Five things worth knowing

To run your bot, YellowCrab stores three things: your Telegram bot token, your Telegram user ID, and your OpenRouter API key. These are deployed to your dedicated server and are what keep your bot running.

Your OpenRouter key is stored encrypted. YellowCrab staff do not routinely access it, but you should treat it like a password — something only you and your bot need.

How to rotate your OpenRouter key

1. Go to your OpenRouter dashboard and create a new key.
2. Copy the new key.
3. In your YellowCrab dashboard, open Settings and update your API key.
4. Redeploy your instance — the new key will be deployed to your server.
5. Delete the old key from OpenRouter.

Do this any time you suspect your key may have been exposed, or as a routine security practice every few months.

Skills extend what your bot can do — things like searching the web, reading files, or connecting to other services. They run on your server with access to your bot’s environment.

Only install skills from sources you trust. A malicious skill could read your server’s environment variables — including your OpenRouter key and Telegram token — and send them somewhere else.

What to look for before installing a skill

• Does it come from the official OpenClaw repository or a known developer?
• Does the source code look reasonable for what it claims to do?
• Does it ask for more permissions than it needs?

YellowCrab will publish a curated list of reviewed skills. Until then, when in doubt — don’t install it.

YellowCrab never sees or stores your conversations. Messages flow between you, Telegram, your dedicated server, and OpenRouter — none of that passes through YellowCrab’s database.

What YellowCrab does store: your account email, the credentials above, your bot configuration, and operational data needed to keep your instance running (server IP, deployment status, logs). Full details are in the Privacy Policy.

What this means in practice

• Your AI conversations are private — not logged or read by YellowCrab.
• Your bot only responds to your Telegram user ID — no one else can use it.
• Your OpenRouter usage (and its costs) are entirely your own account.

Your bot is designed to only respond to you — but there are a few things to keep in mind to maintain that protection.

Prompt injection via web search

If your bot can browse the web, it may encounter pages that are deliberately crafted to manipulate AI responses — a technique called prompt injection. In rare cases this could cause your bot to behave unexpectedly.

If your bot suddenly changes behaviour, starts producing unusual output, or references things it shouldn’t know — treat it as a signal to investigate.

Signs something may be wrong

• The bot behaves differently than usual without you changing anything.
• It produces responses that reference your credentials or internal config.
• You notice unexpected OpenRouter usage or charges.

If any of these happen: rotate your OpenRouter key immediately (see above), then contact support.

Something not working? Have a question? We’re happy to help.

• Email: support@yellowcrab.ai
• OpenClaw documentation: github.com/openclaw
• OpenRouter support: openrouter.ai

For billing questions or account deletion requests, email support with the subject line Billing or Delete my account and we’ll handle it promptly.