Agents in Action — OpenClaw on AWS Lightsail Lab Guide

01

Prerequisites — Do These Before the Lab

💰 This lab uses paid AWS services. Lightsail instances ($24/month for the recommended size) and Bedrock API calls (pay-per-token) are not included in the AWS Free Tier. Expect to spend roughly ~$1–2 for today's lab session. After the lab, stop your instance to avoid ongoing charges — or keep it running as a daily-driver agent for ~$27–44/month.

AWS Account

You need an AWS account with permissions to create Lightsail instances. Free tier is fine for testing.

Verify Bedrock Model Access (Required)

The Lightsail blueprint uses AWS Bedrock as the model provider — no separate Anthropic account needed. You just need to confirm Claude models are available in your account.

Go to AWS Console → Amazon Bedrock → Model catalog
Find Claude Sonnet 4.6 and click Open in playground
Type a quick message — "Hi" works — and confirm it responds
If it responds, you're good. Model access is enabled.

First-time Bedrock users: The first time you use a Claude model, AWS may show a one-time acceptance form. Just complete it — access is immediate, no waiting.

Telegram

Install on your phone and desktop before the lab.

Phone: App Store / Play Store → "Telegram" → sign up with your phone number
Desktop: web.telegram.org — no install needed, same account
Create your bot now: Open Telegram → search @BotFather → send /newbot → follow prompts → copy the token

Bot token looks like 123456789:ABCdef... — save it somewhere. Bot username must end in bot (e.g. MyAgentBot).

Set an AWS Budget Alert (Required)

Bedrock charges per token on your AWS bill. Without a budget alert, a debugging loop or runaway cron job can cost you $40+ in a single day. Set this up now.

Go to AWS Console → Search for 'Budgets' → Create budget
Select Use a template → Monthly cost budget
Budget amount: $25 (covers Lightsail + moderate Bedrock use)
Enter your email address for alerts
You'll be notified at 85% and 100% of your budget automatically

This is not optional. Anthropic Console spending caps do NOT apply to Bedrock. AWS Budgets is your only cost protection here.

If you want your agent to respond with voice notes, sign up for an ElevenLabs account before the lab:

Create a free account at elevenlabs.io
Go to Profile + API key → generate an API key (starts with sk_)
Free tier gives you premade voices only (that's fine — there are great options)

This is covered in detail in Section 05: Give It a Voice.

✅

Prerequisites complete! You're ready for the lab. If you have all the accounts above, you're good to go. Continue to the next section to start deploying.

02

Deploy in 20 Minutes

This follows the official AWS blog walkthrough — the same flow Channy Yun published on launch day.

Launch Lightsail Instance

AWS Console

AWS Console → Lightsail → Create instance

Platform:   Linux/Unix
Blueprint:  Apps + OS → search "OpenClaw" → select it  (shows as OpenClaw 2026.3.23)

SSH key:    Click Create custom key → download the .pem file
            # You need this if you want to SSH from your own laptop/phone
            # instead of only using the Lightsail browser terminal

Snapshots:  Enable automatic snapshots (optional — adds ~$4/month for 80 GB)
            # Recommended if you plan to keep this instance

Size:       4 GB RAM, 2 vCPUs, 80 GB SSD — General purpose
            # This is the $24/month size — AWS recommended for OpenClaw

Name it:    OpenClaw-Lab
Click:      Create instance  (takes ~2 minutes)

This lab is built for OpenClaw 2026.3.23. If Lightsail shows a newer version, the steps may not match exactly. Your mileage may vary on newer releases. This guide is regularly updated when new blueprints are released.

Automatic snapshots: Snapshots cost $0.05/GB-month — about $4/month for the 80 GB instance. You can skip this for the lab, but if you keep the instance, enable it. At minimum, always create a manual snapshot before updating OpenClaw. Updates can break things, and a snapshot lets you revert to a known-good state in minutes.

Connect via Browser SSH

Lightsail Console → your instance → Getting started tab → Connect using SSH (orange button).

A browser terminal opens — you will be asked to Approve OpenClaw CLI? Select Y. Then take note of the Lightsail OpenClaw MOTD displaying three things you need:

MOTD — what you'll see

Lightsail OpenClaw MOTD v1.0.0
+----------------------------------------------+
|          OpenClaw Dashboard Access            |
+----------------------------------------------+

Dashboard URL:
    https://<your-ip>/overview

Access Token:
    <your-token>

Current Model:
    bedrock/global.anthropic.claude-sonnet-4-6

Continue with device pairing? (y = pair now, n = skip):

Don't press y yet. First, copy the Dashboard URL and Access Token — you'll need them in the next step. Use right-click → Copy (not Ctrl+C — that exits the SSH session). If that happens, close the terminal and click Connect via SSH again.

If you get disconnected (close the tab, lock your laptop, or your session times out), you don't need to pair the browser again. The MOTD asks every time you reconnect — it's just part of its startup loop. Your pairing is already saved.

Pair Your Browser with the Dashboard

Back in the Lightsail console, click the Open Dashboard button (or paste the Dashboard URL into a new browser tab). Then:

Paste the Access Token into the Gateway Token field
Click Connect
The dashboard will show a "device pairing required" message — that's expected

Now go back to the SSH terminal:

SSH terminal

Continue with device pairing? (y = pair now, n = skip): y
...approve prompt appears...
a   ← approve the device pairing

The dashboard should now show Health: OK with a green indicator. Your browser is paired.

You may see "Update available" — do not update during the lab. The instance may prompt you to update (e.g. v2026.4.16). Skip it. Updates can break your setup mid-lab and won't be supported, as this lab is built for the current Lightsail Blueprint. If you want to update later, back up your instance first and treat it as a future exercise.

After pairing, in the SSH session, it may ask if you want to change the model — select n (keep the default). It will then run through a security settings check — review it and press n to continue without changes for now.

Enable Bedrock API Access (CloudShell Script)

Your instance needs IAM permissions to call Bedrock. The Getting started tab in the Lightsail console shows a script — copy it and run it in AWS CloudShell.

Go back to the Lightsail console → your instance → Getting started tab
Find the "Enable Amazon Bedrock as your model provider" section
Click Copy the script
Click the Launch CloudShell button right next to it — a terminal will open
Paste and run the script — it creates an IAM role granting Bedrock access

This is a one-time setup. The script creates an IAM role attached to your Lightsail instance. You don't need to run it again unless you delete and recreate the instance.

Test: Chat via Dashboard

Go to Chat in the OpenClaw dashboard and say hi — anything works. If you get a response, Bedrock is working and your agent is live.

Once it's responding, you can optionally ask "What can you do?" to see what it's capable of out of the box.

✓ Checkpoint: You should have a working AI agent responding in the dashboard. If not — verify Bedrock model access is granted and the CloudShell script completed successfully.

Set Tools Profile (REQUIRED)

Back in the SSH terminal:

terminal

openclaw config set tools.profile full
openclaw gateway restart

Don't skip this. The default tools profile is restrictive — your agent can't create files, run code, or use most skills. The full profile unlocks the complete toolset (file system, code execution, web requests, etc.) that makes the agent actually useful.

Connect Telegram

terminal

openclaw channels add
# Select: Telegram (Bot API)
# Paste your bot token from BotFather when prompted
# Accept the defaults for remaining options
# When the menu loops back, arrow down to "Finished" and press Enter

Now go to Telegram — BotFather's message has a link to your bot. Click it, then hit Start. Send any message and the bot will reply with a pairing code. If there's no response, wait a minute and tap Start once or twice more.

Back in SSH, approve the pairing:

terminal

openclaw pairing approve telegram <CODE>

Don't use openclaw channels add telegram — passing the channel name as an argument throws an error. Run openclaw channels add with no arguments and select Telegram from the menu.

✓ Checkpoint: Send "Hello" to your bot on Telegram. If it responds, you have a working agent on your phone. If not — check Gotchas.

Enable Web Search

This version of OpenClaw includes web search with DuckDuckGo by default. No API keys needed.

First, set sandbox mode so the agent can run search tools on the host:

terminal

sed -i 's/"mode": "all"/"mode": "non-main"/' ~/.openclaw/openclaw.json
openclaw gateway restart

Then try it out — send this in Telegram:

Send via Telegram

Search for the latest OpenClaw news using DuckDuckGo

03

Make It Stick — SOUL.md

Your agent works — but it has no name, no personality, no rules. That identity lives in session memory and will fade between restarts. To make it permanent, create a SOUL.md file.

OpenClaw loads SOUL.md into context on every interaction. Everything in it costs tokens, so keep it lean.

terminal — create SOUL.md

cat > ~/.openclaw/workspace/SOUL.md << 'EOF'
# Identity
Name: [Your agent's name]
Timezone: Eastern (ET)
Owner: [Your name]

# Behavior
- Be concise and direct
- Always confirm before taking destructive actions
- Use my timezone for all time references
- When you receive a voice note, always respond with a voice note using sag
EOF

This is how Mira (Jorge's agent) knows her name, timezone, stock watchlist, and operating rules. Try it — ask "What's your name?" or "What time is it?"

04

Give It a Voice — ElevenLabs + sag

This is the "wow moment." Your agent responds with voice notes — a real human-sounding voice powered by ElevenLabs. Takes about 15 minutes.

One-script install available. If you want to skip the manual steps below and let a script handle everything (Go, dependencies, sag build, symlinks, config), download and run the voice setup script:

terminal — download and run

curl -sL https://lab.jorgeai.net/voice-setup.sh -o voice-setup.sh
bash voice-setup.sh

It will prompt you for your ElevenLabs API key and let you pick a voice. If it completes successfully, skip to Step 7 — Test it below.

Heads up: This skill requires building a Go binary from source. The ClawHub installer rate-limits, and Homebrew on a headless Linux server is a dead end. The commands below are the reliable path — tested on the Lightsail pre-baked image.

Install Go 1.24+ (the apt version is too old)

terminal

# Download official Go binary
wget https://go.dev/dl/go1.24.1.linux-amd64.tar.gz

# Remove any old Go and install
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.24.1.linux-amd64.tar.gz

# Add to PATH (and make it persist)
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc

# Verify
go version
# → go version go1.24.1 linux/amd64

Install build dependencies

terminal

sudo apt update && sudo apt install -y pkgconf libasound2-dev

You may see a scary-looking kernel dialog during the ALSA install. Just press Enter on "OK", then Enter again to accept the defaults. It's harmless.

Build sag from source

terminal

go install github.com/steipete/sag/cmd/sag@latest

Symlink so the gateway and sandbox can find it

terminal

# Gateway service needs this (runs with its own PATH)
sudo ln -sf ~/go/bin/sag /usr/local/bin/sag

# Sandbox needs this (only mounts /usr/bin, not /usr/local/bin)
sudo ln -sf ~/go/bin/sag /usr/bin/sag

Both symlinks are required. The gateway service can't see ~/go/bin. The Docker sandbox can't see /usr/local/bin. Missing either one causes sag to show as "blocked" or the agent to say it can't find the binary.

Disable sandbox for main agent (required for sag)

terminal

sed -i 's/"mode": "all"/"mode": "non-main"/' ~/.openclaw/openclaw.json

Why? The Lightsail image uses Docker-based sandboxing by default (mode: all). Skills like sag that run as host binaries can't execute inside the sandbox container. Setting sandbox to non-main lets sag run on the host where it's installed while keeping sub-agents sandboxed.

Set API key and voice ID

Pick a voice — here are the best premade options available on the free tier:

Voice	ID	Gender	Style
Bella	`hpp4J3VqNfWAUOO0d1Us`	Female	Warm, natural
Rachel	`21m00Tcm4TlvDq8ikWAM`	Female	Calm, narration
Sarah	`EXAVITQu4vr4xnSDxMaL`	Female	Soft, clear
Brian	`nPczCjzI2devNBz1zQrb`	Male	Deep, narration
Adam	`pNInz6obpgDQGcFmaJgB`	Male	Deep, American
Daniel	`onwK4e9ZLuTAKqWW03F9`	Male	Deep, British

Set your chosen voice in both locations — the env file and the gateway config:

terminal — replace the voice ID with your pick

# Write API key and voice ID to the env file (.env is a symlink — needs sudo)
echo -e '\nELEVENLABS_API_KEY=sk_your_elevenlabs_api_key_here\nELEVENLABS_VOICE_ID=nPczCjzI2devNBz1zQrb' | sudo tee -a ~/.openclaw/.env

# Also set voice ID in the gateway config (used by the TTS tag)
openclaw config set messages.tts.elevenlabs.voiceId nPczCjzI2devNBz1zQrb

# Restart gateway
openclaw gateway restart

ElevenLabs API keys start with sk_. If your key doesn't start with sk_, you copied the wrong thing. Go back to elevenlabs.io → Profile + API key.

Voice ID must be set in two places. The ~/.openclaw/.env file is what sag reads directly. The messages.tts.elevenlabs.voiceId config is what the gateway's built-in TTS tag uses. If they don't match, you'll get a different voice depending on how the agent chooses to speak.

Test it

Send this text message to your bot on Telegram:

Send via Telegram

Use sag to say "Hello, voice test — is this thing on?"

Your bot should reply with a voice note (audio message). If it replies with text only, check the sag gotchas below.

🎤 Checkpoint: If your bot replies with a voice note, sag is fully working. If it replies with text saying sag "isn't installed" or "can't be found" — check that both symlinks exist and sandbox mode is set to non-main. See gotchas below.

symptom Skill shows as "blocked" in gateway dashboard

Cause: sag binary not in the gateway service's PATH.

Fix: sudo ln -sf ~/go/bin/sag /usr/local/bin/sag then restart gateway.

symptom Agent says "sag not installed in sandbox" or "can't find sag"

Cause: The Docker sandbox only mounts /usr/bin. The binary is in /usr/local/bin which is invisible to the sandbox. Or sandbox mode is still all.

Fix: Add symlink to /usr/bin: sudo ln -sf ~/go/bin/sag /usr/bin/sag. Also set sandbox to non-main: sed -i 's/"mode": "all"/"mode": "non-main"/' ~/.openclaw/openclaw.json. Restart gateway.

symptom Build fails with "pkg-config: executable file not found"

Cause: Missing pkgconf package. On Ubuntu 24+, pkg-config was replaced by pkgconf.

Fix: sudo apt update && sudo apt install -y pkgconf libasound2-dev

symptom Go build fails with "cannot find package"

Cause: apt-installed Go is too old (< 1.24).

Fix: Install Go from the official tarball, not apt. See step 1 above.

symptom Build fails with "alsa/asoundlib.h: No such file"

Cause: Missing ALSA development headers.

Fix: sudo apt install -y libasound2-dev

symptom Bot replies with text instead of voice (wrong voice / female when expecting male)

Cause: Voice ID only set in ~/.openclaw/.env but not in the gateway config (messages.tts.elevenlabs.voiceId). The gateway's TTS tag uses a different voice than what sag reads from the env.

Fix: Set voice ID in both places: ~/.openclaw/.env AND openclaw config set messages.tts.elevenlabs.voiceId YOUR_VOICE_ID. Restart gateway.

symptom ClawHub installer hangs or fails

Cause: ClawHub rate-limits npx clawhub install.

Fix: Skip ClawHub entirely. Build sag from Go source as shown above — it's faster and more reliable.

05

Security — The Non-Negotiables

Run the Security Audit

terminal

openclaw security audit --fix    # apply safe auto-remediations

Verify Key Settings

terminal

openclaw config get gateway.bind         # should be: loopback ✅
openclaw config get tools.profile        # should be: full

Priority	Action	How
#1	Run security audit after onboarding	`openclaw security audit --fix`
#2	Keep DM policy as "pairing"	Default — never change to "open"
#3	Don't install random skills from ClawHub	Check what permissions a skill requests first
#4	Stop your instance when not using it	Lightsail Console → Stop instance
	Note: Stopping the instance will make your agent unavailable until you start it again.

Why this matters: In February 2026, over 42,000 exposed OpenClaw instances were found online — 93.4% had authentication bypasses. The Lightsail blueprint is better isolated than a raw EC2/Docker setup, but your gateway token is still your only authentication layer. Treat it like a password.

No port 18789 to worry about. Unlike a raw EC2/Docker install, the Lightsail pre-baked image routes the Control UI through HTTPS on port 443 via a built-in reverse proxy. The gateway never binds to a public port.

You're done! You have a working AI agent. It runs on your AWS account, responds on Telegram, searches the web, and talks back with a real voice. Everything below is reference material — take it home and explore at your own pace.

Here's what you built today:

Layer	What	Status
Infrastructure	Lightsail 4GB instance + Bedrock	✓ Running
Agent	OpenClaw with full tools profile	✓ Live
Channel	Telegram bot paired to your phone	✓ Connected
Identity	SOUL.md — persistent name & rules	✓ Loaded
Security	Audit run, permissions locked	✓ Hardened
Web search	Tavily (1,000 free queries/month)	✓ Enabled
Voice	ElevenLabs + sag	✓ Talking

Keep going after the lab: The sections below cover real cost data, troubleshooting gotchas, essential CLI commands, and resource links. Bookmark this page — it's all here when you need it.

06

What It Actually Costs

Real numbers from Mira — a production agent running 24/7 on this exact Lightsail + Bedrock stack since March 2026.

	Lightsail Instance	Bedrock (Sonnet 4.6)	Monthly Total
Today's lab	~$0.80	< $0.50	~$1
Light use	$24/month	~$3–5/month	~$27–29
Daily driver	$24/month	~$15–20/month	~$39–44

Mira runs 5 cron jobs daily. Here's what each costs in steady state:

Job	Model	Tokens/run	Cost/day
Calendar Briefing (7am)	Sonnet	~11k	~$0.17
Tech & AI Briefing (7:30am)	Sonnet	~50k	~$0.75
Morning Stock Update (10am)	Haiku	~7–35k	~$0.04
Pre-Close Stock Update (3pm)	Haiku	~8–31k	~$0.04
Total cron cost			~$1/day

The cost lever: model routing. Simple structured tasks (stock lookups) go to Haiku at ~10x cheaper per token. Complex tasks (news analysis, calendar reasoning) stay on Sonnet. One command:

terminal — route a cron job to Haiku

openclaw models aliases add haiku bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0
openclaw cron edit <job-id> --model haiku

The $44 day. During setup, a calendar cron ran 12 times in one day while debugging sandbox issues. Each run burned Sonnet tokens. Normal operation is $1–2/day — but debugging loops can spike costs fast. Set an AWS Budget alert before experimenting.

Bedrock billing goes to your AWS account — the same place as your Lightsail instance. One bill, one place to set budget alerts. No separate Anthropic account needed.

Stop your instance when you're done — Lightsail charges even when idle.

07

Gotchas & Troubleshooting

Hard-won lessons from ~7 OpenClaw installs across EC2 and Lightsail. Every one of these cost real debugging time.

symptom Bedrock error: "not authorized to perform sts:AssumeRole"

Cause: The CloudShell script (step 4 of Deploy) wasn't run — or didn't complete. Your Lightsail instance has no IAM permissions to call Bedrock.

Fix: Go back to Lightsail console → your instance → Getting started tab → copy the Bedrock script → run it in CloudShell. Wait a minute, then try chatting again.

symptom Agent says "I need to read my key files before responding"

Cause: Can happen on the very first message after running the CloudShell script. The agent is initializing.

Fix: Just send another message. It works on the second try.

symptom openclaw channels add telegram throws "too many arguments"

Cause: The add subcommand takes zero positional arguments. Passing telegram as an argument is invalid.

Fix: Run openclaw channels add with no arguments. Select Telegram from the interactive menu, paste your bot token, accept defaults, then select "Finished."

symptom Agent can barely do anything / tools seem missing

Cause: Default tools profile is nearly useless.

Fix: openclaw config set tools.profile full

symptom ~/.openclaw/.env permissions or "No such file" errors

Cause: .env is a symlink to root-owned /opt/aws/open_claw/openclaw.env.

Fix: Don't chmod it — the Lightsail image manages its own permissions. Use sudo tee -a to write to it.

symptom Dashboard shows 1008 WebSocket error, can't connect

Cause: Stale browser device token — NOT an outage. Your Telegram bot is still working fine.

Fix:

terminal

# Get the current valid token
openclaw config get gateway.auth.token
# Paste into dashboard → Gateway Token field → hit Connect

# If that still fails:
openclaw devices list
openclaw devices approve <requestId>

symptom Sandbox can't find a binary you installed

Cause: OpenClaw's Docker sandbox only mounts /usr/bin — not /usr/local/bin where most manually installed binaries land.

Fix: Symlink into /usr/bin: sudo ln -sf /usr/local/bin/<binary> /usr/bin/<binary>

symptom Sandbox can't access OAuth tokens or config files

Cause: ~/.config directories aren't mounted in the sandbox.

Fix: Copy configs into the workspace and set XDG_CONFIG_HOME:

terminal

cp -r ~/.config/<tool> ~/.openclaw/workspace/.<tool>
# Then in your cron command, prefix with:
XDG_CONFIG_HOME=/workspace/.<tool> /usr/bin/<tool> ...

symptom Skill set in gateway UI but still "blocked"

Cause: ~/.openclaw/.env is the canonical secrets location. Skills like sag read API keys from the environment, not from the gateway UI.

Fix: Put all API keys in ~/.openclaw/.env, then openclaw gateway restart.

symptom ClawHub skill install hangs or rate-limits

Cause: ClawHub rate-limits npx clawhub install aggressively.

Fix: Skip ClawHub. Use manual installation (curl for simple skills) or build from source (Go/Node skills). It's more reliable.

symptom Bedrock error: "Invocation of model ID with on-demand throughput is not supported"

Cause: Haiku 4.5 on Bedrock requires the cross-region inference profile prefix us. — bare model IDs are rejected.

Fix:

terminal

# ❌ Wrong
anthropic.claude-haiku-4-5-20251001-v1:0

# ✅ Correct — note the us. prefix
openclaw models aliases add haiku bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0

symptom Gateway crashes on startup

Cause: agents.defaults.env is NOT a valid config key in this version. Attempting to set it crashes the gateway.

Fix: Use ~/.openclaw/.env for environment variables. Don't try to set env vars through the config system.

symptom Cron job runs but Telegram message never arrives

Cause: Manual test runs via openclaw cron run reuse the same sessionId. OpenClaw deduplicates delivery within the same session.

Fix: Only scheduled runs reliably prove end-to-end Telegram delivery. Manual test runs are unreliable for this — check openclaw cron runs --id <job-id> to confirm the job actually executed.

08

FAQ — What's Next?

Common questions once your agent is up and running.

Your instance defaults to Claude Sonnet 4.6 via Bedrock. To switch the default model:

terminal

# See what's currently configured
openclaw models list

# Change the default model
openclaw config set models.default bedrock/global.anthropic.claude-sonnet-4-6

# Restart to apply
openclaw gateway restart

You can use any model available in your Bedrock region — just make sure you've requested access to it in the Bedrock Model catalog first.

Use model aliases to register alternate models, then assign them to specific cron jobs. This is how you keep Sonnet for complex work and route simple tasks to Haiku (~10x cheaper).

terminal

# Register Haiku as an alias (note the us. prefix — required)
openclaw models aliases add haiku bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0

# Route a specific cron job to Haiku
openclaw cron list                         # get job IDs
openclaw cron edit <job-id> --model haiku  # apply override

# In Telegram, you can also switch on the fly:
/model haiku     # switch this chat to Haiku
/model default   # switch back to Sonnet

Rule of thumb: Use Sonnet for main chat, news analysis, and reasoning. Use Haiku for stock lookups, structured summaries, and simple cron tasks.

Browser control is off by default on the Lightsail pre-baked image. Enabling it lets your agent open web pages, click buttons, fill forms, and take screenshots — essentially computer use.

terminal

# Install Chrome (headless)
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i google-chrome-stable_current_amd64.deb
sudo apt --fix-broken install -y

# Enable browser in OpenClaw config
openclaw config set browser.enabled true
openclaw config set browser.defaultProfile openclaw
openclaw config set browser.headless true

# Restart gateway
openclaw gateway restart

# Start the managed browser
openclaw browser start

This increases your attack surface. The agent can now interact with the web as you. Don't log into sensitive accounts in the managed browser. Treat it as a separate, agent-only browser — not your daily driver.

Cron jobs let your agent do things on a schedule — send morning briefings, check stock prices, summarize your calendar. The easiest way is to just ask your agent in Telegram:

Send via Telegram

"Every weekday at 8am ET, check my calendar and send me a summary of today's meetings."

The agent will create the cron job for you. You can also manage them from the CLI:

terminal

openclaw cron list                         # See all scheduled jobs
openclaw cron runs --id <job-id>           # Check run history
openclaw cron edit <job-id> --model haiku  # Route to cheaper model
openclaw cron delete <job-id>              # Remove a job

Watch the costs. Each cron run uses tokens. A Sonnet cron job running 5x/day can cost ~$1/day. Route simple jobs to Haiku to cut costs ~10x.

Stop (pauses billing for compute, keeps your data):

Lightsail Console → your instance → Stop. You can start it again later — everything is preserved.

Delete (permanent — removes everything):

Lightsail Console → your instance → Delete. This is irreversible. Your agent, config, SOUL.md, and all data are gone.

Stopped instances still incur a small storage charge for the disk. To fully stop all charges, you need to delete the instance. If you want to keep it, enable automatic snapshots first ($2.50/month) so you can restore later.

Yes — OpenClaw supports multiple providers. On this Lightsail setup, you're using Bedrock, which gives you access to Claude models (Sonnet, Haiku, Opus) plus others like Meta Llama, Mistral, and Amazon Titan — all on the same AWS bill.

You can also configure OpenClaw to use the Anthropic API directly, OpenAI, or local models via Ollama. Check the OpenClaw docs for provider setup instructions.

Recommendation: Stick with Claude Sonnet 4.6 via Bedrock for now. It has the best prompt injection resistance of any Sonnet-class model, and Bedrock keeps everything on one AWS bill.

09

Essential Commands

Gateway service management (native install — no Docker)

openclaw gateway restart                   # Restart after config changes
openclaw gateway stop                      # Stop
openclaw gateway start                     # Start
# Fallback (if openclaw CLI is unresponsive):
sudo systemctl restart openclaw-gateway    # systemctl direct restart

OpenClaw CLI

openclaw security audit --fix              # Audit + auto-remediate
openclaw config get tools.profile          # Check current tools profile
openclaw config set tools.profile full     # Set full tools
openclaw channels list                     # List connected channels
openclaw channels add                      # Add a channel (interactive wizard)
openclaw logs                              # View recent logs
openclaw sandbox explain                   # Show sandbox config details
openclaw cron list                         # List cron jobs
openclaw models list                       # List configured models

10

Resources

Resource	URL
AWS Blog — OpenClaw on Lightsail	aws.amazon.com/blogs/aws/introducing-openclaw-on-amazon-lightsail…
OpenClaw Docs	docs.openclaw.ai
OpenClaw GitHub	github.com/openclaw/openclaw
Security Reference	docs.openclaw.ai/gateway/security
Lightsail Pricing	aws.amazon.com/lightsail/pricing
AWS Budgets	console.aws.amazon.com/billing
Tavily (web search)	tavily.com
ElevenLabs (voice)	elevenlabs.io
ElevenLabs Premade Voices	elevenlabs.io/app/voice-library
Contact the lab author	linkedin.com/in/jorge-rodriguez