# Complete Data Source Setup Guide for OpenClaw > Connect every tool your PM agents need, Jira, Slack, Zendesk, Salesforce, GitHub, Google Calendar, Gong, Amplitude, and more, to OpenClaw's self-hosted MCP infrastructure. YAML-based skills configuration, Docker Compose deployment, and comprehensive security warnings about CVE risks. --- ## Overview This guide walks you through connecting **every data source** referenced across all 18 PM agents using OpenClaw, an open-source AI agent framework that runs self-hosted and uses the same MCP (Model Context Protocol) standard as Claude. **What is OpenClaw?** OpenClaw is a self-managed alternative to cloud-hosted Claude agents. It provides a Gateway (API router), Brain (LLM orchestrator running your choice of Claude or OpenAI models), Memory layer (Redis/Postgres for agent state), Skills (MCP-based tool connectors), and Heartbeat daemon (cron-like scheduler). Everything runs in Docker containers on your infrastructure. **OpenClaw vs. Claude:** Unlike Claude Projects (cloud-hosted), OpenClaw runs entirely on your servers. This gives you full data control but requires Docker expertise and introduces security maintenance responsibilities. **Architecture overview:** | Component | Purpose | Tech | |-----------|---------|------| | **Gateway** | API router, request validation, rate limiting | Node.js Express | | **Brain** | LLM orchestrator, agent execution | Claude/GPT-4 via SDK | | **Memory** | Agent state, conversation history | Redis or Postgres | | **Skills** | Tool connectors (MCP servers) | Node.js + MCP standard | | **Heartbeat** | Cron scheduling daemon | Node.js with node-cron | --- ## CRITICAL SECURITY NOTICE **OpenClaw has had 156+ CVEs as of March 2026.** This is a young, actively developed project. Before deploying to production: ### High-Risk CVEs - **CVE-2026-25253** (CVSS 9.8): Remote Code Execution in Gateway due to unsafe deserialization. Patches in v3.2.1+. Upgrade immediately if running v3.1.x or earlier. - **CVE-2026-18847** (CVSS 8.1): Credential exposure in Memory service when storing Postgres connection strings without encryption. Upgrade to v3.1.2+ and enable `ENCRYPT_CREDENTIALS=true`. - **CVE-2026-10421** (CVSS 7.5): MCP skill server command injection if user input is not sanitized in agent prompts. Validate all inputs before passing to skills. ### Deployment Recommendations 1. **Run behind a VPN or private network.** Never expose OpenClaw Gateway to the public internet. 2. **Use read-only API tokens.** Configure all MCP skills with minimal permissions. 3. **Pin Docker image versions.** Don't use `latest` tag; pin to specific releases. 4. **Monitor CVE feeds.** Subscribe to OpenClaw security advisories: https://github.com/openclaw-ai/openclaw/security/advisories 5. **Consider Claude instead for sensitive data.** Claude is managed by Anthropic and updated automatically. 6. **Rotate credentials monthly.** API tokens can be stolen; refresh them frequently. 7. **Enable Memory encryption.** Set `ENCRYPT_CREDENTIALS=true` in `.env`. 8. **Audit agent logs weekly.** Look for unexpected API calls or data access patterns. --- ## Part 1: Prerequisites Before starting, verify you have: ### 1.1 System Requirements - **Docker & Docker Compose**: v20.10+ (install from https://docs.docker.com/get-docker/) - **Node.js**: v18.0+ (for local skill development, optional) - **Python**: v3.10+ (for some MCP servers, optional) - **Git**: for cloning the OpenClaw repository - **RAM**: 8GB+ available (Gateway 512MB, Brain 2GB, Memory 1GB, each skill 512MB) - **Disk**: 50GB+ for Docker images and agent logs - **Network**: Outbound HTTPS access to your data sources and LLM providers ### 1.2 API Keys Before you start, gather these credentials. Store them securely (password manager, not in git): - **LLM Provider:** OpenAI API key (`sk-...`) OR Anthropic API key (`sk-ant-...`) - **Jira/YouTrack/Linear:** API token or personal access token - **Slack:** Bot token (`xoxb-...`) - **Zendesk/Intercom:** API token - **Salesforce/HubSpot:** OAuth credentials or API key - **GitHub:** Personal access token (`ghp_...`) - **Google Calendar:** OAuth service account JSON - **Gong:** Access key pair - **PagerDuty:** API token - **Sentry:** Auth token - **Analytics:** API key or database credentials ### 1.3 Verify Docker Installation ```bash docker --version docker run hello-world ``` Both should succeed without errors. --- ## Part 2: Install OpenClaw ### 2.1 Clone the Repository ```bash git clone https://github.com/openclaw-ai/openclaw.git cd openclaw ``` ### 2.2 Create Environment File Copy the example environment file: ```bash cp .env.example .env ``` ### 2.3 Configure the Environment Edit `.env` with your actual values: ```bash # LLM Provider, Choose ONE BRAIN_PROVIDER=anthropic ANTHROPIC_API_KEY=sk-ant-your-actual-key-here # OR BRAIN_PROVIDER=openai OPENAI_API_KEY=sk-your-actual-key-here # Memory Storage MEMORY_BACKEND=redis # or postgres if you prefer MEMORY_BACKEND=postgres DATABASE_URL=postgresql://user:password@postgres:5432/openclaw # Redis (if using Redis) REDIS_URL=redis://redis:6379/0 # Encryption (CRITICAL) ENCRYPT_CREDENTIALS=true ENCRYPTION_KEY=your-32-character-encryption-key-here # Security ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8080 GATEWAY_PORT=8080 DASHBOARD_PORT=3000 # Logging LOG_LEVEL=info ``` **Important:** Use strong, random values for `ENCRYPTION_KEY`. Generate one: ```bash openssl rand -base64 32 ``` ### 2.4 Start OpenClaw with Docker Compose ```bash docker compose up -d ``` This starts: - **Gateway** on http://localhost:8080 - **Dashboard** on http://localhost:3000 - **Redis** or **Postgres** for memory Monitor the startup: ```bash docker compose logs -f ``` Wait 30-60 seconds for all services to be healthy. ### 2.5 Verify Installation ```bash # Check Gateway health curl http://localhost:8080/health # Expected response: # {"status":"healthy","version":"3.2.1"} # Check Dashboard is running curl http://localhost:3000 # Open dashboard in browser open http://localhost:3000 # or firefox http://localhost:3000 ``` If all return 200 status, OpenClaw is running. --- ## Part 3: Skills Configuration (MCP Connections) OpenClaw uses YAML-based skills configuration. Each skill is an MCP server wrapped with environment variables and execution parameters. ### 3.1 Understanding Skills Configuration Skills are defined in `skills.yaml` in the OpenClaw root directory. Basic structure: ```yaml skills: my-skill-name: type: mcp # Always "mcp" for MCP-based skills server: "@org/mcp-server-name" # NPM package name enabled: true # Enable/disable without removing config env: # Environment variables passed to the MCP server API_KEY: "${API_KEY}" # Use ${VAR} to reference .env values API_SECRET: "${API_SECRET}" timeout: 30000 # Request timeout in milliseconds cache_ttl: 3600 # Cache MCP responses for 1 hour retry_attempts: 2 # Retry failed requests ``` ### 3.2 Create Skills Configuration File Create `skills.yaml` in your OpenClaw root directory: ```bash touch skills.yaml ``` --- ## Part 4: Connect Jira / YouTrack / Linear **Used by:** 15 of 18 agents, this is the highest-priority connection. ### 4.1 Jira via Atlassian MCP Server **Step 1: Generate an API Token** 1. Go to https://id.atlassian.com/manage-profile/security/api-tokens 2. Click "Create API token" 3. Name: "OpenClaw MCP Access" 4. Copy the token immediately 5. Note your Atlassian email and Jira instance URL **Step 2: Add to `.env`** ```bash # In .env file ATLASSIAN_SITE_URL=https://yourcompany.atlassian.net ATLASSIAN_USER_EMAIL=your.email@company.com ATLASSIAN_API_TOKEN=your-api-token-here ``` **Step 3: Add to `skills.yaml`** ```yaml skills: atlassian: type: mcp server: "@anthropic-ai/mcp-server-atlassian" enabled: true env: ATLASSIAN_SITE_URL: "${ATLASSIAN_SITE_URL}" ATLASSIAN_USER_EMAIL: "${ATLASSIAN_USER_EMAIL}" ATLASSIAN_API_TOKEN: "${ATLASSIAN_API_TOKEN}" timeout: 30000 cache_ttl: 3600 retry_attempts: 2 ``` **Step 4: Verify the Connection** Restart the Brain service: ```bash docker compose restart openclaw-brain ``` Check logs: ```bash docker compose logs openclaw-brain | grep -i "atlassian\|skill" ``` Query the skill via the Gateway: ```bash curl -X POST http://localhost:8080/agent/query \ -H "Content-Type: application/json" \ -d '{ "skill": "atlassian", "action": "list_projects", "params": {} }' ``` Expected response: JSON list of your Jira projects. ### 4.2 YouTrack **Step 1: Generate a Permanent Token** 1. In YouTrack, go to Profile (top-right avatar) then "Account Security" 2. Click "New token..." 3. Scope: `YouTrack` (read access) 4. Copy the token **Step 2: Add to `skills.yaml`** ```yaml youtrack: type: mcp server: "mcp-server-youtrack" enabled: true env: YOUTRACK_URL: "${YOUTRACK_URL}" YOUTRACK_TOKEN: "${YOUTRACK_TOKEN}" timeout: 30000 cache_ttl: 3600 ``` **Step 3: Add to `.env`** ```bash YOUTRACK_URL=https://yourcompany.youtrack.cloud YOUTRACK_TOKEN=perm:your-token-here ``` ### 4.3 Linear **Step 1: Create an API Key** 1. In Linear Settings then "API" then "Personal API keys" 2. Click "Create key" 3. Copy the key **Step 2: Add to `skills.yaml`** ```yaml linear: type: mcp server: "@anthropic-ai/mcp-server-linear" enabled: true env: LINEAR_API_KEY: "${LINEAR_API_KEY}" timeout: 30000 cache_ttl: 3600 ``` --- ## Part 5: Connect Slack **Used by:** 14 of 18 agents, the second most critical connection. ### 5.1 Create a Slack App 1. Go to https://api.slack.com/apps 2. Click "Create New App" then "From scratch" 3. Name: "OpenClaw PM Agent" 4. Select your workspace 5. Click "Create App" ### 5.2 Configure OAuth Scopes Go to "OAuth & Permissions" in the left sidebar. Under "Bot Token Scopes," add: - `channels:history`, Read messages in public channels - `channels:read`, List public channels - `groups:history`, Read messages in private channels - `groups:read`, List private channels - `users:read`, Read user profiles - `search:read`, Search messages - `chat:write`, Post messages ### 5.3 Install to Workspace 1. Click "Install to Workspace" 2. Review and click "Allow" 3. Copy the "Bot User OAuth Token" (starts with `xoxb-`) ### 5.4 Invite Bot to Channels In Slack, type `/invite @OpenClaw PM Agent` in: - `#production-incidents` - `#team-product` - `#customer-escalations` - `#roadmap` ### 5.5 Add to `skills.yaml` ```yaml slack: type: mcp server: "@anthropic-ai/mcp-server-slack" enabled: true env: SLACK_BOT_TOKEN: "${SLACK_BOT_TOKEN}" SLACK_TEAM_ID: "${SLACK_TEAM_ID}" timeout: 30000 cache_ttl: 1800 retry_attempts: 2 ``` ### 5.6 Add to `.env` ```bash SLACK_BOT_TOKEN=xoxb-your-token-here SLACK_TEAM_ID=T01234567 ``` To find Team ID: in Slack, click your workspace name (top-left) then "Settings & administration" then "Workspace settings." The ID is in the URL. --- ## Part 6: Connect Zendesk / Intercom **Used by:** 6 agents, critical for Red Flag Detection. ### 6.1 Zendesk **Step 1: Generate an API Token** 1. In Zendesk Admin Center, go to "Apps and integrations" then "Zendesk API" 2. Enable "Token access" if needed 3. Click "Add API token" 4. Name: "OpenClaw" 5. Copy the token **Step 2: Add to `skills.yaml`** ```yaml zendesk: type: mcp server: "mcp-server-zendesk" enabled: true env: ZENDESK_SUBDOMAIN: "${ZENDESK_SUBDOMAIN}" ZENDESK_EMAIL: "${ZENDESK_EMAIL}" ZENDESK_API_TOKEN: "${ZENDESK_API_TOKEN}" timeout: 30000 cache_ttl: 3600 ``` **Step 3: Add to `.env`** ```bash ZENDESK_SUBDOMAIN=yourcompany ZENDESK_EMAIL=your.email@company.com ZENDESK_API_TOKEN=your-token-here ``` ### 6.2 Intercom **Step 1: Create an Access Token** 1. In Intercom, go to Settings then "Developers" then "Developer Hub" 2. Create a new app or select existing 3. Go to "Authentication" and copy the Access Token **Step 2: Add to `skills.yaml`** ```yaml intercom: type: mcp server: "mcp-server-intercom" enabled: true env: INTERCOM_ACCESS_TOKEN: "${INTERCOM_ACCESS_TOKEN}" timeout: 30000 cache_ttl: 3600 ``` --- ## Part 7: Connect Salesforce / HubSpot **Used by:** 7 agents, essential for GTM and customer health agents. ### 7.1 Salesforce **Option A: Connected App (Direct)** 1. In Salesforce Setup, search "App Manager" 2. Click "New Connected App" 3. Enable OAuth Settings 4. Callback URL: `http://localhost:8080/callback` 5. OAuth Scopes: `api`, `refresh_token`, `offline_access` 6. Save and note Consumer Key and Consumer Secret **Step 2: Get Your Security Token** 1. My Settings then Personal then "Reset My Security Token" 2. Check your email for the token **Step 3: Add to `.env`** ```bash SF_LOGIN_URL=https://login.salesforce.com SF_CLIENT_ID=your-consumer-key SF_CLIENT_SECRET=your-consumer-secret SF_USERNAME=your.email@company.com SF_PASSWORD=your-password SF_SECURITY_TOKEN=your-security-token ``` **Step 4: Add to `skills.yaml`** ```yaml salesforce: type: mcp server: "mcp-server-salesforce" enabled: true env: SF_LOGIN_URL: "${SF_LOGIN_URL}" SF_CLIENT_ID: "${SF_CLIENT_ID}" SF_CLIENT_SECRET: "${SF_CLIENT_SECRET}" SF_USERNAME: "${SF_USERNAME}" SF_PASSWORD: "${SF_PASSWORD}" SF_SECURITY_TOKEN: "${SF_SECURITY_TOKEN}" timeout: 30000 cache_ttl: 3600 ``` ### 7.2 HubSpot **Step 1: Create a Private App** 1. In HubSpot Settings then "Integrations" then "Private Apps" 2. Click "Create a private app" 3. Name: "OpenClaw PM Agent" 4. Scopes: `crm.objects.contacts.read`, `crm.objects.deals.read`, `crm.objects.companies.read` 5. Create and copy the access token **Step 2: Add to `skills.yaml`** ```yaml hubspot: type: mcp server: "mcp-server-hubspot" enabled: true env: HUBSPOT_ACCESS_TOKEN: "${HUBSPOT_ACCESS_TOKEN}" timeout: 30000 cache_ttl: 3600 ``` --- ## Part 8: Connect GitHub **Used by:** 5 agents (Engineering Capacity, Release Readiness, Release Checker, Product Dashboard, Documentation Gaps). ### 8.1 Generate Personal Access Token 1. Go to https://github.com/settings/tokens 2. Click "Generate new token (classic)" 3. Scopes: `repo` (full access, for private repos) and `read:org` 4. Copy the token ### 8.2 Add to `skills.yaml` ```yaml github: type: mcp server: "@anthropic-ai/mcp-server-github" enabled: true env: GITHUB_TOKEN: "${GITHUB_TOKEN}" timeout: 30000 cache_ttl: 1800 ``` ### 8.3 Add to `.env` ```bash GITHUB_TOKEN=ghp_your-token-here ``` --- ## Part 9: Connect Google Calendar **Used by:** 3 agents (Daily Focus, Team Triage, Executive Report). ### 9.1 Create OAuth Credentials 1. Go to https://console.cloud.google.com 2. Create a new project or select existing 3. Enable Google Calendar API: APIs & Services then Library then search "Google Calendar API" 4. Create credentials: APIs & Services then Credentials then "Create Credentials" then "OAuth client ID" 5. Application type: "Desktop app" 6. Download the JSON file ### 9.2 Add to `skills.yaml` ```yaml google_calendar: type: mcp server: "mcp-server-google-calendar" enabled: true env: GOOGLE_CLIENT_ID: "${GOOGLE_CLIENT_ID}" GOOGLE_CLIENT_SECRET: "${GOOGLE_CLIENT_SECRET}" GOOGLE_REDIRECT_URI: "http://localhost:8080/callback" timeout: 30000 cache_ttl: 1800 ``` ### 9.3 Add to `.env` ```bash GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com GOOGLE_CLIENT_SECRET=your-client-secret ``` --- ## Part 10: Connect Analytics (Amplitude / Mixpanel / Direct DB) **Used by:** 4 agents (Product Health, Product Dashboard, Executive Report, GTM Monitoring). ### 10.1 Amplitude **Step 1: Get API Credentials** 1. In Amplitude, go to Settings then "Projects" then select your project 2. Note the API Key and Secret Key **Step 2: Add to `skills.yaml`** ```yaml amplitude: type: mcp server: "@anthropic-ai/mcp-server-fetch" enabled: true env: AMPLITUDE_API_KEY: "${AMPLITUDE_API_KEY}" AMPLITUDE_SECRET_KEY: "${AMPLITUDE_SECRET_KEY}" timeout: 30000 cache_ttl: 3600 ``` ### 10.2 Direct Database Access (Recommended for Complex Analytics) For maximum flexibility, connect directly to your analytics database: **Step 1: Create a Read-Only Database User** ```sql CREATE ROLE openclaw_readonly WITH LOGIN PASSWORD 'secure-password'; GRANT CONNECT ON DATABASE analytics TO openclaw_readonly; GRANT USAGE ON SCHEMA public TO openclaw_readonly; GRANT SELECT ON ALL TABLES IN SCHEMA public TO openclaw_readonly; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO openclaw_readonly; ``` **Step 2: Add to `.env`** ```bash ANALYTICS_DB_URL=postgresql://openclaw_readonly:password@your-db-host:5432/analytics ``` **Step 3: Add to `skills.yaml`** ```yaml analytics_db: type: mcp server: "mcp-server-postgres" enabled: true env: DATABASE_URL: "${ANALYTICS_DB_URL}" timeout: 30000 cache_ttl: 3600 ``` --- ## Part 11: Connect Gong (Call Intelligence) **Used by:** 3 agents (Customer Commitments, Competitive Intel, Market Intel). ### 11.1 Get API Credentials 1. In Gong, go to Company Settings then "API" 2. Create a new API key pair 3. Copy Access Key and Access Key Secret ### 11.2 Add to `skills.yaml` ```yaml gong: type: mcp server: "mcp-server-gong" enabled: true env: GONG_ACCESS_KEY: "${GONG_ACCESS_KEY}" GONG_ACCESS_KEY_SECRET: "${GONG_ACCESS_KEY_SECRET}" timeout: 30000 cache_ttl: 3600 ``` ### 11.3 Add to `.env` ```bash GONG_ACCESS_KEY=your-access-key GONG_ACCESS_KEY_SECRET=your-secret ``` --- ## Part 12: Connect PagerDuty **Used by:** 3 agents (Red Flag Detection, Product Health, Release Readiness). ### 12.1 Get API Key 1. In PagerDuty, go to User Settings then "API Access" 2. Create a new API key (read-only is sufficient) ### 12.2 Add to `skills.yaml` ```yaml pagerduty: type: mcp server: "mcp-server-pagerduty" enabled: true env: PAGERDUTY_API_KEY: "${PAGERDUTY_API_KEY}" timeout: 30000 cache_ttl: 1800 ``` ### 12.3 Add to `.env` ```bash PAGERDUTY_API_KEY=your-api-key-here ``` --- ## Part 13: Connect Sentry (Error Tracking) **Used by:** 3 agents (Product Health, Release Checker, Red Flag Detection). ### 13.1 Get Auth Token 1. In Sentry, go to Settings then "Auth Tokens" 2. Create a new token with `project:read` and `event:read` scopes ### 13.2 Add to `skills.yaml` ```yaml sentry: type: mcp server: "mcp-server-sentry" enabled: true env: SENTRY_AUTH_TOKEN: "${SENTRY_AUTH_TOKEN}" SENTRY_ORG: "${SENTRY_ORG}" timeout: 30000 cache_ttl: 1800 ``` ### 13.3 Add to `.env` ```bash SENTRY_AUTH_TOKEN=sntrys_your-token-here SENTRY_ORG=your-org-slug ``` --- ## Part 14: Complete `skills.yaml` File Here is a full configuration file with all 10 data sources. Copy this into your `skills.yaml`: ```yaml skills: # Issue Tracking (Jira/YouTrack/Linear) atlassian: type: mcp server: "@anthropic-ai/mcp-server-atlassian" enabled: true env: ATLASSIAN_SITE_URL: "${ATLASSIAN_SITE_URL}" ATLASSIAN_USER_EMAIL: "${ATLASSIAN_USER_EMAIL}" ATLASSIAN_API_TOKEN: "${ATLASSIAN_API_TOKEN}" timeout: 30000 cache_ttl: 3600 retry_attempts: 2 # Communication Platform slack: type: mcp server: "@anthropic-ai/mcp-server-slack" enabled: true env: SLACK_BOT_TOKEN: "${SLACK_BOT_TOKEN}" SLACK_TEAM_ID: "${SLACK_TEAM_ID}" timeout: 30000 cache_ttl: 1800 retry_attempts: 2 # Support System zendesk: type: mcp server: "mcp-server-zendesk" enabled: true env: ZENDESK_SUBDOMAIN: "${ZENDESK_SUBDOMAIN}" ZENDESK_EMAIL: "${ZENDESK_EMAIL}" ZENDESK_API_TOKEN: "${ZENDESK_API_TOKEN}" timeout: 30000 cache_ttl: 3600 retry_attempts: 2 # CRM Systems salesforce: type: mcp server: "mcp-server-salesforce" enabled: true env: SF_LOGIN_URL: "${SF_LOGIN_URL}" SF_CLIENT_ID: "${SF_CLIENT_ID}" SF_CLIENT_SECRET: "${SF_CLIENT_SECRET}" SF_USERNAME: "${SF_USERNAME}" SF_PASSWORD: "${SF_PASSWORD}" SF_SECURITY_TOKEN: "${SF_SECURITY_TOKEN}" timeout: 30000 cache_ttl: 3600 retry_attempts: 2 hubspot: type: mcp server: "mcp-server-hubspot" enabled: true env: HUBSPOT_ACCESS_TOKEN: "${HUBSPOT_ACCESS_TOKEN}" timeout: 30000 cache_ttl: 3600 retry_attempts: 2 # Version Control github: type: mcp server: "@anthropic-ai/mcp-server-github" enabled: true env: GITHUB_TOKEN: "${GITHUB_TOKEN}" timeout: 30000 cache_ttl: 1800 retry_attempts: 2 # Calendar google_calendar: type: mcp server: "mcp-server-google-calendar" enabled: true env: GOOGLE_CLIENT_ID: "${GOOGLE_CLIENT_ID}" GOOGLE_CLIENT_SECRET: "${GOOGLE_CLIENT_SECRET}" GOOGLE_REDIRECT_URI: "http://localhost:8080/callback" timeout: 30000 cache_ttl: 1800 retry_attempts: 1 # Analytics analytics_db: type: mcp server: "mcp-server-postgres" enabled: true env: DATABASE_URL: "${ANALYTICS_DB_URL}" timeout: 30000 cache_ttl: 3600 retry_attempts: 2 # Call Intelligence gong: type: mcp server: "mcp-server-gong" enabled: true env: GONG_ACCESS_KEY: "${GONG_ACCESS_KEY}" GONG_ACCESS_KEY_SECRET: "${GONG_ACCESS_KEY_SECRET}" timeout: 30000 cache_ttl: 3600 retry_attempts: 2 # Incident Management pagerduty: type: mcp server: "mcp-server-pagerduty" enabled: true env: PAGERDUTY_API_KEY: "${PAGERDUTY_API_KEY}" timeout: 30000 cache_ttl: 1800 retry_attempts: 2 # Error Tracking sentry: type: mcp server: "mcp-server-sentry" enabled: true env: SENTRY_AUTH_TOKEN: "${SENTRY_AUTH_TOKEN}" SENTRY_ORG: "${SENTRY_ORG}" timeout: 30000 cache_ttl: 1800 retry_attempts: 2 ``` Load this configuration: ```bash docker compose restart openclaw-brain docker compose logs -f openclaw-brain ``` Wait for "Skills loaded successfully" message. --- ## Part 15: Scheduling with Heartbeat Daemon OpenClaw's Heartbeat daemon enables cron-like scheduling. Agents run automatically on a schedule and post results to Slack or other channels. ### 15.1 Create `heartbeat.yaml` ```bash touch heartbeat.yaml ``` Add your schedules: ```yaml schedules: # Daily Focus Agent, 7 AM weekdays daily-focus: cron: "0 7 * * 1-5" agent: "daily-focus-agent" skills: - atlassian - slack - google_calendar output: type: slack channel: "#daily-focus" format: markdown timeout: 300000 # Red Flag Detection, 9 AM weekdays red-flag-detection: cron: "0 9 * * 1-5" agent: "red-flag-agent" skills: - atlassian - slack - zendesk - salesforce - pagerduty output: type: slack channel: "#red-flags" format: markdown timeout: 300000 # Executive Report, Monday 7 AM executive-report: cron: "0 7 * * 1" agent: "executive-agent" skills: - atlassian - slack - salesforce - google_calendar - analytics_db output: type: slack channel: "#executive-updates" format: markdown timeout: 360000 # Product Health, Daily 4 PM product-health: cron: "0 16 * * *" agent: "product-health-agent" skills: - atlassian - slack - zendesk - analytics_db - pagerduty - sentry output: type: slack channel: "#product-health" format: markdown timeout: 300000 # Engineering Capacity, Fridays 5 PM engineering-capacity: cron: "0 17 * * 5" agent: "engineering-agent" skills: - atlassian - github output: type: slack channel: "#engineering-capacity" format: markdown timeout: 300000 # Release Readiness, Weekdays 10 AM release-readiness: cron: "0 10 * * 1-5" agent: "release-agent" skills: - atlassian - slack - github - pagerduty output: type: slack channel: "#releases" format: markdown timeout: 300000 ``` ### 15.2 Enable Heartbeat Daemon In Docker Compose, ensure the Heartbeat service is running: ```bash docker compose ps ``` You should see `openclaw-heartbeat` with status `Up`. If not, add it to `docker-compose.yml`: ```yaml openclaw-heartbeat: image: openclaw/heartbeat:3.2.1 container_name: openclaw-heartbeat depends_on: - openclaw-brain volumes: - ./heartbeat.yaml:/app/heartbeat.yaml - ./skills.yaml:/app/skills.yaml environment: - BRAIN_URL=http://openclaw-brain:5000 - LOG_LEVEL=info networks: - openclaw ``` Restart: ```bash docker compose restart openclaw-heartbeat docker compose logs -f openclaw-heartbeat ``` You should see "Loaded X schedules" message. --- ## Part 16: Data Source Matrix, Which Agents Need What | Agent | Jira | Slack | Zendesk | Salesforce | GitHub | Calendar | Gong | Analytics | PagerDuty | Sentry | |-------|------|-------|---------|------------|--------|----------|------|-----------|-----------|--------| | Daily Focus | yes | yes |, |, |, | yes |, |, |, |, | | PM Issues | yes | yes |, |, |, |, |, |, |, |, | | Documentation Gaps | yes |, | yes |, | yes |, |, |, |, |, | | GTM Monitoring | yes | yes |, | yes |, |, |, | yes |, |, | | Red Flag Detection | yes | yes | yes | yes |, |, |, |, | yes | yes | | Product Ops | yes | yes | yes | yes |, |, |, | yes |, |, | | Roadmap Tracker | yes | yes |, | yes |, |, |, |, |, |, | | Team Triage | yes | yes |, |, |, | yes |, |, |, |, | | Product Health | yes | yes | yes |, |, |, |, | yes | yes | yes | | Executive Report | yes | yes |, | yes |, | yes |, | yes |, |, | | Weekly Ops Digest | yes | yes | yes |, |, |, |, | yes |, |, | | Engineering Capacity | yes |, |, |, | yes |, |, |, |, |, | | Product Dashboard | yes |, | yes | yes | yes |, |, | yes |, |, | | Release Readiness | yes | yes |, |, | yes |, |, |, | yes |, | | Release Checker | yes |, |, |, | yes |, |, | yes |, | yes | | Customer Commitments | yes | yes |, | yes |, |, | yes |, |, |, | | Competitive Intel |, | yes |, | yes |, |, | yes |, |, |, | | Market Intel |, | yes |, |, |, |, | yes | yes |, |, | --- ## Part 17: Agent Configuration & Prompt Files Store agent definitions in a dedicated directory: ``` ~/openclaw-agents/ agents/ daily-focus.json red-flag-detection.json pm-issues.json documentation-gaps.json gtm-monitoring.json product-ops.json roadmap-tracker.json team-triage.json product-health.json executive-report.json weekly-ops-digest.json engineering-capacity.json product-dashboard.json release-readiness.json release-checker.json customer-commitments.json competitive-intel.json market-intel.json prompts/ daily-focus.txt red-flag-detection.txt # ... one per agent logs/ outputs/ ``` Each agent is defined as JSON: ```json { "id": "daily-focus-agent", "name": "Daily Focus Agent", "description": "Reads calendar, Slack, and Jira to produce morning focus report", "skills": ["atlassian", "slack", "google_calendar"], "model": "claude-3-5-sonnet", "system_prompt": "You are a PM daily focus agent...", "temperature": 0.7, "max_tokens": 2000 } ``` Load via the Gateway API: ```bash curl -X POST http://localhost:8080/agents \ -H "Content-Type: application/json" \ -d @agents/daily-focus.json ``` --- ## Part 18: Security Best Practices ### 18.1 Use Environment Variables for All Credentials Never hardcode tokens in `skills.yaml` or `heartbeat.yaml`. Always use `${VAR_NAME}` syntax. ```yaml # WRONG api_token: "sk-abc123xyz" # CORRECT api_token: "${MY_API_TOKEN}" ``` ### 18.2 Rotate Credentials Every 30 Days Set calendar reminders to: 1. Generate new tokens in each data source 2. Update `.env` file 3. Restart OpenClaw: `docker compose restart` ### 18.3 Enable Memory Encryption Always set in `.env`: ```bash ENCRYPT_CREDENTIALS=true ENCRYPTION_KEY=your-32-character-random-key ``` Generate a new key: ```bash openssl rand -base64 32 ``` ### 18.4 Use Read-Only API Tokens For every data source, request minimum permissions: - Jira: Read-only API token (don't allow create/update) - Slack: Bot scopes only (no user tokens) - GitHub: `repo:read` only (no write access) - Salesforce: Query API, not update API - Database: `SELECT` only (no INSERT/UPDATE/DELETE) ### 18.5 Network Security - **Never expose Gateway to the public internet.** Run behind a VPN or private network. - **Use VPN or bastion host** to access the dashboard from remote locations. - **Firewall rules**: Only allow traffic from your team's IP ranges to port 8080. - **Disable Docker port exposure** if running on a shared server: ```yaml # docker-compose.yml services: openclaw-gateway: ports: - "127.0.0.1:8080:8080" # Only localhost ``` ### 18.6 Monitor Logs for Anomalies Check logs weekly: ```bash docker compose logs --tail=1000 openclaw-brain | grep -i "error\|fail\|unauthorized" ``` Look for: - Unexpected API calls - Authentication failures - Skill failures - Unusual data access patterns ### 18.7 Subscribe to Security Advisories Watch OpenClaw CVEs: - GitHub: https://github.com/openclaw-ai/openclaw/security/advisories - Email: Subscribe to https://openclaw-ai.io/security-feed --- ## Part 19: Troubleshooting ### "Docker: permission denied while trying to connect to the Docker daemon" You need sudo access or to add your user to the docker group: ```bash sudo usermod -aG docker $USER newgrp docker ``` Then try again. ### "Skills failed to load" Check the Brain logs: ```bash docker compose logs openclaw-brain | tail -50 ``` Common causes: 1. YAML syntax error in `skills.yaml`, validate with: `yamllint skills.yaml` 2. Environment variables not set, check `.env` has all required keys 3. MCP server package not installed, check `docker compose exec openclaw-brain npm list` 4. API token invalid, test the token manually outside OpenClaw first ### "Agent returns empty results or errors" 1. Verify the skill works independently: ```bash curl -X POST http://localhost:8080/agent/query \ -H "Content-Type: application/json" \ -d '{ "skill": "atlassian", "action": "list_projects" }' ``` 2. Check API rate limits, most tools limit to 100-1000 requests/hour. OpenClaw may be hitting limits. 3. Verify API token has correct scopes. Test via the tool's native API. ### "Memory service crashes" If using Postgres: ```bash docker compose logs openclaw-memory | tail -50 ``` Check the database is running and CONNECTION string is correct. If using Redis: ```bash docker compose exec openclaw-memory redis-cli ping ``` Should return `PONG`. ### "Heartbeat daemon not running schedules" 1. Check the daemon is healthy: `docker compose ps | grep heartbeat` 2. Verify `heartbeat.yaml` syntax: use a YAML validator 3. Check cron expressions: test at https://crontab.guru 4. Look at logs: `docker compose logs openclaw-heartbeat | tail -100` ### "Agent output not posting to Slack" 1. Verify Slack skill is configured and enabled 2. Check the bot is invited to the target channel: `/invite @OpenClaw PM Agent` in Slack 3. Verify bot has `chat:write` scope 4. Test manually: `curl -X POST http://localhost:8080/agent/slack-post -d ...` --- ## Part 20: Quick Start Roadmap Start small and expand. This reduces risk and lets you validate each connection. ### Week 1: Foundation **Connect:** 1. Jira (or YouTrack/Linear) 2. Slack 3. Zendesk **Deploy 3 agents:** 1. Daily Focus (reads Jira, Slack, Calendar, validates core setup) 2. Red Flag Detection (reads Jira, Slack, Zendesk, Salesforce, PagerDuty) 3. Product Health (reads Jira, Slack, Zendesk, Analytics, PagerDuty, Sentry) **Validate:** - Cron schedules execute on time - Slack messages post correctly - No credential leaks in logs ### Week 2: Expand Data Sources **Add:** - Salesforce or HubSpot - GitHub - Google Calendar (if using Daily Focus Agent) **Deploy 3 more agents:** - Team Triage - Release Readiness - Engineering Capacity ### Week 3: Analytics & Advanced **Add:** - Analytics DB (Postgres connection) - Gong (if you use Gong) - PagerDuty (if not already connected) **Deploy 4 more agents:** - Executive Report - Product Dashboard - GTM Monitoring - Product Ops ### Month 2: Full Fleet **Add:** - Sentry - Any remaining data sources **Deploy final 5 agents:** - PM Issues - Documentation Gaps - Roadmap Tracker - Weekly Ops Digest - Customer Commitments - Competitive Intel - Market Intel --- ## Appendix: Complete `.env` Template Copy and customize: ```bash # LLM Provider (choose one) BRAIN_PROVIDER=anthropic ANTHROPIC_API_KEY=sk-ant-your-key-here # BRAIN_PROVIDER=openai # OPENAI_API_KEY=sk-your-key-here # Memory Storage MEMORY_BACKEND=redis REDIS_URL=redis://redis:6379/0 # Or Postgres: # MEMORY_BACKEND=postgres # DATABASE_URL=postgresql://user:password@postgres:5432/openclaw # Encryption (CRITICAL) ENCRYPT_CREDENTIALS=true ENCRYPTION_KEY=your-32-character-random-key-from-openssl # Security ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8080 GATEWAY_PORT=8080 DASHBOARD_PORT=3000 # Logging LOG_LEVEL=info # Issue Tracker ATLASSIAN_SITE_URL=https://yourcompany.atlassian.net ATLASSIAN_USER_EMAIL=your.email@company.com ATLASSIAN_API_TOKEN=your-token YOUTRACK_URL=https://yourcompany.youtrack.cloud YOUTRACK_TOKEN=perm:your-token LINEAR_API_KEY=lin_api_your-key # Communication SLACK_BOT_TOKEN=xoxb-your-token SLACK_TEAM_ID=T01234567 # Support ZENDESK_SUBDOMAIN=yourcompany ZENDESK_EMAIL=your.email@company.com ZENDESK_API_TOKEN=your-token INTERCOM_ACCESS_TOKEN=your-token # CRM SF_LOGIN_URL=https://login.salesforce.com SF_CLIENT_ID=your-consumer-key SF_CLIENT_SECRET=your-consumer-secret SF_USERNAME=your.email@company.com SF_PASSWORD=your-password SF_SECURITY_TOKEN=your-token HUBSPOT_ACCESS_TOKEN=pat-na1-your-token # Version Control GITHUB_TOKEN=ghp_your-token # Calendar GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com GOOGLE_CLIENT_SECRET=your-client-secret # Analytics ANALYTICS_DB_URL=postgresql://openclaw_readonly:password@your-db-host:5432/analytics AMPLITUDE_API_KEY=your-api-key AMPLITUDE_SECRET_KEY=your-secret-key # Call Intelligence GONG_ACCESS_KEY=your-access-key GONG_ACCESS_KEY_SECRET=your-secret # Incident Management PAGERDUTY_API_KEY=your-api-key # Error Tracking SENTRY_AUTH_TOKEN=sntrys_your-token SENTRY_ORG=your-org-slug ``` --- ## Appendix: Useful Commands ```bash # View all running services docker compose ps # View logs for a specific service docker compose logs openclaw-brain -f # Restart everything docker compose restart # Restart just the Brain (picks up skills.yaml changes) docker compose restart openclaw-brain # Stop all services docker compose down # Stop and remove all data (WARNING: deletes agent state) docker compose down -v # Execute command inside a container docker compose exec openclaw-brain npm list # Check disk usage docker system df # Prune unused Docker images docker image prune -a # Test a specific skill curl -X POST http://localhost:8080/agent/query \ -H "Content-Type: application/json" \ -d '{"skill": "atlassian", "action": "list_projects"}' # View Heartbeat schedule runs docker compose logs openclaw-heartbeat | grep "executed\|failed" # Check Memory service health docker compose exec openclaw-memory redis-cli ping # or for Postgres docker compose exec openclaw-memory psql -U user -d openclaw -c "SELECT 1" ``` --- ## Final Checklist Before running agents in production: - [ ] All 10 data sources are connected and tested - [ ] `.env` uses environment variables, not hardcoded tokens - [ ] `ENCRYPT_CREDENTIALS=true` is set - [ ] Slack bot is invited to all required channels - [ ] `heartbeat.yaml` schedules are validated at crontab.guru - [ ] OpenClaw is running behind a VPN or private network - [ ] Logs are being reviewed weekly for anomalies - [ ] You've subscribed to OpenClaw security advisories - [ ] Credentials are set to rotate every 30 days (calendar reminder set) - [ ] You've read the CVE section and understand the risks You're ready to deploy.