First 60 seconds
Run this ladder in order:openclaw statusshows configured channels, no auth errors.openclaw status --allproduces a full, shareable report.openclaw gateway probeshowsReachable: yes.Capability: ...is the auth level the probe proved;Read probe: limited - missing scope: operator.readis degraded diagnostics, not a connect failure.openclaw gateway statusshowsRuntime: running,Connectivity probe: ok, and a plausibleCapability: .... Add--require-rpcto also require read-scope RPC proof.openclaw doctorreports no blocking config/service errors.openclaw channels status --probereturns live per-account transport state (works/audit ok) when the gateway is reachable; falls back to config-only summaries when it is not.openclaw logs --followshows steady activity, no repeating fatal errors.
Assistant feels limited or missing tools
Check the effective tool profile:tools.profile: "minimal"allows onlysession_status.tools.profile: "messaging"is narrow, for chat-only agents.tools.profile: "coding"is the default for new local configs (repo, file, shell, and runtime work).tools.profile: "full"removes profile restrictions; limit to trusted operator-controlled agents.- Per-agent
agents.list[].toolsoverrides narrow or expand the root profile for one agent.
openclaw status --all. Full profile/group table: Tool profiles.
Anthropic long context 429
HTTP 429: rate_limit_error: Extra usage is required for long context requests
→ Anthropic 429 extra usage required for long context.
Local OpenAI-compatible backend works directly but fails in OpenClaw
Your local/self-hosted/v1 backend answers direct /v1/chat/completions
probes but fails on openclaw infer model run or normal agent turns:
- Error mentions
messages[].contentexpecting a string: setmodels.providers.<provider>.models[].compat.requiresStringContent: true. - Still fails only on OpenClaw agent turns: set
models.providers.<provider>.models[].compat.supportsTools: falseand retry. - Tiny direct calls work but larger OpenClaw prompts crash the backend: that is an upstream model/server limit, not an OpenClaw bug. Continue in Local OpenAI-compatible backend passes direct probes but agent runs fail.
Plugin install fails with missing openclaw extensions
package.json missing openclaw.extensions means the plugin package uses a
shape OpenClaw no longer accepts.
Fix in the plugin package:
- Add
openclaw.extensionstopackage.json, pointing at built runtime files (usually./dist/index.js). - Republish, then run
openclaw plugins install <package>again.
Install policy blocks plugin installs or updates
Update finishes but plugins are stale, disabled, or showblocked by install policy, install policy failed closed, or Disabled "<plugin>" after plugin update failure: check security.installPolicy.
Install policy runs on plugin installs and updates. @openclaw/* plugin
versions normally move with the OpenClaw release, so an OpenClaw update can
need a matching plugin update during post-update sync.
Avoid these policy shapes unless you also maintain the matching upgrade rule:
- Freezing OpenClaw-owned plugins to one exact old version (for example, only
@openclaw/*@2026.5.3). - Blocking by source kind alone (every npm, network, or
request.mode: "update"request). - Treating the policy command as optional: when
security.installPolicyis enabled, a missing, slow, unreadable, or permission-blocked policy executable fails closed. - Approving versions without checking the request’s
openclawVersionagainst plugin candidate metadata.
@openclaw/* updates compatible with the
current host, instead of pinning one release forever. If you block npm by
default, add a narrow exception for the plugin ids you use, and apply the same
trust rule to request.mode: "update" as to installs.
Recovery:
openclaw plugins update --all, then restore the stricter rule.
If update failure disabled a plugin, inspect before re-enabling:
Plugin present but blocked by suspicious ownership
openclaw doctor, setup, or startup warnings show:
node (uid 1000). Repair the host bind mounts:
Decision tree
No replies
No replies
Runtime: runningConnectivity probe: okCapability: read-only,write-capable, oradmin-capable- Channel shows transport connected and, where supported,
worksoraudit okinchannels status --probe - Sender is approved (or DM policy is open/allowlist)
drop guild message (mention required→ Discord mention gating blocked the message.pairing request→ sender unapproved, waiting on DM pairing approval.blocked/allowlistin channel logs → sender, room, or group filtered.
Dashboard or Control UI will not connect
Dashboard or Control UI will not connect
Dashboard: http://...shown inopenclaw gateway statusConnectivity probe: okCapability: read-only,write-capable, oradmin-capable- No auth loop in logs
device identity required→ HTTP/non-secure context cannot complete device auth.origin not allowed→ browserOriginis not allowed for the Control UI gateway target.AUTH_TOKEN_MISMATCHwithcanRetryWithDeviceToken=true→ one trusted device-token retry may occur automatically, reusing the paired token’s cached scopes.- repeated
unauthorizedafter that retry → wrong token/password, auth mode mismatch, or stale paired device token. too many failed authentication attempts (retry later)→ repeated failures from that browserOriginare temporarily locked out; other localhost origins use separate buckets. See Dashboard/Control UI connectivity for the Tailscale Serve concurrent-retry nuance.gateway connect failed:→ UI targets the wrong URL/port, or the gateway is unreachable.
Gateway will not start or service installed but not running
Gateway will not start or service installed but not running
Service: ... (loaded)Runtime: runningConnectivity probe: okCapability: read-only,write-capable, oradmin-capable
Gateway start blocked: set gateway.mode=localorexisting config is missing gateway.mode→ gateway mode is remote, or config is missing the local-mode stamp and needs repair.refusing to bind gateway ... without auth→ non-loopback bind without a valid auth path (token/password, or trusted-proxy where configured).another gateway instance is already listeningorEADDRINUSE→ port already taken.
Channel connects but messages do not flow
Channel connects but messages do not flow
- Channel transport connected.
- Pairing/allowlist checks pass.
- Mentions detected where required.
mention required→ group mention gating blocked processing.pairing/pending→ DM sender not approved yet.not_in_channel,missing_scope,Forbidden,401/403→ channel permission token issue.
Cron or heartbeat did not fire or did not deliver
Cron or heartbeat did not fire or did not deliver
cron statusshows the scheduler enabled with a next wake.cron runsshows recentokentries.- Heartbeat is enabled and inside active hours.
cron: scheduler disabled; jobs will not run automatically→ cron is disabled.heartbeat skippedreasonquiet-hours→ outside configured active hours.heartbeat skippedreasonempty-heartbeat-file→HEARTBEAT.mdexists but contains only blank, comment, header, fence, or empty-checklist scaffolding.heartbeat skippedreasonno-tasks-due→ task mode is active but no task interval is due yet.heartbeat skippedreasonalerts-disabled→showOk,showAlerts, anduseIndicatorare all off.requests-in-flight→ main lane busy; heartbeat wake deferred.unknown accountId→ heartbeat delivery target account does not exist.
Node is paired but tool fails camera canvas screen exec
Node is paired but tool fails camera canvas screen exec
- Node listed as connected and paired for role
node. - Capability exists for the command you are invoking.
- Permission state granted for the tool.
NODE_BACKGROUND_UNAVAILABLE→ bring the node app to the foreground.*_PERMISSION_REQUIRED→ OS permission denied/missing.SYSTEM_RUN_DENIED: approval required→ exec approval is pending.SYSTEM_RUN_DENIED: allowlist miss→ command not on the exec allowlist.
Exec suddenly asks for approval
Exec suddenly asks for approval
- Unset
tools.exec.hostdefaults toauto, which resolves tosandboxwhen a sandbox runtime is active,gatewayotherwise. host=autoonly routes; the no-prompt behavior comes fromsecurity=fullplusask=offon gateway/node.- Unset
tools.exec.securitydefaults tofullongateway/node. - Unset
tools.exec.askdefaults tooff. - If you are seeing approvals, some host-local or per-session policy tightened exec away from these defaults.
- Set only
tools.exec.host=gatewayfor stable host routing. - Use
security=allowlistwithask=on-missfor host exec with review on allowlist misses. - Enable sandbox mode so
host=autoresolves back tosandbox.
Approval required.→ command is waiting on/approve ....SYSTEM_RUN_DENIED: approval required→ node-host exec approval is pending.exec host=sandbox requires a sandbox runtime for this session→ implicit/explicit sandbox selection but sandbox mode is off.
Browser tool fails
Browser tool fails
- Browser status shows
running: trueand a chosen browser/profile. openclawprofile starts, oruserprofile sees local Chrome tabs.
unknown command "browser"→plugins.allowis set and excludesbrowser.Failed to start Chrome CDP on port→ local browser launch failed.browser.executablePath not found→ configured binary path is wrong.browser.cdpUrl must be http(s) or ws(s)→ configured CDP URL uses an unsupported scheme.browser.cdpUrl has invalid port→ configured CDP URL has a bad or out-of-range port.No Chrome tabs found for profile="user"→ the Chrome MCP attach profile has no open local Chrome tabs.Remote CDP for profile "<name>" is not reachable→ configured remote CDP endpoint unreachable from this host.Browser attachOnly is enabled ... not reachable→ attach-only profile has no live CDP target.- Stale viewport/dark-mode/locale/offline overrides on attach-only or remote CDP profiles → run
openclaw browser stop --browser-profile <name>to close the control session and release emulation state without restarting the gateway.
Related
- FAQ — frequently asked questions
- Gateway Troubleshooting — gateway-specific issues
- Doctor — automated health checks and repairs
- Channel Troubleshooting — channel connectivity issues
- Scheduled tasks: Troubleshooting — cron and heartbeat issues