Where to get OpenClaw: the official site, docs, and downloads
openclaw.ai, docs.openclaw.ai, the GitHub org, and ClawHub are the real sources — and a crowd of lookalike sites isn't. How to verify what you're installing.
The official sources are: openclaw.ai (the project site), docs.openclaw.ai (documentation), the openclaw organization on GitHub (source code and releases), ghcr.io/openclaw/openclaw (Docker images), the openclaw package on npm, and clawhub.ai (the skill registry). Anything else — however official it looks — is a third party.
Why this question is worth a page
Search for OpenClaw documentation and you’ll find a crowd of lookalike sites — “openclaw docs” mirrors, skill directories, install guides on domains that sound plausibly official. Most are SEO plays; some are harmless fan sites; any of them could serve you a modified install command. For ordinary software that’s an annoyance. For an agent that will hold your model key, read your messages, and run commands on a machine, the difference between the real artifact and a tampered one is the whole security story — trust starts at the download.
The real sources, and what each is for
- openclaw.ai — the project’s home: positioning, quick-start, links onward. Started by Peter Steinberger; governed by the non-profit OpenClaw Foundation.
- docs.openclaw.ai — the documentation. When any guide (including ours) disagrees with it, the docs win; the project moves fast and the docs move with it.
- github.com/openclaw — source code, releases, and security advisories. The repository is the ground truth for what the software is.
- npm (
openclaw) andghcr.io/openclaw/openclaw— the install artifacts: the npm package and the container images published from that GitHub organization. - clawhub.ai — the official registry for skills and plugins. Official registry, community-published contents — a distinction with real security weight.
Three habits that make verification automatic
- Install from the artifact, not from a blog. Type
npm install -g openclaw@latestyourself rather than pasting a command block from a third-party tutorial — the command is short precisely so you can. If a guide’s install line differs from the official docs’ line, believe the docs. - Check the publisher, not the look. Docker images should come from the
openclaworganization on ghcr.io (or its Docker Hub mirror), npm packages from theopenclawname — a convincing website can’t fake the registry namespace. - Let the address bar be the test. openclaw.ai, docs.openclaw.ai, github.com/openclaw, clawhub.ai. Hyphenated variants, different TLDs, and “openclaw something” domains are not the project — including, we should say plainly, everpod.ai: we’re an independent hosting company that runs OpenClaw for people, not the OpenClaw project.
None of this requires cryptographic ceremony — the namespace checks above are thirty seconds of attention, once. They’re the same checks we make before anything lands on a customer pod: pinned official images, from the official registry, verified against the official docs.