Skip to main content
OpenClaw is optional. If you want to run a repo-local harness or your own local agent command, see harness configuration.

Local OpenClaw sandbox

--sandbox runs your agent inside an isolated container. A TLS proxy reroutes supported service domains (GitHub, Slack, Stripe, Jira, Linear, Supabase) to hosted twins, so an existing OpenClaw agent works against twins without code changes. 
archal login
archal run scenarios/security-suite/exec-impersonation.md --sandbox -n 3
Full setup, flags, and supported domains live in Sandbox mode.

Remote OpenClaw gateway

If your agent already runs behind an OpenClaw-compatible /v1/responses endpoint, point archal run at it with --engine-endpoint. You’ll also need --engine-token (or ARCHAL_ENGINE_TOKEN) — API-mode runs without engine auth fail at startup. When your gateway can’t reach the default hosted twin URLs, override them with --engine-twin-urls; use --api-base-urls / --api-proxy-url for non-MCP HTTP paths. Archal stays responsible for hosted twins and evaluation; your gateway stays responsible for execution.