How to Set Up Webhooks and Cron Jobs in OpenClaw
Webhooks and scheduled tasks let you automate OpenClaw skills without manual intervention. Webhooks trigger skills when external events occur (e.g., new GitHub issue, Stripe payment). Cron jobs trigger skills on a schedule (e.g., daily reports, weekly backups). This guide covers both trigger types with practical examples.
Why This Is Hard to Do Yourself
These are the common pitfalls that trip people up.
Webhook endpoint security
Exposing webhook endpoints requires authentication, signature verification, and replay attack prevention
Cron syntax complexity
Cron expressions are cryptic and easy to misconfigure. Testing requires waiting for the schedule to fire
Retry and idempotency
Webhook deliveries can fail or be duplicated. Skills need retry logic and idempotent handling
Debugging scheduled tasks
When a cron job fails, it happens in the background. Diagnosing issues requires robust logging
Step-by-Step Guide
Understand OpenClaw trigger types
# OpenClaw supports three trigger types:
# 1. Command triggers (manual)
triggers:
- command: /backup
# 2. Schedule triggers (cron)
triggers:
- schedule: "0 9 * * *" # Daily at 9 AM
# 3. Webhook triggers (event-driven)
triggers:
- webhook: /webhook/github-issue
# You can combine multiple triggers in one skillSet up a cron-scheduled skill
# Create a daily report skill:
cat > ~/.openclaw/skills/daily-report/skill.md << 'EOF'
---
name: daily-report
version: 1.0.0
description: Sends daily activity report via email
permissions:
- filesystem:read
- network:outbound
triggers:
- schedule: "0 9 * * 1-5" # 9 AM, Monday-Friday
- command: /daily-report # Also allow manual trigger
---
## Instructions
When triggered, generate a daily activity report:
1. Read activity logs from ~/.openclaw/logs/activity.log
2. Summarize key metrics
3. Send formatted email to configured recipients
EOF
# Cron syntax reference:
# โโโโโโโโโโโโโโ minute (0 - 59)
# โ โโโโโโโโโโโโโโ hour (0 - 23)
# โ โ โโโโโโโโโโโโโโ day of month (1 - 31)
# โ โ โ โโโโโโโโโโโโโโ month (1 - 12)
# โ โ โ โ โโโโโโโโโโโโโโ day of week (0 - 6, Sunday = 0)
# โ โ โ โ โ
# * * * * *Warning: All cron schedules run in UTC by default. Convert your local time to UTC or configure timezone in OpenClaw settings.
Configure webhook endpoints
# Webhooks require OpenClaw server mode:
# In ~/.openclaw/config.json, enable server:
{
"server": {
"enabled": true,
"port": 3000,
"host": "0.0.0.0"
},
"webhooks": {
"enabled": true,
"base_path": "/webhook",
"require_auth": true,
"secret": "your-webhook-secret-here"
}
}
# Restart OpenClaw:
npm restart
# Your webhook endpoint will be:
# http://your-server:3000/webhook/{skill-webhook-path}Create a webhook-triggered skill
# Create a GitHub webhook skill:
cat > ~/.openclaw/skills/github-webhook/skill.md << 'EOF'
---
name: github-webhook
version: 1.0.0
description: Handles GitHub issue webhooks
permissions:
- network:outbound
triggers:
- webhook: /github-issue
---
## Instructions
When triggered by GitHub webhook:
1. Parse the webhook payload (JSON)
2. Extract issue title, body, author
3. Post to Slack #dev-notifications channel
4. Log the event
EOF
# Configure GitHub to send webhooks:
# 1. Go to GitHub repo โ Settings โ Webhooks โ Add webhook
# 2. Payload URL: http://your-server:3000/webhook/github-issue
# 3. Content type: application/json
# 4. Secret: your-webhook-secret-here
# 5. Events: IssuesImplement webhook authentication
# Create webhook handler script:
cat > ~/.openclaw/skills/github-webhook/scripts/verify.js << 'EOF'
import crypto from 'crypto';
export function verifyGitHubSignature(payload, signature, secret) {
const hmac = crypto.createHmac('sha256', secret);
const digest = 'sha256=' + hmac.update(payload).digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(digest)
);
}
export function parseWebhook(req) {
const signature = req.headers['x-hub-signature-256'];
const payload = JSON.stringify(req.body);
if (!verifyGitHubSignature(payload, signature, process.env.WEBHOOK_SECRET)) {
throw new Error('Invalid webhook signature');
}
return req.body;
}
EOFWarning: Always verify webhook signatures. Without verification, anyone who knows your endpoint URL can trigger your skill with malicious payloads.
Handle webhook payloads in skill instructions
# Update skill.md with webhook handling instructions:
## Webhook Payload Handling
When GitHub sends an issue webhook:
1. Verify signature using verify.js
2. Parse JSON payload
3. Extract relevant fields:
- issue.title
- issue.body
- issue.user.login
- issue.html_url
4. Format Slack message:
- Title: "New GitHub Issue"
- Author: @{user.login}
- Link: {html_url}
5. Post to Slack
6. Return 200 OK to GitHub
If signature verification fails, return 401 Unauthorized.
If Slack post fails, return 500 and GitHub will retry.Test and debug triggers
# Test cron schedule (without waiting):
# Temporarily set schedule to "* * * * *" (every minute)
# Watch logs:
tail -f ~/.openclaw/logs/skills.log | grep daily-report
# Test webhook locally:
curl -X POST http://localhost:3000/webhook/github-issue \
-H "Content-Type: application/json" \
-H "X-Hub-Signature-256: sha256=..." \
-d '{"action":"opened","issue":{"title":"Test"}}'
# Debug failed triggers:
# 1. Check skill logs: ~/.openclaw/logs/skills.log
# 2. Check webhook delivery logs (in sender, e.g., GitHub)
# 3. Verify cron schedule: https://crontab.guru
# 4. Test skill manually via command triggerWebhooks and Cron Jobs Need to Be Bulletproof
Scheduled tasks and webhooks run without supervision. One misconfiguration can cause silent failures or security vulnerabilities. Our experts build reliable automation that works 24/7.
Get matched with a specialist who can help.
Sign Up for Expert Help โ