Key Findings
  • The CMD script is essentially a PowerShell wrapper -- install.cmd (102 lines) downloads install.ps1 to %TEMP%, then executes it with powershell -ExecutionPolicy Bypass, bypassing the common PowerShell execution policy restrictions in enterprise environments
  • Onboard 2026.2.25 introduces QuickStart mode -- one-click setup of Gateway port 18789, Loopback binding, Token Auth enabled by default, eliminating the step-by-step manual configuration required in older versions
  • Qwen OAuth free model integration -- completes authorization through Device Code Flow (chat.qwen.ai/authorize), no need to manually paste API Keys, with automatic token refresh
  • Gateway service installation requires administrator privileges (depends on schtasks under the hood) -- non-administrator environments can use foreground mode openclaw gateway as an alternative; once the Gateway is listening normally, Dashboard and Telegram can connect

I. Why Choose CMD Installation

OpenClaw provides three installation paths on Windows: PowerShell one-liner (iwr | iex), CMD script, and Shell installation under WSL2. We have previously documented the PowerShell installation path and the WSL2 deployment guide. This article focuses on the second path -- CMD script installation.

Three practical scenarios for choosing CMD installation:

  1. Restricted PowerShell Execution Policy: Many enterprise environments set PowerShell's ExecutionPolicy to Restricted or AllSigned via Group Policy, prohibiting execution of unsigned scripts. install.cmd bypasses this restriction through the -ExecutionPolicy Bypass parameter, which is the most straightforward solution
  2. Non-PowerShell terminal environments: In third-party terminals such as Git Bash, MSYS2, or ConEmu, CMD scripts are easier to execute directly than PowerShell commands
  3. CI/CD pipeline requirements: Some Windows CI runners (such as Jenkins agents) default to CMD rather than PowerShell, and install.cmd can be directly embedded into build scripts

How install.cmd Works Internally

The official install.cmd is 102 lines long and is essentially a lean PowerShell wrapper[1]. Its core logic can be broken down into four stages:

  1. Parameter parsing: Supports --git, --npm (default), --tag <ver>, --no-onboard, --no-git-update, --dry-run
  2. Pre-flight checks: Verifies whether curl and powershell are available
  3. Download install.ps1: Downloads from https://openclaw.ai/install.ps1 to %TEMP%\openclaw-install.ps1
  4. Delegated execution: Executes with powershell -NoProfile -ExecutionPolicy Bypass -File "%TMP%" %PS_ARGS%, then automatically deletes the temporary file

Key design decision: -ExecutionPolicy Bypass ensures the installation script can execute even when the system ExecutionPolicy is set to Restricted. This is the core advantage of the CMD installation path over directly running iwr | iex in PowerShell -- the latter will be blocked under strict policies.
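Because the wrapper downloads a second script and runs it with the execution policy bypassed, it is worth reviewing a saved copy of install.cmd before running it. The following is an added example, not OpenClaw's code: it hashes the script, compares it to a hash you recorded after review, and lists the URLs it fetches and any PowerShell launch that passes a policy bypass. The sample script text is constructed from the four stages described above (it is not the real install.cmd), and the function names and the allowed-host list are assumptions.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for install.cmd, modelled on the four stages described
# above. It is NOT the real script; pass the bytes of your saved copy instead.
SAMPLE_INSTALL_CMD = rb"""@echo off
set "PS_ARGS=%*"
where curl >nul 2>&1 || exit /b 1
where powershell >nul 2>&1 || exit /b 1
set "TMP=%TEMP%\openclaw-install.ps1"
curl -fsSL https://openclaw.ai/install.ps1 -o "%TMP%"
powershell -NoProfile -ExecutionPolicy Bypass -File "%TMP%" %PS_ARGS%
del "%TMP%"
"""

URL_RE = re.compile(r"https?://[^\s\"'<>|&]+", re.IGNORECASE)
# -ExecutionPolicy is commonly abbreviated on the command line (-ex, -ep).
BYPASS_RE = re.compile(r"-(?:ex\w*|ep)\s+(?:bypass|unrestricted)\b", re.IGNORECASE)


def review_installer(data: bytes, pinned_sha256: Optional[str] = None) -> dict:
    """Summarise what a downloaded installer script would do, without running it."""
    text = data.decode("utf-8", errors="replace")
    digest = hashlib.sha256(data).hexdigest()
    pin_ok = pinned_sha256 is not None and hmac.compare_digest(
        digest, pinned_sha256.strip().lower()
    )
    return {
        "sha256": digest,
        "pin_ok": pin_ok,  # True only if it matches the hash of a reviewed copy
        "urls": sorted(set(URL_RE.findall(text))),  # everything it can fetch
        "policy_bypass": [  # PowerShell launches that override execution policy
            line.strip()
            for line in text.splitlines()
            if "powershell" in line.lower() and BYPASS_RE.search(line)
        ],
    }


def safe_to_run(report: dict, allowed_hosts=("openclaw.ai",)) -> bool:
    """Gate execution: hash matches the pin and every URL is HTTPS on an allowed host."""
    hosts_ok = all(
        urlsplit(u).scheme == "https" and urlsplit(u).hostname in allowed_hosts
        for u in report["urls"]
    )
    return bool(report["pin_ok"]) and hosts_ok


if __name__ == "__main__":
    report = review_installer(SAMPLE_INSTALL_CMD)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Note that the pin covers only install.cmd; install.ps1 is fetched at run time and needs its own review.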

II. Installation Process

2.1 One-Line Install Command

Open CMD or any terminal that supports CMD commands, then execute[1]:

curl -fsSL https://openclaw.ai/install.cmd -o install.cmd && install.cmd && del install.cmd

This command has three steps: download install.cmd -> execute installation -> delete the installation script. In our testing, we first ran with the --no-onboard parameter to record the onboard steps separately:

D:\Projects> install.cmd --no-onboard

  OpenClaw Installer

[OK] Windows detected
[OK] Node.js v24.13.1 found
[*] Installing OpenClaw (openclaw@latest)...
[OK] OpenClaw installed

OpenClaw installed successfully (2026.2.25)!

Home sweet home. Don't worry, I won't rearrange the furniture.

Skipping onboard (requested). Run openclaw onboard later.

The installer automatically detected that Node.js v24.13.1 was already installed on the system, skipped the Node.js installation step, and proceeded directly with global installation via npm install -g openclaw@latest. The entire process took approximately 30 seconds.

2.2 install.cmd Script Parameters Overview

| Parameter | Description | Default |
|---|---|---|
| --npm | Install via npm (default) | Yes |
| --git | Install from git checkout | No |
| --tag <ver> | Specify installation version | latest |
| --no-onboard | Skip onboarding | No |
| --no-git-update | Skip git pull (for git installs) | No |
| --dry-run | Show actions to be performed without actually installing | No |

2.3 Post-Installation Doctor Diagnostic Report

After installation, run openclaw doctor to verify the system status:

C:\Users\HYC> openclaw doctor

┌  OpenClaw doctor
│
◇  Gateway ─────────────────────────────────────────────
│  gateway.mode is unset; gateway start will be blocked.
│  Fix: run openclaw configure and set Gateway mode.
│  Missing config: run openclaw setup first.
├───────────────────────────────────────────────────────

◇  Gateway auth ────────────────────────────────────────
│  Gateway auth is off or missing a token. Token auth
│  is now the recommended default (including loopback).
├───────────────────────────────────────────────────────

◇  State integrity ────────────────────────────────────────────
│  - OAuth dir not present (~\.openclaw\credentials).
│  - CRITICAL: Session store dir missing
│    (~\.openclaw\agents\main\sessions).
├──────────────────────────────────────────────────────────────

◇  Skills status ──────────
│  Eligible: 9
│  Missing requirements: 43
│  Blocked by allowlist: 0
├──────────────────────────

◇  Plugins ────────
│  Loaded: 4
│  Disabled: 32
│  Errors: 0
├──────────────────

◇  Gateway ─────────────────
│  Gateway not running.
│  Gateway service not installed.
├───────────────────────────

◇  Memory search ──────────────────────────────────────────
│  Memory search is enabled but no embedding provider
│  is configured. Semantic recall will not work.
├──────────────────────────────────────────────────────────

└  Doctor complete.

This is the typical state for a fresh installation: Gateway not yet configured, service not registered, OAuth and Session directories not created. The subsequent openclaw onboard will address each of these items.

III. Onboard Interactive Setup Complete Record

The onboard wizard in OpenClaw 2026.2.25 has undergone significant changes compared to previous versions. Below is a step-by-step record of the complete interactive flow.

3.1 Security Disclaimer and Confirmation

The onboard begins with a security warning[4]:

C:\Users\HYC> openclaw onboard

🦞 OpenClaw 2026.2.25 (4b5d4a4)

┌  OpenClaw onboarding
│
◇  Security ──────────────────────────────────────────────
│  Security warning — please read.
│
│  OpenClaw is a hobby project and still in beta.
│  By default, OpenClaw is a personal agent: one trusted
│  operator boundary.
│  This bot can read files and run actions if tools
│  are enabled.
│
│  Recommended baseline:
│  - Pairing/allowlists + mention gating.
│  - Multi-user/shared inbox: split trust boundaries.
│  - Sandbox + least-privilege tools.
│  - Keep secrets out of the agent's reachable filesystem.
│
│  Must read: https://docs.openclaw.ai/gateway/security
├─────────────────────────────────────────────────────────
│
◇  Continue? Yes

This security disclaimer is a notable improvement in version 2026.2.25 -- it explicitly informs users that OpenClaw defaults to "one trusted operator boundary" and provides specific security hardening recommendations.

3.2 QuickStart Mode

After confirming the security disclaimer, the wizard asks about the onboarding mode. QuickStart is a new mode introduced in version 2026.2.25, completing Gateway basic setup with one click:

◇  Onboarding mode
│  QuickStart
│
◇  QuickStart ─────────────────────────╮
│                                      │
│  Gateway port: 18789                 │
│  Gateway bind: Loopback (127.0.0.1)  │
│  Gateway auth: Token (default)       │
│  Tailscale exposure: Off             │
│  Direct to chat channels.            │
│                                      │
├──────────────────────────────────────╯

QuickStart automatically configures four key settings:

3.3 Qwen OAuth Authorization Flow

After selecting Qwen as the model provider, the wizard initiates Device Code Flow authorization[10]:

◇  Model/auth provider
│  Qwen
│
◓  Starting Qwen OAuth…
│
◇  Qwen OAuth ──────────────────────────────────────────────
│  Open https://chat.qwen.ai/authorize?user_code=-DPGH765
│  &client=qwen-code to approve access.
│  If prompted, enter the code -DPGH765.
├───────────────────────────────────────────────────────────

◇  Qwen OAuth complete
│
◇  Model configured ─────────────────────────────╮
│  Default model set to qwen-portal/coder-model  │
├────────────────────────────────────────────────╯
│
◇  Provider notes ─────────────────────────────────────────
│  Qwen OAuth tokens auto-refresh. Re-run login if
│  refresh fails or access is revoked.
│  Base URL defaults to https://portal.qwen.ai/v1.
├──────────────────────────────────────────────────────────

How Device Code Flow works: the wizard displays an authorization URL and verification code. The user opens that URL in a browser, logs in to their Qwen account, and enters the verification code to complete authorization. There is absolutely no need to manually copy an API Key -- the token is automatically written to the configuration file and supports automatic refresh. This is the most painless way for OpenClaw to integrate free AI models.

3.4 Telegram Bot Token Setup

The wizard displays all available communication channels (Telegram, WhatsApp, Discord, Slack, Signal, and 23 other channels). We selected Telegram[5]:

◇  Select channel (QuickStart)
│  Telegram (Bot API)
│
◇  Telegram bot token ──────────────────────────────────
│  1) Open Telegram and chat with @BotFather
│  2) Run /newbot (or /mybots)
│  3) Copy the token (looks like 123456:ABC...)
│  Docs: https://docs.openclaw.ai/telegram
├───────────────────────────────────────────────────────
│
◇  Enter Telegram bot token
│  <YOUR_BOT_TOKEN>

Enter the Bot Token obtained from @BotFather[11], and the wizard automatically writes it to %USERPROFILE%\.openclaw\openclaw.json and enables the Telegram plugin.

Updated ~\.openclaw\openclaw.json
Workspace OK: ~\.openclaw\workspace
Sessions OK: ~\.openclaw\agents\main\sessions

3.5 Skills Detection and Installation

The wizard detects installable Skills and attempts to install missing dependencies[6]:

◇  Skills status ─────────────╮
│  Eligible: 9                │
│  Missing requirements: 35   │
│  Unsupported on this OS: 8  │
│  Blocked by allowlist: 0    │
├─────────────────────────────╯
│
◇  Install missing skill dependencies
│  🎮 gog, 🎙️ openai-whisper, 🗣️ sag
│
◇  Install failed: gog — brew not installed
◇  Install failed: sag — brew not installed
◇  Install failed: openai-whisper — brew not installed

Three Skills (gog, openai-whisper, sag) failed to install because their package manager dependency is Homebrew, and Homebrew is not available in native Windows environments. This is a known limitation of native Windows installation -- these Skills require WSL2 or macOS/Linux environments.

The wizard then asks for API Keys required by each Skill (Gemini, Notion, OpenAI, ElevenLabs), which we configured one by one.

3.6 Hooks Setup

Hooks are OpenClaw's automation mechanism -- executing predefined actions when specific events are triggered[7]:

◇  Hooks ──────────────────────────────────────────────────
│  Hooks let you automate actions when agent commands
│  are issued.
│  Example: Save session context to memory when you
│  issue /new or /reset.
│  Learn more: https://docs.openclaw.ai/automation/hooks
├──────────────────────────────────────────────────────────
│
◇  Enable hooks?
│  📝 command-logger, 💾 session-memory
│
◇  Hooks Configured ────────────────────────────────
│  Enabled 2 hooks: session-memory, command-logger  │
├───────────────────────────────────────────────────╯

We enabled two Hooks:

3.7 Gateway Service Installation (Fails Without Admin)

This is the only failure point in the onboard flow. The wizard attempts to register the Gateway as a Windows service:

◇  Gateway service runtime ────────────────────────────────
│  QuickStart uses Node for the Gateway service
│  (stable + supported).
├──────────────────────────────────────────────────────────
│
◇  Gateway service install failed.
│
◇  Gateway ───────────────────────────────────────────────────
│  Run PowerShell as Administrator or rerun without
│  installing the daemon.
├─────────────────────────────────────────────────────────────
│
◇  Gateway ────────────────────────────────────────────────────
│  Tip: rerun from an elevated PowerShell (Start → type
│  PowerShell → right-click → Run as administrator) or
│  skip service install.
├──────────────────────────────────────────────────────────────

Gateway service installation relies on the Windows schtasks tool under the hood[3], and schtasks /Create requires system administrator privileges. Our CMD was not running as administrator, so the installation was denied.

Solution: Skip the service installation and use foreground mode instead. Run openclaw gateway in another terminal window to start the Gateway:

C:\Users\HYC> openclaw gateway

🦞 OpenClaw 2026.2.25 (4b5d4a4)

23:26:11 [canvas] host mounted at http://127.0.0.1:18789/__openclaw__/canvas/
23:26:11 [heartbeat] started
23:26:11 [health-monitor] started (interval: 300s, grace: 60s)
23:26:11 [gateway] agent model: qwen-portal/coder-model
23:26:11 [gateway] listening on ws://127.0.0.1:18789, ws://[::1]:18789 (PID 17284)
23:26:11 [gateway] log file: \tmp\openclaw\openclaw-2026-02-27.log
23:26:11 [browser/server] Browser control listening on http://127.0.0.1:18791/ (auth=token)
23:26:12 [hooks:loader] Registered hook: boot-md -> gateway:startup
23:26:12 [hooks:loader] Registered hook: bootstrap-extra-files -> agent:bootstrap
23:26:12 [hooks:loader] Registered hook: command-logger -> command
23:26:12 [hooks:loader] Registered hook: session-memory -> command:new, command:reset
23:26:12 [hooks] loaded 4 internal hook handlers
23:26:14 [telegram] [default] starting provider (@openclaw4_1989_bot)
23:26:16 [gateway] device pairing auto-approved
23:26:16 [ws] webchat connected

The Gateway started successfully, listening on ws://127.0.0.1:18789, with the Telegram provider started and Dashboard WebSocket connection established. The only limitation of foreground mode is that closing the terminal window stops the service -- perfectly adequate for testing and feature verification. For persistence, refer to the three Gateway startup paths in the PowerShell installation article.
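To confirm that the Gateway and browser-control ports really are bound to loopback only, the listener table can be checked directly. This is an added example, not part of OpenClaw: it parses `netstat -ano` output and reports any listener on ports 18789 or 18791 that is bound to a non-loopback address. The sample output is constructed, and the function names are assumptions.

```python
import ipaddress
import subprocess

# Gateway (18789) and browser-control (18791) ports from the startup log above.
GATEWAY_PORTS = frozenset({18789, 18791})

# Constructed sample of `netstat -ano` output (English-locale Windows).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:18789        0.0.0.0:0              LISTENING       17284
  TCP    127.0.0.1:18791        0.0.0.0:0              LISTENING       17284
  TCP    [::1]:18789            [::]:0                 LISTENING       17284
  UDP    0.0.0.0:5353           *:*                                    2212
"""


def parse_listeners(netstat_text):
    """Yield (ip, port, pid) for every TCP row in LISTENING state."""
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] != "TCP" or cols[3] != "LISTENING":
            continue
        host, _, port = cols[1].rpartition(":")
        # IPv6 addresses are bracketed and may carry a %scope suffix.
        ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
        yield ip, int(port), int(cols[4])


def exposed_gateway_listeners(netstat_text, ports=GATEWAY_PORTS):
    """Return gateway listeners bound to anything other than loopback."""
    return [
        (str(ip), port, pid)
        for ip, port, pid in parse_listeners(netstat_text)
        if port in ports and not ip.is_loopback
    ]


if __name__ == "__main__":
    # Live check on the local machine; an empty result means loopback-only.
    live = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    for ip, port, pid in exposed_gateway_listeners(live):
        print(f"EXPOSED: {ip}:{port} (PID {pid})")
```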

3.8 Telegram Pairing

After the Gateway starts, send any message to your Bot in Telegram, and the Bot will reply with pairing information:

OpenClaw: access not configured.

Your Telegram user id: 1186367637

Pairing code: WR8XRQQA

Ask the bot owner to approve with:
openclaw pairing approve telegram WR8XRQQA

Execute the approval command in another terminal window:

C:\Users\HYC> openclaw pairing approve telegram WR8XRQQA

Approved telegram sender 1186367637.

Once pairing is complete, your Telegram account can communicate normally with the OpenClaw Bot. The pairing mechanism is OpenClaw's default security policy -- unapproved Telegram users cannot interact with the Bot, preventing unauthorized access[4].

3.9 Health Check and Dashboard

Before the Gateway starts, the onboard's Health Check will fail (because the Gateway is not yet running):

Health check failed: gateway closed (1006 abnormal closure
  (no close frame)): no close reason
  Gateway target: ws://127.0.0.1:18789
  Source: local loopback

After manually starting openclaw gateway, the Dashboard can connect normally:

◇  Dashboard ready ──────────────────────────────────────────────
│  Dashboard link (with token):
│  http://127.0.0.1:18789/#token=c64c519ab77de4e0c14584ea...
│  Opened in your browser.
├────────────────────────────────────────────────────────────────

IV. CMD vs PowerShell vs WSL2 Installation Comparison

The three installation paths on Windows each have their suitable scenarios[8]:

| Dimension | CMD Script | PowerShell | WSL2 |
|---|---|---|---|
| Install command | install.cmd | iwr \| iex | curl \| bash |
| Underlying mechanism | CMD -> PowerShell wrapper | Direct PowerShell | Native Shell |
| When ExecutionPolicy is restricted | Works (built-in Bypass) | Requires manual Bypass | Unaffected |
| Gateway persistence | schtasks (requires admin) | schtasks (requires admin) | systemd (no root needed) |
| Skills compatibility | Some Unix tools unavailable | Some Unix tools unavailable | Full Linux toolchain |
| Homebrew | Unavailable | Unavailable | Can be installed |
| Suitable scenarios | Restricted enterprise environments, CI/CD | General Windows users | Long-term deployment, full functionality |

Conclusion: CMD and PowerShell installations produce identical end results (both are npm install -g openclaw@latest); the only difference is that the CMD script provides the ability to bypass ExecutionPolicy. If your environment has no PowerShell restrictions, either option works. For complete Skills support and the Homebrew ecosystem, WSL2 remains the best choice.

V. Post-Onboard Doctor Report Analysis

Running openclaw doctor again after completing onboard reveals the changes from the initial post-installation state:

C:\Users\HYC> openclaw doctor

┌  OpenClaw doctor
│
◇  State integrity ────────────────────────────────────────
│  - CRITICAL: OAuth dir missing
│    (~\.openclaw\credentials).
├──────────────────────────────────────────────────────────

◇  Skills status ──────────
│  Eligible: 13
│  Missing requirements: 39
│  Blocked by allowlist: 0
├──────────────────────────

◇  Plugins ────────
│  Loaded: 6
│  Disabled: 30
│  Errors: 0
├──────────────────

◇  Gateway ─────────────────
│  Gateway not running.
├───────────────────────────

◇  Gateway connection ──────────────────────────
│  Gateway target: ws://127.0.0.1:18789
│  Source: local loopback
│  Config: C:\Users\HYC\.openclaw\openclaw.json
│  Bind: loopback
├───────────────────────────────────────────────

◇  Memory search ──────────────────────────────────────────
│  Memory search is enabled but no embedding provider
│  is configured.
├──────────────────────────────────────────────────────────

◇  Gateway ──────────────────────
│  Gateway service not installed.
├────────────────────────────────

└  Doctor complete.

Before vs. After Onboard Comparison:

| Item | Before Onboard | After Onboard | Change |
|---|---|---|---|
| Eligible Skills | 9 | 13 | +4 (enabled by API Key setup) |
| Missing Requirements | 43 | 39 | -4 |
| Loaded Plugins | 4 | 6 | +2 (Telegram + Hooks) |
| Disabled Plugins | 32 | 30 | -2 |
| Gateway mode | unset | local | Configured |
| Gateway auth | off | Token | Enabled |
| Session store | missing | OK | Created |

Remaining items:

Conclusion

The CMD installation path fills the last piece of the puzzle for OpenClaw on Windows. For enterprise environments with restricted PowerShell execution policies, install.cmd provides a zero-friction installation experience. Moreover, the 2026.2.25 onboard wizard -- particularly QuickStart mode and Qwen OAuth integration -- significantly reduces the complexity of first-time setup.

All three Windows installation paths are now fully documented: the PowerShell version, this article's CMD version, and the WSL2 deployment guide. To remove OpenClaw, refer to the Windows Complete Removal in Practice.