Rate This Document
Findability
Accuracy
Completeness
Readability

Manage the Tool Allowlist to Prohibit High-Risk Tools

A tool allowlist is the core method to harden OpenClaw security. By limiting the system capabilities that an agent can invoke, it prevents high-risk operations (such as file deletion, arbitrary command execution, and permission modification) from being maliciously exploited or accidentally executed.

Tool Description

Table 1 Tool group description

Tool Group

Included Tool

Risk Level

group:runtime

exec, bash, and process

Critical

group:fs

read, write, edit, and apply_patch

High

group:web

web_search and web_fetch

Medium

group:ui

browser and canvas

Medium

group:sessions

sessions_list, sessions_history, sessions_send, sessions_spawn, and session_status

Low

group:memory

memory_search and memory_get

Low

Table 2 High-risk tools

Tool

Risk Description

Enforcement Level

exec

Executes arbitrary shell commands. It can lead to database deletion and system tampering.

Mandatory

process

Manages background processes. It can terminate critical services.

Mandatory

write / edit / apply_patch

Writes or modifies files. It can overwrite sensitive configurations.

Strongly recommended

browser

It may access sensitive websites, scrape authenticated pages, or be manipulated by attackers into performing malicious operations.

Recommended

nodes

Node scheduling, which is typically unused by default

Recommended

canvas

Drawing function, which is rarely used.

Recommended

Procedure

  • Method 1
    1. You can run commands to disable tools as required.
      • Disabling all high-risk tools
        The following command disables all runtime, file system, network, UI interaction, node, canvas drawing, and patching tools/operations.
        openclaw config set tools.deny '["group:runtime","group:fs","group:web","group:ui","nodes","canvas","apply_patch"]' --json
      • Minimum restriction
        The following command disables only runtime operation tools, such as exec, bash, and process.
        openclaw config set tools.deny '["group:runtime"]' --json
      • Using preset profiles

        Allows for quick configuration. Select a profile that matches your scenario.

        openclaw config set tools.profile "minimal"
        openclaw config set tools.profile "messaging"
        openclaw config set tools.profile "coding"
        Profile matrix:

        Profile

        Included Tool

        Application Scenario

        minimal

        Only session_status

        Read-only chat scenarios (most secure)

        messaging

        Message tool group

        Chatbots

        coding

        Grants development-related permissions: file system (group:fs, e.g., read/write), runtime (group:runtime, e.g., exec/process), sessions (group:sessions), network (group:web), memory (group:memory), and images (image).

        Development/Coding

        full

        No permission restrictions

        Local development, function testing, and scenarios requiring unrestricted AI capabilities

    2. Set security hardening baselines for fs and exec.
      openclaw config set tools.fs.workspaceOnly true
      openclaw config set tools.exec.security "deny"
      openclaw config set tools.exec.ask "always"
    3. Restart the OpenClaw gateway.
      openclaw gateway restart
  • Method 2
    1. Open the configuration file.
      vim ~/.openclaw/openclaw.json
    2. Press i to enter the insert mode. Modify the file as follows. If the items do not exist, add them manually. The example below demonstrates disabling all high-risk tools. You can disable tools as required.
      {
        "tools": {
          "deny": [
            "group:runtime",   // Runtime tool group (exec, bash, and process) – Critical!
            "group:ui",        // Disables UI interaction tools; this will affect TUI functionality.
            "group:fs",        // Disables file system operations (read/write/delete, and directory traversal)
            "group:web",       // Disables network tools (and their operations such as HTTP requests and web scraping)
            "nodes",           // Disables node operations (related to node management tools)
            "canvas",          // Disables canvas/drawing tools.
            "apply_patch"      // Disables patching tools (to prohibit code modifications)
          ]
        }
      }

      Alternatively, you can implement granular restriction by explicitly listing the tools to be disabled. See the following example.

      {
        "tools": {
          "allow": [
            "read",
            "web_search",
            "web_fetch",
            "sessions_list",
            "session_status",
            "memory_search",
            "memory_get"
          ],
          "deny": [
            "exec",
            "process",
            "write",
            "edit",
            "apply_patch",
            "nodes",
            "canvas",
            "cron",
            "gateway"
          ]
        }
      }

      You can also use the preset profile. See the following example.

      {

      tools: {

      profile: "messaging",

      deny: ["group:automation", "group:runtime", "group:fs", "sessions_spawn", "sessions_send"],

      fs: { workspaceOnly: true },

      exec: { security: "deny", ask: "always" },

      elevated: { enabled: false }

      },

      }

    3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
    4. Restart the OpenClaw gateway.
      openclaw gateway restart