2026 OpenClaw: MCP Tooling, ClawHub Skills Install/Verify & Gateway Triage Runbook

Why does Gateway act like MCP is missing?

MCP is a JSON-RPC session between Gateway and a child process or remote endpoint. Config entries exist ≠ child starts; child starts ≠ schemas returned. Six frequent misreads follow.

1. Environment only in interactive shells: daemons, systemd, launchd, or Compose never see PATH or API keys from ~/.zshrc.
2. ClawHub Skills on read-only or anonymous volumes: downloads look fine until the container recreates—see the volumes article.
3. Stale tool caches: configs changed but UI/CLI lists stay old; reload per docs instead of assuming failure.
4. Timeouts too tight: first cold calls across RTT need different thresholds than steady state.
5. Overlapping AGENTS.md / bootstrap text: duplicate instructions across MCP and Skills inflate context; split boundaries per the Skills tuning checklist.
6. Channel issues mistaken for MCP: fix Slack/Telegram OAuth paths before blaming tools.

Run openclaw doctor using the order in the post-install doctor guide; this article adds the tool-registration evidence chain, not another install tutorial.

Keep a one-page “minimum repro card” per MCP server: one read query, one negative test that must be denied, and three expected log tokens—on-call can compare cards to spot config regressions without rereading giant prompts. Note allowed egress and data classification on the card so incidents never widen tokens without a record.

Table 1: MCP symptom → evidence → action

Field names vary by OpenClaw version; this table locks order of operations.

Table 2: ClawHub Skills vs in-repo Skills vs MCP

Publish a capability matrix so one workflow is not described three different ways.

Six steps: from “chat works” to “tool calls are replayable”

1. Freeze topology: bare metal, remote Mac, or container—document user, PATH, cwd, and bind mounts.
2. Register MCP: fill command/args/env per docs; manually launch the child as the same identity as Gateway and confirm handshake logs.
3. Install ClawHub Skills: land on persistent storage; record version and checksum—never only the ephemeral layer.
4. Trim overlapping Skills text: move long retrieval to memory_search or doc tools to curb context growth.
5. Automate three checks: cold start, steady call, and a deliberate failure (e.g., disconnect) to validate timeouts and degradation.
6. Update the ops guide: reload order, rollback (remove server + restart Gateway), owners—same page as on-call.

Three KPIs worth weekly review

1. Registration coverage: declared MCP servers vs tools actually listed, sliced by release.
2. First-call P95 vs steady P95: treat warm-up separately from steady state.
3. Duplicate capability count: actions described in MCP, ClawHub, and AGENTS.md—anything >1 needs a signed waiver.

On remote Macs or cloud hosts, disk and log rotation affect MCP children that spill temp files to small system volumes—timeouts may look random though the model config is unchanged. Review host ops alongside tool config.

For HTTP/SSE MCP fronts, include reverse-proxy idle timeouts, Upgrade handling, and TLS termination: Gateway may log a successful handshake while the edge proxy returns 499/504. Cross-check the Nginx/Caddy reverse-proxy guide before only raising OpenClaw timeouts.

Directional community note (not a benchmark): three heavy MCP servers plus wide retrieval often produces minute-scale queue jitter—capability matrices and allowlists beat infinite plugins for SLA.

Why laptops and ad-hoc hosts struggle with long-lived tool governance

Sleep, VPN flaps, and path drift make child processes and skill indexes unpredictable. Connecting real business data demands 24/7 uptime, persistent paths, and auditable permissions.

Self-managed boxes without multi-region choice or flexible terms encourage shared hosts where cold starts and log IO contend. Placing Gateway on dedicated Apple Silicon with predictable disks and egress—typical of a professional Mac cloud—usually makes MCP and Skills policies enforceable in contracts. MACCOME offers multi-region Mac Mini M4 / M4 Pro with flexible rental terms as a stable base for Gateway and build farms; confirm public rates and help-center SLAs before ordering.

Pilot the three checks from this runbook on a remote Mac before promoting one image fleet-wide—avoid “works locally, times out in prod” loops. If Gateway is internet-facing, ship TLS, rate limits, and IP allowlists in the same change, not as a later patch.