, connect to a remote Gateway, and request permissions only when you enable the capabilities that need them.

The welcome screen is doing useful work. It frames the Mac app as a native helper that can connect outward to a Gateway, not as a black box that silently takes over your machine. That matters because OpenClaw can be granted serious local powers: screen, microphone, camera, automation, and shell execution.

Treat permissions like deployment choices

Do not grant every macOS permission just because the button is visible. Grant the permissions for the workflows this machine will actually run. If a Hyperbox Mac mini will perform the desktop automation, grant the permissions there.

Step 2: Choose Local Or Remote Gateway

OpenClaw Mac app Gateway chooser showing Local and Nearby options with hyperbox.local — The Gateway chooser offers local setup, manual configuration, and nearby Gateway discovery. In our run it found hyperbox.local on the network.

This is the most important setup decision. Local mode makes the Mac in front of you the Gateway host. Remote mode connects the Mac app to a Gateway running somewhere else. For a serious always-on assistant, remote mode is usually the better shape: the Gateway lives on a stable Mac mini, while your laptop or desktop can still join as a node when needed.

Choice	What it means	Use it when
Local Gateway	The Gateway runs on the same Mac as OpenClaw.app.	You are testing, developing, or building a single-machine personal setup.
Nearby Gateway	The app discovers another Gateway on the network, such as hyperbox.local.	You already have a Mac mini, LAN host, or private-network machine running OpenClaw.
Manual remote	You enter SSH, direct WebSocket, or secure WebSocket connection details yourself.	You are using Tailscale, a private DNS name, a static LAN address, or a custom tunnel.

OpenClaw Mac app with hyperbox.local selected as the remote Gateway — Selecting hyperbox.local tells the app to check whether it can reach the remote Gateway over SSH.

Step 3: Check The Remote Connection

OpenClaw Mac app remote connection check showing an SSH host key verification failure — The app surfaces SSH failures directly. In this run, the connection check stopped on host-key verification for hyperbox.local.

The remote check is where OpenClaw stops being abstract. The app is not merely asking for a URL. It is validating that it can reach the Gateway host and establish the path it needs. If SSH host key verification fails, the app shows the failing command output instead of hiding it behind a generic connection error.

# The app suggested this cleanup when a stale SSH key was suspected.
ssh-keygen -R hyperbox.local

# Then retry the remote connection check from OpenClaw.app.

If the error persists

Confirm the hostname resolves from the same macOS account running OpenClaw.app, verify the SSH identity, and check whether you are connecting through LAN DNS, Tailscale, or another private name. In our run, there was no user-level ~/.ssh/known_hosts entry to remove, so the next thing to inspect was the app's SSH context and the host identity presented by hyperbox.local.

Step 4: Use Advanced Gateway Options When Needed

OpenClaw Mac app advanced Gateway options with Gateway token field — Advanced setup exposes the Gateway token field and explicit remote configuration controls.

The Advanced section is for setups that should not depend on automatic discovery alone. If you are connecting across Tailscale, using a direct ws:// or wss:// endpoint, or separating the Gateway token from the initial discovery flow, this is where those details belong.

Use SSH tunnel mode when the Gateway should stay private and the Mac app should reach it through SSH.
Use direct ws or wss only when the network path and authentication model are intentional.
Keep the Gateway token out of screenshots, shared docs, and shell history.
Prefer private DNS, LAN, or Tailscale names over exposing the Gateway to the public internet.

Step 5: Grant The Permissions Your Workflows Need

OpenClaw Mac app permissions screen showing Automation and Accessibility granted with other permission request buttons — After the remote step, the app moves into permission setup. Automation and Accessibility were already granted in this capture; other capabilities remained requestable.

This is where the Mac app earns its keep. Browser apps and headless services cannot cleanly own every macOS TCC prompt. OpenClaw.app can guide the operator through the native permission surfaces and then expose those capabilities to the Gateway as node tools.

Permission	Unlocks	Grant on
Accessibility	Desktop app control, UI automation, and input-style workflows.	The Mac that will operate apps on screen.
Automation	Apple Events and app-to-app control.	The Mac that will automate Finder, browsers, Messages, Mail, or other local apps.
Screen Recording	Screen snapshots and recordings for visual context.	The Mac whose screen the assistant needs to inspect.
Microphone and Speech Recognition	Voice Wake, audio capture, and speech workflows.	Only the machine expected to listen or transcribe.
Camera	Camera snapshots and clips.	Only when camera workflows are part of the assistant design.
Notifications	Local system notifications from OpenClaw.	Any Mac where you want operator-visible alerts.

Step 6: Finish And Review The Runtime Summary

OpenClaw Mac app all set summary with remote Gateway, menu bar panel, channels, Voice Wake, Canvas, and skills checklist — The final screen summarizes the remote Gateway, permissions, menu-bar panel, channels, Voice Wake, Canvas, and skills setup path.

The all-set screen is a good checklist for what OpenClaw thinks a complete Mac install can become. It is not only about getting a process running. It is about having a reachable Gateway, a menu-bar operator panel, useful channels, voice and Canvas options, and a skill surface the assistant can actually use.

Confirm the Gateway is reachable from the Mac app.
Confirm the app appears in the menu bar and can reopen settings.
Grant only the permissions needed for the current node role.
Connect one low-risk channel before adding production credentials.
Run one simple request and inspect the resulting logs or session state.

What The Settings Window Reveals

OpenClaw native macOS app menu showing About, Settings, Services, Hide, and Quit — After onboarding, OpenClaw behaves like a native Mac app with standard menu entries and a Settings window.

OpenClaw settings General pane showing active status, launch at login, Dock icon, Canvas, Camera, Peekaboo Bridge, debug tools, and Quit — The General pane covers app residency and local capability toggles: launch at login, Dock icon, Canvas, Camera, Peekaboo Bridge, debug tools, and OpenClaw active state.

Settings make the app feel less like an installer and more like a control station. You can decide whether OpenClaw launches at login, whether it shows a Dock icon, whether Canvas and Camera are enabled, and whether local debugging tools should be exposed.

OpenClaw settings Connection pane showing Remote Gateway via SSH and an SSH host key error for hyperbox.local — The Connection pane preserves the remote Gateway configuration and shows the same SSH error state until the host identity issue is resolved.

Settings pane	What to configure	Why it matters
Connection	Local Gateway, remote Gateway, SSH tunnel, direct ws or wss, SSH target, Gateway token, and nearby Gateway selection.	This decides where the control plane lives and how private the network path stays.
Permissions	Accessibility, Screen Recording, Microphone, Speech Recognition, Camera, Automation, Notifications, and related system grants.	This decides what the Mac node can actually do.
Channels	Operator-facing ways for people or systems to reach OpenClaw.	Channels are where an always-on Gateway starts to matter.
Skills	Installed capabilities and tool surfaces.	Skills turn a connected runtime into useful agent behavior.
Exec approvals	Command execution policy for local system.run style work.	This keeps shell access from becoming an accidental blank check.

OpenClaw settings Exec Approvals pane — Exec approvals belong in the same mental bucket as SSH keys and production credentials: configure them before trusting broad automation.

How To Host OpenClaw On A Hyperbox Mac Mini

The Mac app and Hyperbox solve different halves of the same problem. The app gives OpenClaw a native macOS control surface. Hyperbox gives OpenClaw a Mac that stays online, keeps state on local disk, accepts SSH and VNC recovery, and can run desktop workflows without depending on your personal laptop being open.

Architecture diagram showing OpenClaw Mac app, remote Gateway, and Hyperbox Mac mini runtime — A clean production setup separates the operator surface from the durable runtime: OpenClaw.app locally, Gateway and state on the Hyperbox Mac mini.

Layer	Recommended location	Reason
OpenClaw.app	Your local Mac, and optionally the Hyperbox Mac if it needs native node permissions.	The app owns operator settings and macOS permission prompts.
Gateway	Hyperbox Mac mini.	The Gateway owns sessions, channels, cron, tools, auth, logs, node routing, and long-lived state.
State directory	Local disk on the runtime Mac, usually ~/.openclaw.	Agent state should not depend on iCloud Drive or a synced CloudStorage folder.
Private network path	LAN DNS, Tailscale, SSH tunnel, or another private route.	The Gateway should be reachable to your operator devices without being casually public.
Recovery access	SSH and VNC on the Hyperbox Mac.	You need a way back in when a channel, permission, or Gateway process is unhealthy.

Provision the Hyperbox Mac mini that will own the OpenClaw runtime.
Install the required Node version and OpenClaw CLI on the Hyperbox Mac.
Run OpenClaw onboarding and install the Gateway as a launchd service.
Keep OPENCLAW_STATE_DIR on local disk, normally ~/.openclaw.
Enable SSH and VNC recovery before connecting production channels.
Install OpenClaw.app where you want the native control surface, then connect it to the Hyperbox Gateway.
Grant Screen Recording, Accessibility, Automation, Microphone, Speech Recognition, Camera, and Notifications on the Mac that will perform those tasks.
Run one small end-to-end request, inspect logs, restart the Gateway, and confirm the Mac app reconnects.

Recommended Architecture

Local Mac:
  OpenClaw.app
  menu-bar operator surface
  optional local node capabilities

Private route:
  LAN DNS, Tailscale, direct wss, or SSH tunnel

Hyperbox Mac mini:
  OpenClaw Gateway
  launchd service
  ~/.openclaw state
  dedicated macOS user
  browser profile
  SSH + VNC recovery

This gives you a clean failure model. If the laptop closes, the Gateway keeps running. If the Gateway needs recovery, you SSH or VNC into the Hyperbox Mac. If a workflow needs a local desktop permission, you grant that permission on the node that will actually perform the work.

When Hyperbox Is The Right Host

You do not need a hosted Mac mini for every OpenClaw install. A laptop is fine for exploration. A small VPS can be fine for message-first work that never touches macOS. Hyperbox fits when OpenClaw depends on macOS state, desktop permissions, or background reliability.

Use Hyperbox when OpenClaw needs	Why a laptop is weak
Channels that should keep responding	Laptop sleep turns an always-on assistant into a best-effort assistant.
Screen Recording, Accessibility, Automation, or browser sessions	Those permissions and sessions live on a real macOS desktop and are brittle on a personal machine.
Xcode, iOS Simulator, Messages, Mail, or other Mac-only apps	Linux hosting cannot provide the app surface, and your laptop mixes personal and agent state.
Cron jobs, logs, and background tasks	A dedicated host can be monitored, restarted, and kept on a stable network.
Multiple control devices	The Gateway endpoint should stay stable even when your laptop is offline.

Production Setup Checklist

Verify the Mac app download from the official OpenClaw release or docs path.
Install the CLI and Gateway on the Mac that will own the runtime.
Run openclaw doctor after install or upgrade.
Record your Gateway URL, token flow, package manager, Node version, state path, and channel config before changing hosts.
Keep ~/.openclaw, logs, channel credentials, and agent workspace data on the runtime Mac.
Configure exec approvals before granting broad shell or desktop workflows.
Grant macOS permissions only on the machines that need each capability.
Test Dashboard access, remote connection, logs, sessions, cron, nodes, and one agent request before leaving the setup unattended.
Keep SSH and VNC access available for recovery if the app, Gateway, or node host gets stuck.

Frequently asked questions

What is the OpenClaw Mac app?

The OpenClaw Mac app is a macOS menu-bar companion. It owns native permissions, runs or connects to the Gateway, exposes macOS node capabilities, opens the Control UI, and registers the openclaw:// deep-link scheme.

Does the OpenClaw Mac app replace hosting?

No. The Mac app improves the native control surface and permission story. Long-running OpenClaw workflows still need a runtime machine that stays awake, keeps logs, preserves browser and desktop state, and can be recovered remotely.

What is the best host for OpenClaw with the Mac app?

Use your laptop for testing. Use a persistent Mac such as Hyperbox when OpenClaw needs background reliability, desktop apps, browser profiles, Messages, Mail, Xcode, SSH, VNC, screen access, or GUI automation.

Always-on Mac runtime

Give your agent a Mac that stays online after your laptop closes.

Hyperbox gives Codex, Claude Code, OpenClaw, and remote dev workflows a persistent macOS machine with SSH, VNC, and full desktop access.

Start with Hyperbox