docs/tools/exec-approvals.md
Exec approvals are the companion app / node host guardrail for letting a
sandboxed agent run commands on a real host (gateway or node). Commands
run only when policy + allowlist + (optional) user approval all agree.
Approvals stack on top of tool policy and elevated gating (elevated
full skips them).
For a mode-first overview of deny, allowlist, ask, auto, full,
Codex Guardian mapping, and ACPX harness permissions, see
Permission modes.
Exec approvals are enforced locally on the execution host:
openclaw process on the gateway machine.system.run to the macOS app over local IPC.| Command | What it shows |
|---|---|
openclaw approvals get / --gateway / --node <id|name|ip> | Requested policy, host policy sources, and the effective result. |
openclaw exec-policy show | Local-machine merged view. |
openclaw exec-policy set / preset | Synchronize the local requested policy with the local host approvals file in one step. |
Full CLI reference (flags, JSON output, allowlist add/remove): Approvals CLI.
When a local scope requests host=node, exec-policy show reports that
scope as node-managed at runtime instead of treating the local approvals
file as the source of truth.
If the companion app UI is not available, any request that would
normally prompt is resolved by the ask fallback (default: deny).
Approvals live in a local JSON file on the execution host. When
OPENCLAW_STATE_DIR is set, the file follows that state directory;
otherwise it uses the default OpenClaw state directory:
$OPENCLAW_STATE_DIR/exec-approvals.json
# otherwise
~/.openclaw/exec-approvals.json
The default approval socket follows the same root:
$OPENCLAW_STATE_DIR/exec-approvals.sock, or
~/.openclaw/exec-approvals.sock when the variable is unset.
Example schema:
{
"version": 1,
"socket": {
"path": "~/.openclaw/exec-approvals.sock",
"token": "base64url-token"
},
"defaults": {
"security": "deny",
"ask": "on-miss",
"askFallback": "deny",
"autoAllowSkills": false
},
"agents": {
"main": {
"security": "allowlist",
"ask": "on-miss",
"askFallback": "deny",
"autoAllowSkills": true,
"allowlist": [
{
"id": "B0C8C0B3-2C2D-4F8A-9A3C-5A4B3C2D1E0F",
"pattern": "~/Projects/**/bin/rg",
"source": "allow-always",
"commandText": "rg -n TODO",
"lastUsedAt": 1737150000000,
"lastUsedCommand": "rg -n TODO",
"lastResolvedPath": "/Users/user/Projects/.../bin/rg"
}
]
}
}
}
tools.exec.modetools.exec.mode is the preferred normalized policy surface for host exec:
| Value | Behavior |
|---|---|
deny | Block host exec. |
allowlist | Run only allowlisted commands without asking. |
ask | Use allowlist policy and ask on misses. |
auto | Use allowlist policy, run deterministic matches directly, and send approval misses through OpenClaw's native auto reviewer before falling back to a human approval route. |
full | Run host exec without approval prompts. |
Legacy tools.exec.security / tools.exec.ask remain supported and still
apply wherever mode is unset at that scope.
exec.securityDefault is full for gateway/node hosts; a sandbox host defaults to
deny instead.
</ParamField>
exec.askoff - never prompt.on-miss - prompt only when the allowlist does not match.always - prompt on every command. allow-always durable trust does not suppress prompts when effective ask mode is always.askFallbackdeny - block.allowlist - allow only if allowlist matches.full - allow.tools.exec.strictInlineEvalExamples that strict mode catches: python -c, node -e/--eval/-p,
ruby -e, perl -e/-E, php -r, lua -e, osascript -e (also awk,
sed, make, find -exec, and xargs inline forms).
In strict mode these commands still need explicit approval, and
allow-always does not persist new allowlist entries for them
automatically.
tools.exec.commandHighlightingSet globally under tools.exec.commandHighlighting or per agent under
agents.list[].tools.exec.commandHighlighting.
To run host exec without approval prompts, open both policy layers:
requested exec policy in OpenClaw config (tools.exec.*) and
host-local approvals policy in the execution host approvals file.
Omitted askFallback defaults to deny. Set host askFallback to full
explicitly when a no-UI approval prompt should fall back to allow.
| Layer | YOLO setting |
|---|---|
tools.exec.security | full on gateway/node |
tools.exec.ask | off |
Host askFallback | full |
tools.exec.host=auto chooses where exec runs: sandbox when available, otherwise gateway.security=full plus ask=off.auto does not make gateway routing a free override from a sandboxed session. A per-call host=node request is allowed from auto; host=gateway is only allowed from auto when no sandbox runtime is active. For a stable non-auto default, set tools.exec.host or use /exec host=... explicitly.CLI-backed providers that expose their own noninteractive permission mode
can follow this policy. Claude CLI adds
--permission-mode bypassPermissions when OpenClaw's effective exec
policy is YOLO. For OpenClaw-managed Claude live sessions, OpenClaw's
effective exec policy is authoritative over Claude's native permission mode:
YOLO normalizes live launches to --permission-mode bypassPermissions, and
restrictive effective exec policy normalizes live launches to
--permission-mode default, even if raw Claude backend args specify another
mode.
If you want a more conservative setup, tighten OpenClaw exec policy back to
allowlist / on-miss or deny.
openclaw exec-policy preset yolo
Updates both local tools.exec.host/security/ask and the local approvals
file defaults (including askFallback: "full"). It is intentionally
local-only. To change gateway-host or node-host approvals remotely, use
openclaw approvals set --gateway or openclaw approvals set --node <id|name|ip>.
Other built-in presets: cautious (host=gateway, security=allowlist,
ask=on-miss, askFallback=deny) and deny-all (host=gateway,
security=deny, ask=off, askFallback=deny). Apply the same way:
openclaw exec-policy preset cautious.
To set individual fields instead of a full preset, use
openclaw exec-policy set --host <auto|sandbox|gateway|node> --security <deny|allowlist|full> --ask <off|on-miss|always> --ask-fallback <deny|allowlist|full> with any subset of those flags.
Apply the same approvals file on the node instead:
openclaw approvals set --node <id|name|ip> --stdin <<'EOF'
{
version: 1,
defaults: {
security: "full",
ask: "off",
askFallback: "full"
}
}
EOF
openclaw exec-policy does not synchronize node approvals.openclaw exec-policy set --host node is rejected.openclaw approvals --node ..../exec security=full ask=off changes only the current session./elevated full is a break-glass shortcut that skips exec approvals only
when both the requested policy and the host approvals file resolve to
security: "full" and ask: "off". A stricter host file, such as ask: "always", still prompts.If the host approvals file stays stricter than config, the stricter host policy still wins.
Allowlists are per agent. If multiple agents exist, switch which agent you are editing in the macOS app. Patterns are glob matches.
Patterns can be resolved binary path globs or bare command-name globs.
Bare names match only commands invoked through PATH, so rg can match
/opt/homebrew/bin/rg when the command is rg, but not ./rg or
/tmp/rg. Use a path glob to trust one specific binary location.
Legacy agents.default entries are migrated to agents.main on load.
Shell chains such as echo ok && pwd still need every top-level segment
to satisfy allowlist rules.
Examples:
rg~/Projects/**/bin/peekaboo~/.local/bin/*/opt/homebrew/bin/rgAdd argPattern when an allowlist entry should match a binary and a
specific argument shape. OpenClaw evaluates the regular expression against
the parsed command arguments, excluding the executable token (argv[0]).
For hand-authored entries, arguments are joined with a single space, so
anchor the pattern when you need an exact match.
{
"version": 1,
"agents": {
"main": {
"allowlist": [
{
"pattern": "python3",
"argPattern": "^safe\\.py$"
}
]
}
}
}
That entry allows python3 safe.py; python3 other.py is an allowlist
miss. If a path-only entry for the same binary is also present, unmatched
arguments can still fall back to that path-only entry. Omit the path-only
entry when the goal is to restrict the binary to the declared arguments.
Entries saved by approval flows use an internal separator format for exact
argv matching. Prefer the UI or approval flow to regenerate those entries
instead of hand-editing the encoded value. If OpenClaw cannot parse argv
for a command segment, entries with argPattern do not match.
Each allowlist entry supports:
| Field | Meaning |
|---|---|
pattern | Resolved binary path glob or bare command-name glob |
argPattern | Optional argv regex; omitted entries are path-only |
id | Stable UUID used for UI identity |
source | Entry source, such as allow-always |
commandText | Command text captured when an approval flow created the entry |
lastUsedAt | Last-used timestamp |
lastUsedCommand | Last command that matched |
lastResolvedPath | Last resolved binary path |
When Auto-allow skill CLIs (autoAllowSkills) is enabled, executables
referenced by known skills are treated as allowlisted on nodes (macOS node
or headless node host). This uses skills.bins over the Gateway RPC to
fetch the skill bin list. Disable this if you want strict manual
allowlists.
For safe bins (the stdin-only fast-path), interpreter binding details, and how to forward approval prompts to Slack/Discord/Telegram (or run them as native approval clients), see Exec approvals - advanced.
Use the Control UI -> Nodes -> Exec approvals card to edit defaults, per-agent overrides, and allowlists. Pick a scope (Defaults or an agent), tweak the policy, add/remove allowlist patterns, then Save. The UI shows last-used metadata per pattern so you can keep the list tidy.
The target selector chooses Gateway (local approvals) or a Node.
Nodes must advertise system.execApprovals.get/set (macOS app or headless
node host). If a node does not advertise exec approvals yet, edit its
local approvals file directly.
Some node hosts, including the Windows companion, own a different approval
policy format. Control UI shows these host-native policies read-only. Use the
companion app or openclaw approvals set --node <id|name|ip> with the native
policy shape to edit them; see Approvals CLI.
CLI: openclaw approvals supports gateway or node editing - see
Approvals CLI.
When a prompt is required, the gateway broadcasts
exec.approval.requested to operator clients. The Control UI and macOS
app resolve it via exec.approval.resolve, then the gateway forwards the
approved request to the node host.
For host=node, approval requests include a canonical systemRunPlan
payload. The gateway uses that plan as the authoritative command/cwd/session
context when forwarding approved system.run requests:
system.run call reuses the stored plan instead of trusting later caller edits.command, rawCommand, cwd, agentId, or sessionKey after the approval request was created, the gateway rejects the forwarded run as an approval mismatch.Exec lifecycle posts an Exec finished system message to the agent's
session after the node reports completion. OpenClaw can also emit an
in-progress notice once an approval is granted, after
tools.exec.approvalRunningNoticeMs elapses (default 10000, 0 disables
it). Denied exec approvals are terminal for the host command: the command
does not run.
Gateway-host exec approvals emit the same completion lifecycle event.
Approval-gated execs reuse the approval id to correlate the pending
request with its completion/denial message (Exec finished (gateway id=...) / Exec denied (gateway id=...)).
full is powerful; prefer allowlists when possible.ask keeps you in the loop while still allowing fast approvals./exec./exec security=full is a session-level convenience for authorized operators and skips approvals by design. To hard-block host exec, set approvals security to deny or deny the exec tool via tool policy.