OpenClaw + Telegram demo
AI agent on Telegram, gated by Airlock mobile approval
Chat with your OpenClaw agent via Telegram. When the agent runs a sensitive tool (shell, computer control, etc.), Airlock intercepts the call and sends an encrypted approval request to your phone. You approve or reject from the Airlock mobile app (Google Play) in real time.
This walkthrough assumes you have already followed OpenClaw & Airlock Gateway for installation, server deployment, and base configuration.
Architecture
┌─────────────┐    ┌──────────────────┐    ┌─────────────────────┐    ┌─────────────────┐
│  Telegram   │───▶│  OpenClaw Agent  │───▶│   Airlock Plugin    │───▶│ Airlock Gateway │
│  User Chat  │    │      (VPS)       │    │     (enforcer)      │    │(igw.airlocks.io)│
└─────────────┘    └──────────────────┘    └─────────────────────┘    └────────┬────────┘
                          ▲                                                    │
                          │                                                    ▼
                          │                                           ┌─────────────────┐
                          └───────────────────────────────────────────│ Airlock Mobile  │
                              decision (approve/reject)               │   App (phone)   │
                                                                      └─────────────────┘
Payloads are end-to-end encrypted with X25519 ECDH + AES-256-GCM. The gateway routes ciphertext only.
Prerequisites
| Component | Requirement |
|---|---|
| OpenClaw VPS | Installed and running (e.g. DigitalOcean Marketplace) |
| Telegram bot | Created via @BotFather, token configured in OpenClaw |
| Airlock account | airlockapp.io with an enforcer app |
| Airlock mobile app | Installed on your phone |
| Airlock plugin | Deployed under ~/.openclaw/extensions/airlock per installation guide |
Step 1: Configure the Airlock plugin
In ~/.openclaw/openclaw.json, ensure the Airlock entry matches your credentials and protected tools:
{
  "plugins": {
    "entries": {
      "airlock": {
        "enabled": true,
        "config": {
          "gatewayUrl": "https://igw.airlocks.io",
          "enforcerId": "my-enforcer-001",
          "pat": "airpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
          "clientId": "your-client-id",
          "clientSecret": "your-client-secret",
          "pairingCode": "XXXXXX",
          "protectedTools": [
            "exec",
            "shell.*",
            "computer.*",
            "*"
          ]
        }
      }
    }
  }
}
Protected tools for this demo
| Pattern | What it catches |
|---|---|
| exec | OpenClaw's built-in shell/bash execution tool (its internal name is exec) |
| shell.* | Shell-related tools in the shell.* namespace |
| computer.* | Screen, mouse, keyboard automation |
| * | Every tool call regardless of name — recommended for maximum coverage |
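A coverage check for the list above, as an added example rather than code from the Airlock plugin: it reports which listed pattern gates each tool, what would run ungated if "*" were dropped, and which entries "*" already covers. The glob semantics are an assumption, and every tool name except exec is constructed.

```javascript
// Added illustration; the plugin's own matcher may differ. Assumed semantics:
// "*" matches any run of characters, all other characters are literal, and a
// pattern must match the whole tool name.
function globToRegExp(pattern) {
  const literalParts = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(`^${literalParts.join('.*')}$`);
}

// First listed pattern that gates this tool, or null if the call would not be gated.
function gatedBy(toolName, protectedTools) {
  return protectedTools.find((p) => globToRegExp(p).test(toolName)) ?? null;
}

// Tools from an inventory that no pattern covers.
function ungated(toolNames, protectedTools) {
  return toolNames.filter((t) => gatedBy(t, protectedTools) === null);
}

// Patterns already covered by another listed pattern (sound but not exhaustive):
// if q matches p's text, q's "*" absorbs p's "*" and everything p can match.
function redundant(protectedTools) {
  return protectedTools.filter((p, i) =>
    protectedTools.some((q, j) => j !== i && globToRegExp(q).test(p)));
}

const PAGE_PATTERNS = ['exec', 'shell.*', 'computer.*', '*']; // from the config above
const NARROW_PATTERNS = PAGE_PATTERNS.filter((p) => p !== '*');
// Constructed inventory; only "exec" is a tool name taken from the page.
const SAMPLE_TOOLS = ['exec', 'shell.run', 'shellfish', 'computer.click', 'web.fetch'];

for (const patterns of [PAGE_PATTERNS, NARROW_PATTERNS]) {
  console.log(JSON.stringify(patterns));
  for (const tool of SAMPLE_TOOLS) console.log(`  ${tool} -> ${gatedBy(tool, patterns)}`);
  console.log('  ungated:', ungated(SAMPLE_TOOLS, patterns), 'redundant:', redundant(patterns));
}
```

Under these semantics the "." in shell.* is literal, so a tool named shellfish is caught only by "*".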
Restart after edits:
systemctl restart openclaw
journalctl -u openclaw --no-pager | grep -i airlock
# Expected: [Airlock] Plugin loaded — enforcer=my-enforcer-001, failMode=closed, protectedTools=exec,shell.*,computer.*,*
Step 2: User consent (Authorized Apps)
openclaw airlock consent
The CLI calls the gateway, sends a push to the mobile app, and polls about every 5 seconds. On the phone: open Airlock, respond to "New app requesting access" (or Settings → Authorized Apps), review the app and Authorize.
Consent states
| Status | Meaning |
|---|---|
| approved | Proceed to pairing |
| required | First contact; push sent |
| pending | Waiting for user response |
| denied | User rejected; cannot proceed until resolved |
Step 3: Pair with the mobile app
Generate a pairing code in the Airlock app (Workspaces → your workspace → pre-generated codes or add enforcer). Put the code in pairingCode, restart OpenClaw if needed, then run:
openclaw airlock pair
The CLI validates consent, performs X25519 ECDH, and writes ~/.openclaw/.airlock/pairing-state.json. In the app, the enforcer should show as online for the workspace.
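The key agreement performed at pairing, and the per-request encryption it enables, as an added Node.js example (not Airlock's code or wire format). The page names only X25519 ECDH and AES-256-GCM; the HKDF-SHA256 step, the info label, the 12-byte nonce, the use of AAD and the envelope field names are assumptions.

```javascript
// Added illustration, not Airlock's wire format. Assumptions: HKDF-SHA256 with the
// label below, a random 12-byte nonce, and routing metadata bound as AAD.
const crypto = require('node:crypto');

// ECDH shared secret -> 32-byte AES-256 key. Both sides derive the same value.
function deriveKey(myPrivate, peerPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'demo-approval-v1', 32));
}

// Enforcer side: encrypt one approval request for the phone.
function seal(key, request, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(JSON.stringify(request), 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag(), aad };
}

// Phone side: returns the request, or null if the envelope was altered in transit.
function unseal(key, env) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
    decipher.setAAD(Buffer.from(env.aad));
    decipher.setAuthTag(env.tag);
    return JSON.parse(Buffer.concat([decipher.update(env.ct), decipher.final()]).toString('utf8'));
  } catch {
    return null; // GCM tag mismatch: reject instead of showing a forged request
  }
}

function pairingDemo() {
  const enforcer = crypto.generateKeyPairSync('x25519'); // key pairs exist from pairing
  const phone = crypto.generateKeyPairSync('x25519');
  const kEnforcer = deriveKey(enforcer.privateKey, phone.publicKey);
  const kPhone = deriveKey(phone.privateKey, enforcer.publicKey);
  const env = seal(kEnforcer, { tool: 'exec', command: 'df -h' }, 'enforcer=my-enforcer-001');
  const flipped = { ...env, ct: Buffer.from(env.ct) };
  flipped.ct[0] ^= 0x01; // one bit changed between enforcer and phone
  return {
    keysMatch: kEnforcer.equals(kPhone),
    gatewaySeesCommand: env.ct.includes('df -h'),
    opened: unseal(kPhone, env),
    afterBitFlip: unseal(kPhone, flipped),
    afterAadSwap: unseal(kPhone, { ...env, aad: 'enforcer=other' }),
  };
}

console.log(pairingDemo());
```

A relay that holds only the two public keys and the envelope cannot derive the key, and any change to the ciphertext or the bound metadata makes decryption fail on the phone.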
Step 4: Pair Telegram (DM access)
- Message your bot on Telegram so it issues a pairing code.
- On the server, approve that pairing:
openclaw pairing approve telegram <pairing-code>
Step 5: Verify
openclaw airlock setup
Expect green checks for gateway connectivity, consent, pairing, and your protected tool list.
Demo scenario 1: Approve a shell command
Ask the bot to check disk usage. The agent calls the exec tool (OpenClaw's internal shell tool name) with df -h. Airlock sends a push; approve on the phone; the agent completes and replies on Telegram. If you reject, the agent should explain that the action was blocked. If you do not respond, the default fail-closed timeout (often about 5 minutes) blocks the tool.
Demo scenario 2: Reject a risky command
Ask for a destructive cleanup (for example removing files under /tmp). When the push shows the exact command, reject if it is too risky; the agent should offer a safer follow-up (such as listing directory contents first).
Demo scenario 3: Explicit airlock_request_approval
For high-stakes actions the agent can call airlock_request_approval with structured fields, for example:
{
  "action": "Create system user account",
  "details": "useradd -m demo-user && passwd demo-user",
  "risk": "Creates a new user with shell access"
}
Talking points
| Topic | Detail |
|---|---|
| E2E encryption | X25519 ECDH + AES-256-GCM; gateway sees ciphertext only |
| Fail-closed | Phone off or timeout blocks the tool by default |
| Glob patterns | shell.* groups related tools; tune breadth to your risk model |
| Same plugin | Shared enforcement model with IDE and CLI enforcers where Airlock is integrated |
| DND policies | Gateway can auto-approve low-risk requests under configured policies |
| Consent | Users explicitly authorize enforcer apps before enforcement |
| Audit | Approvals and rejections are logged with timestamps and signer metadata |
Flow summary
┌───────────────────────────────────────────────────────────────────────┐
│                           SETUP (one-time)                            │
├───────────────────────────────────────────────────────────────────────┤
│                                                                       │
│  1. Deploy plugin  ──► openclaw extensions directory                  │
│  2. Configure      ──► openclaw.json (credentials + protectedTools)   │
│  3. Consent        ──► openclaw airlock consent ──► Mobile: Authorize │
│  4. Pair           ──► openclaw airlock pair    ──► Mobile: Confirm   │
│  5. Verify         ──► openclaw airlock setup                         │
│                                                                       │
├───────────────────────────────────────────────────────────────────────┤
│                        RUNTIME (per tool call)                        │
├───────────────────────────────────────────────────────────────────────┤
│                                                                       │
│  User ──telegram──► Agent ──tool call──► Airlock Plugin               │
│                                                │                      │
│                                                ▼                      │
│                                      Encrypt (AES-256-GCM)            │
│                                                │                      │
│                                                ▼                      │
│                                         Airlock Gateway               │
│                                                │                      │
│                                                ▼                      │
│                                    Mobile Push Notification           │
│                                                │                      │
│                                           ┌────┴────┐                 │
│                                        Approve    Reject              │
│                                           │         │                 │
│                                           ▼         ▼                 │
│  User ◄──telegram──◄ Agent ◄── tool proceeds / tool blocked           │
│                                                                       │
└───────────────────────────────────────────────────────────────────────┘
Related
- OpenClaw & Airlock Gateway — full installation and configuration
- Developer Guide
- openclaw-airlock README