[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74758":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":16,"forks30d":16,"starsTrendScore":16,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":16,"starSnapshotCount":16,"syncStatus":29,"lastSyncTime":30,"discoverSource":31},74758,"moltworker","cloudflare\u002Fmoltworker","cloudflare","Run OpenClaw, (formerly Moltbot, formerly Clawdbot) on Cloudflare Workers","https:\u002F\u002Fblog.cloudflare.com\u002Fmoltworker-self-hosted-ai-agent\u002F",null,"TypeScript",9909,1773,47,63,0,3,23,69.55,"Apache License 2.0",false,"main",[24,25],"ai-agents","cloudflare-workers","2026-06-12 04:01:15","# OpenClaw on Cloudflare Workers\n\nRun [OpenClaw](https:\u002F\u002Fgithub.com\u002Fopenclaw\u002Fopenclaw) (formerly Moltbot, formerly Clawdbot) personal AI assistant in a [Cloudflare Sandbox](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fsandbox\u002F).\n\n![moltworker architecture](.\u002Fassets\u002Flogo.png)\n\n> **Experimental:** This is a proof of concept demonstrating that OpenClaw can run in Cloudflare Sandbox. It is not officially supported and may break without notice. Use at your own risk.\n\n[![Deploy to Cloudflare](https:\u002F\u002Fdeploy.workers.cloudflare.com\u002Fbutton)](https:\u002F\u002Fdeploy.workers.cloudflare.com\u002F?url=https:\u002F\u002Fgithub.com\u002Fcloudflare\u002Fmoltworker)\n\n## Requirements\n\n- [Workers Paid plan](https:\u002F\u002Fwww.cloudflare.com\u002Fplans\u002Fdeveloper-platform\u002F) ($5 USD\u002Fmonth) — required for Cloudflare Sandbox containers. Running the container incurs additional compute costs; see [Container Cost Estimate](#container-cost-estimate) below for details.\n- [Anthropic API key](https:\u002F\u002Fconsole.anthropic.com\u002F) — for Claude access, or you can use AI Gateway's [Unified Billing](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fai-gateway\u002Ffeatures\u002Funified-billing\u002F)\n\nThe following Cloudflare features used by this project have free tiers:\n- Cloudflare Access (authentication)\n- Browser Rendering (for browser navigation)\n- AI Gateway (optional, for API routing\u002Fanalytics)\n- R2 Storage (optional, for persistence)\n\n## Container Cost Estimate\n\nThis project uses a `standard-1` Cloudflare Container instance (1\u002F2 vCPU, 4 GiB memory, 8 GB disk). Below are approximate monthly costs assuming the container runs 24\u002F7, based on [Cloudflare Containers pricing](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fcontainers\u002Fpricing\u002F):\n\n| Resource | Provisioned | Monthly Usage | Included Free | Overage | Approx. Cost |\n|----------|-------------|---------------|---------------|---------|--------------|\n| Memory | 4 GiB | 2,920 GiB-hrs | 25 GiB-hrs | 2,895 GiB-hrs | ~$26\u002Fmo |\n| CPU (at ~10% utilization) | 1\u002F2 vCPU | ~2,190 vCPU-min | 375 vCPU-min | ~1,815 vCPU-min | ~$2\u002Fmo |\n| Disk | 8 GB | 5,840 GB-hrs | 200 GB-hrs | 5,640 GB-hrs | ~$1.50\u002Fmo |\n| Workers Paid plan | | | | | $5\u002Fmo |\n| **Total** | | | | | **~$34.50\u002Fmo** |\n\nNotes:\n- CPU is billed on **active usage only**, not provisioned capacity. The 10% utilization estimate is a rough baseline for a lightly-used personal assistant; your actual cost will vary with usage.\n- Memory and disk are billed on **provisioned capacity** for the full time the container is running.\n- To reduce costs, configure `SANDBOX_SLEEP_AFTER` (e.g., `10m`) so the container sleeps when idle. A container that only runs 4 hours\u002Fday would cost roughly ~$5-6\u002Fmo in compute on top of the $5 plan fee.\n- Network egress, Workers\u002FDurable Objects requests, and logs are additional but typically minimal for personal use.\n- See the [instance types table](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fcontainers\u002Fpricing\u002F) for other options (e.g., `lite` at 256 MiB\u002F$0.50\u002Fmo memory or `standard-4` at 12 GiB for heavier workloads).\n\n## What is OpenClaw?\n\n[OpenClaw](https:\u002F\u002Fgithub.com\u002Fopenclaw\u002Fopenclaw) (formerly Moltbot, formerly Clawdbot) is a personal AI assistant with a gateway architecture that connects to multiple chat platforms. Key features:\n\n- **Control UI** - Web-based chat interface at the gateway\n- **Multi-channel support** - Telegram, Discord, Slack\n- **Device pairing** - Secure DM authentication requiring explicit approval\n- **Persistent conversations** - Chat history and context across sessions\n- **Agent runtime** - Extensible AI capabilities with workspace and skills\n\nThis project packages OpenClaw to run in a [Cloudflare Sandbox](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fsandbox\u002F) container, providing a fully managed, always-on deployment without needing to self-host. Optional R2 storage enables persistence across container restarts.\n\n## Architecture\n\n![moltworker architecture](.\u002Fassets\u002Farchitecture.png)\n\n## Quick Start\n\n_Cloudflare Sandboxes are available on the [Workers Paid plan](https:\u002F\u002Fdash.cloudflare.com\u002F?to=\u002F:account\u002Fworkers\u002Fplans)._\n\n```bash\n# Install dependencies\nnpm install\n\n# Set your API key (direct Anthropic access)\nnpx wrangler secret put ANTHROPIC_API_KEY\n\n# Or use Cloudflare AI Gateway instead (see \"Optional: Cloudflare AI Gateway\" below)\n# npx wrangler secret put CLOUDFLARE_AI_GATEWAY_API_KEY\n# npx wrangler secret put CF_AI_GATEWAY_ACCOUNT_ID\n# npx wrangler secret put CF_AI_GATEWAY_GATEWAY_ID\n\n# Generate and set a gateway token (required for remote access)\n# Save this token - you'll need it to access the Control UI\nexport MOLTBOT_GATEWAY_TOKEN=$(openssl rand -hex 32)\necho \"Your gateway token: $MOLTBOT_GATEWAY_TOKEN\"\necho \"$MOLTBOT_GATEWAY_TOKEN\" | npx wrangler secret put MOLTBOT_GATEWAY_TOKEN\n\n# Deploy\nnpm run deploy\n```\n\nAfter deploying, open the Control UI with your token:\n\n```\nhttps:\u002F\u002Fyour-worker.workers.dev\u002F?token=YOUR_GATEWAY_TOKEN\n```\n\nReplace `your-worker` with your actual worker subdomain and `YOUR_GATEWAY_TOKEN` with the token you generated above.\n\n**Note:** The first request may take 1-2 minutes while the container starts.\n\n> **Important:** You will not be able to use the Control UI until you complete the following steps. You MUST:\n> 1. [Set up Cloudflare Access](#setting-up-the-admin-ui) to protect the admin UI\n> 2. [Pair your device](#device-pairing) via the admin UI at `\u002F_admin\u002F`\n\nYou'll also likely want to [enable R2 storage](#persistent-storage-r2) so your paired devices and conversation history persist across container restarts (optional but recommended).\n\n## Setting Up the Admin UI\n\nTo use the admin UI at `\u002F_admin\u002F` for device management, you need to:\n1. Enable Cloudflare Access on your worker\n2. Set the Access secrets so the worker can validate JWTs\n\n### 1. Enable Cloudflare Access on workers.dev\n\nThe easiest way to protect your worker is using the built-in Cloudflare Access integration for workers.dev:\n\n1. Go to the [Workers & Pages dashboard](https:\u002F\u002Fdash.cloudflare.com\u002F?to=\u002F:account\u002Fworkers-and-pages)\n2. Select your Worker (e.g., `moltbot-sandbox`)\n3. In **Settings**, under **Domains & Routes**, in the `workers.dev` row, click the meatballs menu (`...`)\n4. Click **Enable Cloudflare Access**\n5. Copy the values shown in the dialog (you'll need the AUD tag later). **Note:** The \"Manage Cloudflare Access\" link in the dialog may 404 — ignore it.\n6. To configure who can access, go to **Zero Trust** in the Cloudflare dashboard sidebar → **Access** → **Applications**, and find your worker's application:\n   - Add your email address to the allow list\n   - Or configure other identity providers (Google, GitHub, etc.)\n7. Copy the **Application Audience (AUD)** tag from the Access application settings. This will be your `CF_ACCESS_AUD` in Step 2 below\n\n### 2. Set Access Secrets\n\nAfter enabling Cloudflare Access, set the secrets so the worker can validate JWTs:\n\n```bash\n# Your Cloudflare Access team domain (e.g., \"myteam.cloudflareaccess.com\")\nnpx wrangler secret put CF_ACCESS_TEAM_DOMAIN\n\n# The Application Audience (AUD) tag from your Access application that you copied in the step above\nnpx wrangler secret put CF_ACCESS_AUD\n```\n\nYou can find your team domain in the [Zero Trust Dashboard](https:\u002F\u002Fone.dash.cloudflare.com\u002F) under **Settings** > **Custom Pages** (it's the subdomain before `.cloudflareaccess.com`).\n\n### 3. Redeploy\n\n```bash\nnpm run deploy\n```\n\nNow visit `\u002F_admin\u002F` and you'll be prompted to authenticate via Cloudflare Access before accessing the admin UI.\n\n### Alternative: Manual Access Application\n\nIf you prefer more control, you can manually create an Access application:\n\n1. Go to [Cloudflare Zero Trust Dashboard](https:\u002F\u002Fone.dash.cloudflare.com\u002F)\n2. Navigate to **Access** > **Applications**\n3. Create a new **Self-hosted** application\n4. Set the application domain to your Worker URL (e.g., `moltbot-sandbox.your-subdomain.workers.dev`)\n5. Add paths to protect: `\u002F_admin\u002F*`, `\u002Fapi\u002F*`, `\u002Fdebug\u002F*`\n6. Configure your desired identity providers (e.g., email OTP, Google, GitHub)\n7. Copy the **Application Audience (AUD)** tag and set the secrets as shown above\n\n### Local Development\n\nFor local development, create a `.dev.vars` file with:\n\n```bash\nDEV_MODE=true               # Skip Cloudflare Access auth + bypass device pairing\nDEBUG_ROUTES=true           # Enable \u002Fdebug\u002F* routes (optional)\n```\n\n## Authentication\n\nBy default, moltbot uses **device pairing** for authentication. When a new device (browser, CLI, etc.) connects, it must be approved via the admin UI at `\u002F_admin\u002F`.\n\n### Device Pairing\n\n1. A device connects to the gateway\n2. The connection is held pending until approved\n3. An admin approves the device via `\u002F_admin\u002F`\n4. The device is now paired and can connect freely\n\nThis is the most secure option as it requires explicit approval for each device.\n\n### Gateway Token (Required)\n\nA gateway token is required to access the Control UI when hosted remotely. Pass it as a query parameter:\n\n```\nhttps:\u002F\u002Fyour-worker.workers.dev\u002F?token=YOUR_TOKEN\nwss:\u002F\u002Fyour-worker.workers.dev\u002Fws?token=YOUR_TOKEN\n```\n\n**Note:** Even with a valid token, new devices still require approval via the admin UI at `\u002F_admin\u002F` (see Device Pairing above).\n\nFor local development only, set `DEV_MODE=true` in `.dev.vars` to skip Cloudflare Access authentication and enable `allowInsecureAuth` (bypasses device pairing entirely).\n\n## Persistent Storage (R2)\n\nBy default, moltbot data (configs, paired devices, conversation history) is lost when the container restarts. To enable persistent storage across sessions, configure R2:\n\n### 1. Create R2 API Token\n\n1. Go to **R2** > **Overview** in the [Cloudflare Dashboard](https:\u002F\u002Fdash.cloudflare.com\u002F)\n2. Click **Manage R2 API Tokens**\n3. Create a new token with **Object Read & Write** permissions\n4. Select the `moltbot-data` bucket (created automatically on first deploy)\n5. Copy the **Access Key ID** and **Secret Access Key**\n\n### 2. Set Secrets\n\n```bash\n# R2 Access Key ID\nnpx wrangler secret put R2_ACCESS_KEY_ID\n\n# R2 Secret Access Key\nnpx wrangler secret put R2_SECRET_ACCESS_KEY\n\n# Your Cloudflare Account ID\nnpx wrangler secret put CF_ACCOUNT_ID\n```\n\nTo find your Account ID: Go to the [Cloudflare Dashboard](https:\u002F\u002Fdash.cloudflare.com\u002F), click the three dots menu next to your account name, and select \"Copy Account ID\".\n\n### How It Works\n\nR2 storage uses a backup\u002Frestore approach for simplicity:\n\n**On container startup:**\n- If R2 is mounted and contains backup data, it's restored to the moltbot config directory\n- OpenClaw uses its default paths (no special configuration needed)\n\n**During operation:**\n- A cron job runs every 5 minutes to sync the moltbot config to R2\n- You can also trigger a manual backup from the admin UI at `\u002F_admin\u002F`\n\n**In the admin UI:**\n- When R2 is configured, you'll see \"Last backup: [timestamp]\"\n- Click \"Backup Now\" to trigger an immediate sync\n\nWithout R2 credentials, moltbot still works but uses ephemeral storage (data lost on container restart).\n\n## Container Lifecycle\n\nBy default, the sandbox container stays alive indefinitely (`SANDBOX_SLEEP_AFTER=never`). This is recommended because cold starts take 1-2 minutes.\n\nTo reduce costs for infrequently used deployments, you can configure the container to sleep after a period of inactivity:\n\n```bash\nnpx wrangler secret put SANDBOX_SLEEP_AFTER\n# Enter: 10m (or 1h, 30m, etc.)\n```\n\nWhen the container sleeps, the next request will trigger a cold start. If you have R2 storage configured, your paired devices and data will persist across restarts.\n\n## Admin UI\n\n![admin ui](.\u002Fassets\u002Fadminui.png)\n\nAccess the admin UI at `\u002F_admin\u002F` to:\n- **R2 Storage Status** - Shows if R2 is configured, last backup time, and a \"Backup Now\" button\n- **Restart Gateway** - Kill and restart the moltbot gateway process\n- **Device Pairing** - View pending requests, approve devices individually or all at once, view paired devices\n\nThe admin UI requires Cloudflare Access authentication (or `DEV_MODE=true` for local development).\n\n## Debug Endpoints\n\nDebug endpoints are available at `\u002Fdebug\u002F*` when enabled (requires `DEBUG_ROUTES=true` and Cloudflare Access):\n\n- `GET \u002Fdebug\u002Fprocesses` - List all container processes\n- `GET \u002Fdebug\u002Flogs?id=\u003Cprocess_id>` - Get logs for a specific process\n- `GET \u002Fdebug\u002Fversion` - Get container and moltbot version info\n\n## Optional: Chat Channels\n\n### Telegram\n\n```bash\nnpx wrangler secret put TELEGRAM_BOT_TOKEN\nnpm run deploy\n```\n\n### Discord\n\n```bash\nnpx wrangler secret put DISCORD_BOT_TOKEN\nnpm run deploy\n```\n\n### Slack\n\n```bash\nnpx wrangler secret put SLACK_BOT_TOKEN\nnpx wrangler secret put SLACK_APP_TOKEN\nnpm run deploy\n```\n\n## Optional: Browser Automation (CDP)\n\nThis worker includes a Chrome DevTools Protocol (CDP) shim that enables browser automation capabilities. This allows OpenClaw to control a headless browser for tasks like web scraping, screenshots, and automated testing.\n\n### Setup\n\n1. Set a shared secret for authentication:\n\n```bash\nnpx wrangler secret put CDP_SECRET\n# Enter a secure random string\n```\n\n2. Set your worker's public URL:\n\n```bash\nnpx wrangler secret put WORKER_URL\n# Enter: https:\u002F\u002Fyour-worker.workers.dev\n```\n\n3. Redeploy:\n\n```bash\nnpm run deploy\n```\n\n### Endpoints\n\n| Endpoint | Description |\n|----------|-------------|\n| `GET \u002Fcdp\u002Fjson\u002Fversion` | Browser version information |\n| `GET \u002Fcdp\u002Fjson\u002Flist` | List available browser targets |\n| `GET \u002Fcdp\u002Fjson\u002Fnew` | Create a new browser target |\n| `WS \u002Fcdp\u002Fdevtools\u002Fbrowser\u002F{id}` | WebSocket connection for CDP commands |\n\nAll endpoints require authentication via the `?secret=\u003CCDP_SECRET>` query parameter.\n\n## Built-in Skills\n\nThe container includes pre-installed skills in `\u002Froot\u002Fclawd\u002Fskills\u002F`:\n\n### cloudflare-browser\n\nBrowser automation via the CDP shim. Requires `CDP_SECRET` and `WORKER_URL` to be set (see [Browser Automation](#optional-browser-automation-cdp) above).\n\n**Scripts:**\n- `screenshot.js` - Capture a screenshot of a URL\n- `video.js` - Create a video from multiple URLs\n- `cdp-client.js` - Reusable CDP client library\n\n**Usage:**\n```bash\n# Screenshot\nnode \u002Froot\u002Fclawd\u002Fskills\u002Fcloudflare-browser\u002Fscripts\u002Fscreenshot.js https:\u002F\u002Fexample.com output.png\n\n# Video from multiple URLs\nnode \u002Froot\u002Fclawd\u002Fskills\u002Fcloudflare-browser\u002Fscripts\u002Fvideo.js \"https:\u002F\u002Fsite1.com,https:\u002F\u002Fsite2.com\" output.mp4 --scroll\n```\n\nSee `skills\u002Fcloudflare-browser\u002FSKILL.md` for full documentation.\n\n## Optional: Cloudflare AI Gateway\n\nYou can route API requests through [Cloudflare AI Gateway](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fai-gateway\u002F) for caching, rate limiting, analytics, and cost tracking. OpenClaw has native support for Cloudflare AI Gateway as a first-class provider.\n\nAI Gateway acts as a proxy between OpenClaw and your AI provider (e.g., Anthropic). Requests are sent to `https:\u002F\u002Fgateway.ai.cloudflare.com\u002Fv1\u002F{account_id}\u002F{gateway_id}\u002Fanthropic` instead of directly to `api.anthropic.com`, giving you Cloudflare's analytics, caching, and rate limiting. You still need a provider API key (e.g., your Anthropic API key) — the gateway forwards it to the upstream provider.\n\n### Setup\n\n1. Create an AI Gateway in the [AI Gateway section](https:\u002F\u002Fdash.cloudflare.com\u002F?to=\u002F:account\u002Fai\u002Fai-gateway\u002Fcreate-gateway) of the Cloudflare Dashboard.\n2. Set the three required secrets:\n\n```bash\n# Your AI provider's API key (e.g., your Anthropic API key).\n# This is passed through the gateway to the upstream provider.\nnpx wrangler secret put CLOUDFLARE_AI_GATEWAY_API_KEY\n\n# Your Cloudflare account ID\nnpx wrangler secret put CF_AI_GATEWAY_ACCOUNT_ID\n\n# Your AI Gateway ID (from the gateway overview page)\nnpx wrangler secret put CF_AI_GATEWAY_GATEWAY_ID\n```\n\nAll three are required. OpenClaw constructs the gateway URL from the account ID and gateway ID, and passes the API key to the upstream provider through the gateway.\n\n3. Redeploy:\n\n```bash\nnpm run deploy\n```\n\nWhen Cloudflare AI Gateway is configured, it takes precedence over direct `ANTHROPIC_API_KEY` or `OPENAI_API_KEY`.\n\n### Choosing a Model\n\nBy default, AI Gateway uses Anthropic's Claude Sonnet 4.5. To use a different model or provider, set `CF_AI_GATEWAY_MODEL` with the format `provider\u002Fmodel-id`:\n\n```bash\nnpx wrangler secret put CF_AI_GATEWAY_MODEL\n# Enter: workers-ai\u002F@cf\u002Fmeta\u002Fllama-3.3-70b-instruct-fp8-fast\n```\n\nThis works with any [AI Gateway provider](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fai-gateway\u002Fusage\u002Fproviders\u002F):\n\n| Provider | Example `CF_AI_GATEWAY_MODEL` value | API key is... |\n|----------|-------------------------------------|---------------|\n| Workers AI | `workers-ai\u002F@cf\u002Fmeta\u002Fllama-3.3-70b-instruct-fp8-fast` | Cloudflare API token |\n| OpenAI | `openai\u002Fgpt-4o` | OpenAI API key |\n| Anthropic | `anthropic\u002Fclaude-sonnet-4-5` | Anthropic API key |\n| Groq | `groq\u002Fllama-3.3-70b` | Groq API key |\n\n**Note:** `CLOUDFLARE_AI_GATEWAY_API_KEY` must match the provider you're using — it's your provider's API key, forwarded through the gateway. You can only use one provider at a time through the gateway. For multiple providers, use direct keys (`ANTHROPIC_API_KEY`, `OPENAI_API_KEY`) alongside the gateway config.\n\n#### Workers AI with Unified Billing\n\nWith [Unified Billing](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fai-gateway\u002Ffeatures\u002Funified-billing\u002F), you can use Workers AI models without a separate provider API key — Cloudflare bills you directly. Set `CLOUDFLARE_AI_GATEWAY_API_KEY` to your [AI Gateway authentication token](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fai-gateway\u002Fconfiguration\u002Fauthentication\u002F) (the `cf-aig-authorization` token).\n\n### Legacy AI Gateway Configuration\n\nThe previous `AI_GATEWAY_API_KEY` + `AI_GATEWAY_BASE_URL` approach is still supported for backward compatibility but is deprecated in favor of the native configuration above.\n\n## All Secrets Reference\n\n| Secret | Required | Description |\n|--------|----------|-------------|\n| `CLOUDFLARE_AI_GATEWAY_API_KEY` | Yes* | Your AI provider's API key, passed through the gateway (e.g., your Anthropic API key). Requires `CF_AI_GATEWAY_ACCOUNT_ID` and `CF_AI_GATEWAY_GATEWAY_ID` |\n| `CF_AI_GATEWAY_ACCOUNT_ID` | Yes* | Your Cloudflare account ID (used to construct the gateway URL) |\n| `CF_AI_GATEWAY_GATEWAY_ID` | Yes* | Your AI Gateway ID (used to construct the gateway URL) |\n| `CF_AI_GATEWAY_MODEL` | No | Override default model: `provider\u002Fmodel-id` (e.g. `workers-ai\u002F@cf\u002Fmeta\u002Fllama-3.3-70b-instruct-fp8-fast`). See [Choosing a Model](#choosing-a-model) |\n| `ANTHROPIC_API_KEY` | Yes* | Direct Anthropic API key (alternative to AI Gateway) |\n| `ANTHROPIC_BASE_URL` | No | Direct Anthropic API base URL |\n| `OPENAI_API_KEY` | No | OpenAI API key (alternative provider) |\n| `AI_GATEWAY_API_KEY` | No | Legacy AI Gateway API key (deprecated, use `CLOUDFLARE_AI_GATEWAY_API_KEY` instead) |\n| `AI_GATEWAY_BASE_URL` | No | Legacy AI Gateway endpoint URL (deprecated) |\n| `CF_ACCESS_TEAM_DOMAIN` | Yes* | Cloudflare Access team domain (required for admin UI) |\n| `CF_ACCESS_AUD` | Yes* | Cloudflare Access application audience (required for admin UI) |\n| `MOLTBOT_GATEWAY_TOKEN` | Yes | Gateway token for authentication (pass via `?token=` query param) |\n| `DEV_MODE` | No | Set to `true` to skip CF Access auth + device pairing (local dev only) |\n| `DEBUG_ROUTES` | No | Set to `true` to enable `\u002Fdebug\u002F*` routes |\n| `SANDBOX_SLEEP_AFTER` | No | Container sleep timeout: `never` (default) or duration like `10m`, `1h` |\n| `R2_ACCESS_KEY_ID` | No | R2 access key for persistent storage |\n| `R2_SECRET_ACCESS_KEY` | No | R2 secret key for persistent storage |\n| `CF_ACCOUNT_ID` | No | Cloudflare account ID (required for R2 storage) |\n| `TELEGRAM_BOT_TOKEN` | No | Telegram bot token |\n| `TELEGRAM_DM_POLICY` | No | Telegram DM policy: `pairing` (default) or `open` |\n| `DISCORD_BOT_TOKEN` | No | Discord bot token |\n| `DISCORD_DM_POLICY` | No | Discord DM policy: `pairing` (default) or `open` |\n| `SLACK_BOT_TOKEN` | No | Slack bot token |\n| `SLACK_APP_TOKEN` | No | Slack app token |\n| `CDP_SECRET` | No | Shared secret for CDP endpoint authentication (see [Browser Automation](#optional-browser-automation-cdp)) |\n| `WORKER_URL` | No | Public URL of the worker (required for CDP) |\n\n## Security Considerations\n\n### Authentication Layers\n\nOpenClaw in Cloudflare Sandbox uses multiple authentication layers:\n\n1. **Cloudflare Access** - Protects admin routes (`\u002F_admin\u002F`, `\u002Fapi\u002F*`, `\u002Fdebug\u002F*`). Only authenticated users can manage devices.\n\n2. **Gateway Token** - Required to access the Control UI. Pass via `?token=` query parameter. Keep this secret.\n\n3. **Device Pairing** - Each device (browser, CLI, chat platform DM) must be explicitly approved via the admin UI before it can interact with the assistant. This is the default \"pairing\" DM policy.\n\n## Troubleshooting\n\n**`npm run dev` fails with an `Unauthorized` error:** You need to enable Cloudflare Containers in the [Containers dashboard](https:\u002F\u002Fdash.cloudflare.com\u002F?to=\u002F:account\u002Fworkers\u002Fcontainers)\n\n**Gateway fails to start:** Check `npx wrangler secret list` and `npx wrangler tail`\n\n**Config changes not working:** Edit the `# Build cache bust:` comment in `Dockerfile` and redeploy\n\n**Slow first request:** Cold starts take 1-2 minutes. Subsequent requests are faster.\n\n**R2 not mounting:** Check that all three R2 secrets are set (`R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY`, `CF_ACCOUNT_ID`). Note: R2 mounting only works in production, not with `wrangler dev`.\n\n**Access denied on admin routes:** Ensure `CF_ACCESS_TEAM_DOMAIN` and `CF_ACCESS_AUD` are set, and that your Cloudflare Access application is configured correctly.\n\n**Devices not appearing in admin UI:** Device list commands take 10-15 seconds due to WebSocket connection overhead. Wait and refresh.\n\n**WebSocket issues in local development:** `wrangler dev` has known limitations with WebSocket proxying through the sandbox. HTTP requests work but WebSocket connections may fail. Deploy to Cloudflare for full functionality.\n\n## Known Issues\n\n### Windows: Gateway fails to start with exit code 126 (permission denied)\n\nOn Windows, Git may check out shell scripts with CRLF line endings instead of LF. This causes `start-openclaw.sh` to fail with exit code 126 inside the Linux container. Ensure your repository uses LF line endings — configure Git with `git config --global core.autocrlf input` or add a `.gitattributes` file with `* text=auto eol=lf`. See [#64](https:\u002F\u002Fgithub.com\u002Fcloudflare\u002Fmoltworker\u002Fissues\u002F64) for details.\n\n## Links\n\n- [OpenClaw](https:\u002F\u002Fgithub.com\u002Fopenclaw\u002Fopenclaw)\n- [OpenClaw Docs](https:\u002F\u002Fdocs.openclaw.ai\u002F)\n- [Cloudflare Sandbox Docs](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fsandbox\u002F)\n- [Cloudflare Access Docs](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fcloudflare-one\u002Fpolicies\u002Faccess\u002F)\n","该项目实现了在Cloudflare Workers上运行OpenClaw（原名Moltbot，再之前为Clawdbot）个人AI助手。其核心功能是利用Cloudflare的沙箱环境部署和运行一个轻量级的AI代理，并支持通过Anthropic API访问Claude等AI服务。技术特点包括使用TypeScript编写，以及集成Cloudflare的多种免费服务如Access、Browser Rendering、AI Gateway和R2 Storage以增强功能。适合对成本敏感但又希望拥有个性化AI助手的开发者或小型团队使用，在确保安全性和隐私性的同时，能够灵活地进行自定义配置与扩展。",2,"2026-06-11 03:50:42","high_star"]