OpenClaw Config Doctor
Paste your OpenClaw config (JSON or YAML) and get instant diagnostics. Validates against the real schema, detects stale plugins, unsafe token limits across 27+ models, legacy keys, shell injection, and hardcoded secrets — then fixes them with one click.
What the Config Doctor Catches
Validated against the real OpenClaw Zod schema and codebase — PRs #53187, #53054, #53133, and the actual doctor repair sequencing.
Real Parsing & Schema Validation
Auto-detects JSON or YAML format, parses with a real parser (not regex), reports syntax errors with line numbers, and validates all top-level keys against the actual OpenClaw Zod schema.
Stale Plugin Detection
Compares plugins.allow and plugins.entries against the real OpenClaw plugin manifest registry. Flags removed, renamed, or unknown plugin IDs — matching the doctor command from PR #53187.
Multi-Provider maxTokens Guardrails
Validates maxTokens for 27+ models across Mistral, OpenAI, Anthropic, Google, xAI, DeepSeek, and more. Catches context-window-sized values that cause 422 errors (PR #53054).
Shell & Secret Security Audit
Flags unsafe shell-wrapper $0 patterns matching the real exec-approvals-allowlist (PR #53133), plus detects hardcoded API keys from 6 providers that should use environment variables.
One-Click Fixes via Parsed AST
Fixes operate on the parsed config object, not fragile string replacement. Fix individual issues or click "Fix all", then copy the corrected JSON output.
Legacy Key & Channel Migration
Detects real deprecated keys: routing.* subkey splits, identity migration, agent→agents rename, browser driver renames. Plus Telegram @username and Discord snowflake ID repairs.
Cross-Field Consistency Checks
Validates relationships between config sections — duplicate agent names, empty allow lists with entries, providers missing auth, wrong plugins.entries type, and gateway port ranges.
Run the Config Doctor
Paste your openclaw.json (or YAML) below. All checks run locally in your browser — nothing is sent to any server.
What the Config Doctor Checks
Format & parse validation
Core: Auto-detects JSON/YAML, parses with a real parser, and reports syntax errors with line numbers
Schema validation
Core: Validates top-level keys against the real OpenClaw Zod schema. Flags unknown or mistyped keys
Stale plugin references
PR #53187: Compares plugins.allow and plugins.entries against the known OpenClaw plugin registry
Model maxTokens guardrails
PR #53054: Validates maxTokens for Mistral (PR #53054) plus 20+ models from OpenAI, Anthropic, Google, xAI, and more
Shell wrapper security
PR #53133: Matches the real exec-approvals-allowlist validation — flags unsafe $0 patterns and eval usage
Legacy key migration
PR #53187: Detects real deprecated keys: routing.*, identity, agent (singular), browser driver renames
Secret detection
Security: Flags hardcoded API keys (OpenAI, Anthropic, OpenRouter, Groq, xAI, Google) that should use env vars
Channel policy checks
Various: Warns about open DM policies, Telegram @username issues, and Discord non-numeric IDs
Cross-field consistency
Various: Checks for duplicate agent names, empty allow lists with entries, and providers missing auth
Gateway validation
Core: Validates port ranges and warns about privileged ports requiring root access
Frequently Asked Questions
What is the OpenClaw Config Doctor?
The Config Doctor is a browser-based version of the openclaw doctor command. It validates your OpenClaw configuration against real issues from the codebase — stale plugin references, dangerous max-token defaults, legacy keys, shell security patterns, hardcoded secrets, and structural problems — then offers one-click fixes. All checks are based on actual OpenClaw PRs and the Zod config schema.
What format does OpenClaw use?
OpenClaw natively uses JSON, stored at ~/.openclaw/openclaw.json. The Config Doctor auto-detects both JSON and YAML and parses with a real parser (not regex), so you can paste either format. If you paste YAML, it will parse correctly and flag that OpenClaw expects JSON for production.
What issues does it detect?
It runs 10 categories of checks: JSON/YAML parse errors with line numbers, unknown top-level keys against the real Zod schema, stale plugin references (PR #53187), maxTokens validation for 27+ models across Mistral/OpenAI/Anthropic/Google/xAI/DeepSeek (PR #53054), shell wrapper security (PR #53133), legacy key migrations (routing.*, identity, agent singular, browser driver), hardcoded API keys for 6 providers, channel policy issues (open DM, Telegram @usernames, Discord IDs), duplicate agent names, and gateway port validation.
Is my config sent to any server?
No. All diagnostics run entirely in your browser using client-side JavaScript. Your configuration never leaves your machine — there are no API calls, no server-side processing, and no data collection. You can verify this in your browser's network tab.
What are the safe Mistral maxTokens values?
Based on PR #53054: mistral-large-latest → 16,384 (not 262,144), devstral-medium-latest → 32,768 (not 262,144), magistral-small → 40,000 (not 128,000), mistral-medium-2508 → 8,192 (not 262,144), mistral-small-latest → 16,384, pixtral-large-latest → 32,768 (not 128,000), codestral-latest → 4,096 (not 32,768). Setting maxTokens to the full context window causes Mistral to interpret it as the output budget, triggering 422 errors.
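The guardrail described in this answer can be reproduced offline with a short script. The following is an added example, not code from the Config Doctor or from OpenClaw: it walks a parsed config, flags maxTokens values above the caps listed above, and clamps them on the parsed object before re-serializing. The function names, the `id`/`model` field names and the nesting of the sample config are assumptions made for illustration.

```javascript
// Safe output caps copied from the FAQ answer above (values this page attributes to PR #53054).
const SAFE_MAX_TOKENS = {
  "mistral-large-latest": 16384,
  "devstral-medium-latest": 32768,
  "magistral-small": 40000,
  "mistral-medium-2508": 8192,
  "mistral-small-latest": 16384,
  "pixtral-large-latest": 32768,
  "codestral-latest": 4096,
};
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Assumption: a model entry is any object with a string `id` (or `model`) plus a
// `maxTokens` field. The walk is shape-agnostic, so it does not depend on where
// the real schema nests model definitions.
function auditMaxTokens(node, path = "$", findings = []) {
  if (node === null || typeof node !== "object") return findings;
  if (!Array.isArray(node)) {
    const id = typeof node.id === "string" ? node.id : node.model;
    if (typeof id === "string" && hasOwn(SAFE_MAX_TOKENS, id) && hasOwn(node, "maxTokens")) {
      const cap = SAFE_MAX_TOKENS[id];
      const value = node.maxTokens;
      const reason = !Number.isInteger(value) || value <= 0 ? "not a positive integer"
        : value > cap ? "exceeds safe output cap" : null;
      if (reason) findings.push({ path: `${path}.maxTokens`, model: id, value, cap, reason, node });
    }
  }
  for (const [key, child] of Object.entries(node)) {
    auditMaxTokens(child, Array.isArray(node) ? `${path}[${key}]` : `${path}.${key}`, findings);
  }
  return findings;
}

// Fix on the parsed object, never on the raw text, then re-serialize as JSON.
function fixMaxTokens(configText) {
  const config = JSON.parse(configText); // throws SyntaxError on malformed input
  const findings = auditMaxTokens(config);
  for (const f of findings) f.node.maxTokens = f.cap;
  const report = findings.map(({ node, ...rest }) => rest);
  return { report, fixed: JSON.stringify(config, null, 2) };
}

// Constructed sample; the nesting is hypothetical, not OpenClaw's documented layout.
const SAMPLE = JSON.stringify({
  models: { providers: { mistral: { models: [
    { id: "mistral-large-latest", maxTokens: 262144 }, // context-window-sized
    { id: "codestral-latest", maxTokens: 4096 },       // already safe
    { id: "magistral-small", maxTokens: "128000" },    // wrong type
  ] } } },
});
console.log(fixMaxTokens(SAMPLE).report);
```

Model IDs that are not in the table are left untouched, so the check never rewrites a value it has no cap for.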
Can I use this with Docker or self-hosted OpenClaw configs?
Yes. The Config Doctor works with any OpenClaw configuration regardless of deployment method — Docker, Mac Mini, VPS, or cloud. Paste the contents of your openclaw.json (or YAML equivalent) and the tool will identify issues specific to your setup. Fixes are applied to the parsed config object and re-serialized as clean JSON.