2026-02-19

If You Are Using OpenClaw, Don't Use the Installer — Clone with Git Instead

OpenClaw is a high-privilege automation system. It can access messages, files, browser actions, cron jobs, and credentials. Vulnerabilities and security fixes are inevitable.

If your instance is customized, installer-based updating is not enough. You need a repeatable, auditable update path so you can patch quickly without losing local work.

The Problem

The installer path is not designed for code-level diff workflows in customized deployments.

That means you lose the tooling you need to maintain a customized deployment safely over time:

  • clear local-vs-upstream diffs,
  • predictable merge/conflict handling,
  • auditable update history.

When those are missing, updates get postponed. Postponed updates are the security risk.

The Solution

Treat your deployment like a maintained codebase:

git remote add upstream https://github.com/openclaw/openclaw.git
git fetch upstream

Then update on a regular cadence:

git checkout main
git fetch upstream
git log --oneline main..upstream/main
git merge upstream/main

Before each merge, create a checkpoint commit. After each merge, run your security checks and validate critical workflows.
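
The routine above can be wrapped in a pre-merge gate. The following is an added example, not code from OpenClaw or from the original post. It goes slightly beyond the commands shown by also verifying the upstream URL and that the two histories are linked. The function names, exit codes, `UPSTREAM_URL` override, and `pre-upstream-*` tag naming are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not OpenClaw's own tooling. Run from inside your customized clone.
# UPSTREAM_URL defaults to the URL from the article; the override is an assumption.
UPSTREAM_URL="${UPSTREAM_URL:-https://github.com/openclaw/openclaw.git}"

# Add the `upstream` remote if missing; refuse to continue if it points elsewhere.
ensure_upstream() {
    current=$(git remote get-url upstream 2>/dev/null) || {
        git remote add upstream "$UPSTREAM_URL"
        return
    }
    [ "$current" = "$UPSTREAM_URL" ] && return 0
    echo "upstream points at unexpected URL: $current" >&2
    return 1
}

# Gate before merging. Prints the number of incoming commits on success.
# Exit codes: 1 remote/fetch problem, 2 uncommitted changes, 3 unlinked histories.
premerge_check() {
    ensure_upstream || return 1
    git fetch --quiet upstream || return 1
    if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
        echo "tracked files have uncommitted changes: commit a checkpoint first" >&2
        return 2
    fi
    if ! git merge-base main upstream/main >/dev/null 2>&1; then
        echo "main and upstream/main share no history: link them before merging" >&2
        return 3
    fi
    git rev-list --count main..upstream/main
}

# Tag the pre-merge state (hypothetical tag naming), show what is coming, then merge.
checkpoint_and_merge() {
    incoming=$(premerge_check) || return $?
    [ "$incoming" -gt 0 ] || { echo "already up to date"; return 0; }
    git checkout --quiet main || return 1
    git tag "pre-upstream-$(date -u +%Y%m%dT%H%M%SZ)" || return 1
    git log --oneline main..upstream/main
    git merge --no-edit upstream/main
}
```

Source the file and call `checkpoint_and_merge` from the repo root. The tag marks the exact pre-merge commit, so the update history stays auditable without any history rewriting.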

Copy/Paste Prompt for OpenClaw (Auto-Fix Setup)

Use this workspace as a customized OpenClaw repo and set up safe upstream
updates without rewriting history or resetting local changes.

Tasks:
1. Detect whether `upstream` remote exists. If not, add:
   - `https://github.com/openclaw/openclaw.git`
2. Fetch upstream.
3. Check whether local `main` and `upstream/main` share a merge base.
4. If they do not share history, create a one-time safety merge commit using:
   - `git merge --allow-unrelated-histories -s ours upstream/main -m "chore: link local history to upstream for future updates"`
   Do not reset, rebase, or force-push.
5. Create/update `UPDATE_UPSTREAM.md` with this exact recurring update routine:
   - `git checkout main`
   - `git fetch upstream`
   - `git log --oneline main..upstream/main`
   - `git merge upstream/main`
   - resolve conflicts, test, then continue
6. Add a short "security cadence" section recommending regular upstream
   merges and periodic security/health checks.
7. Show me:
   - current remotes,
   - branch tracking status,
   - whether histories are now linked,
   - and the final update checklist path.

Constraints:
- Preserve all local commits.
- No destructive git commands (reset --hard, clean -fd, force push,
  rebase onto upstream).
- If anything is risky, stop and ask before proceeding.

Important Reminders

  • You do not need a GitHub account to clone or pull from the public OpenClaw repo.
  • Do not publish your local OpenClaw repo to a public remote. It can contain secrets (tokens, config, memory files, operational data).
  • If you need backup, use a private encrypted backup workflow, not a public git push.

Operating Rule

Use a git clone + upstream pull workflow for OpenClaw maintenance so updates stay diffable, auditable, and fast to apply.

Goal: minimize time-to-patch while preserving your local customizations and avoiding secret exposure.

Nick Trierweiler