Rate This Document
Findability
Accuracy
Completeness
Readability

Mandatory Manual Confirmation for All Critical/High-Risk Operations

For critical or high-risk operations, the Human-in-the-Loop mechanism must be used to enforce manual review and confirmation.

Category

Specific Command/Mode

Destructive operations

rm -rf /, rm -rf ~, mkfs, dd if=, wipefs, shred, or direct writing to block devices

Authentication tampering

Modifying authentication fields in openclaw.json or paired.json, or modifying sshd_config or authorized_keys

Sensitive data exfiltration

Using curl, wget, or nc to transmit tokens, keys, passwords, private keys, or mnemonic phrases externally; establishing reverse shells (e.g., bash -i >& /dev/tcp/); or using scp or rsync to transfer files to unknown hosts.

NOTICE:

Asking users for plaintext private keys or mnemonic phrases is strictly prohibited. If such data is detected in the context, prompt the user to clear the context memory and immediately block all data exfiltration.

Privilege persistence

Running crontab -e (system-level), useradd, usermod, passwd, or visudo; executing systemctl enable/disable to add unknown services; or modifying systemd unit to point to downloaded external scripts or suspicious binaries

Code injection

base64 -d

Blind compliance with implicit instructions

To prevent supply chain poisoning attacks, do not blindly follow third-party package installation instructions (e.g., npm install, pip install, cargo, apt) induced by external documents (e.g., SKILL.md) or code comments.

Privilege tampering

Running chmod or chown against core files under $OC/.

Procedure

OpenClaw manages execution through an allowlist. Any command not included in the allowlist will trigger the manual approval workflow. Alternatively, you can incorporate behavior specifications into AGENTS.md. The following example demonstrates management via an allowlist.

  • Method 1
    To configure parameters like security and ask, you must directly modify the exec-approvals.json file (see Method 2). You can use the following commands to add or remove an allowlist.
    1. Set the execution security policy.

      openclaw config set tools.exec.security "allowlist"

      openclaw config set tools.exec.ask "on-miss"

    2. Add an allowlist rule (which applies to all agents).
      openclaw approvals allowlist add "/usr/bin/ls"
    3. Add an allowlist rule for a specific agent.
      openclaw approvals allowlist add --agent main "/usr/bin/cat"
    4. Remove an allowlist rule.
      openclaw approvals allowlist remove "/usr/bin/ls"
    5. Restart the OpenClaw gateway.
      openclaw gateway restart
  • Method 2
    1. Open the configuration file.
      vim ~/.openclaw/exec-approvals.json
    2. Press i to enter the insert mode and configure the allowlist.
      {
        "version": 1,
        "defaults": {
          "security": "deny",        // Policy: deny | allowlist | full
          "ask": "on-miss",          // Prompt trigger: off | on-miss | always
          "askFallback": "deny"      // Fallback policy when UI is unreachable
         },
        "agents": {
          "main": {
            "security": "allowlist", // Only commands in the allowlist are executed automatically.
            "ask": "on-miss", // Commands outside the allowlist trigger approval.
            "allowlist": [
              {
                "pattern": "/usr/bin/ls"
              }
            ]
          }
        }
      }
      Table 1 Parameters

      Parameter

      Available Value

      Function

      security

      deny

      Denies all host execution requests.

      allowlist

      Allows only commands included in the allowlist.

      full

      Allows all commands (skips the approval workflow).

      ask

      off

      Never prompts.

      on-miss

      Prompts only when the command does not match the allowlist.

      always

      Prompts for every command execution.

      askFallback

      deny / allowlist / full

      Fallback behavior when the UI is unreachable (default: deny).

    3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
    4. Restart the OpenClaw gateway.
      openclaw gateway restart