Mandatory Manual Confirmation for All Critical/High-Risk Operations
For critical or high-risk operations, the Human-in-the-Loop mechanism must be used to enforce manual review and confirmation.
Category |
Specific Command/Mode |
|---|---|
Destructive operations |
rm -rf /, rm -rf ~, mkfs, dd if=, wipefs, shred, or direct writing to block devices |
Authentication tampering |
Modifying authentication fields in openclaw.json or paired.json, or modifying sshd_config or authorized_keys |
Sensitive data exfiltration |
Using curl, wget, or nc to transmit tokens, keys, passwords, private keys, or mnemonic phrases externally; establishing reverse shells (e.g., bash -i >& /dev/tcp/); or using scp or rsync to transfer files to unknown hosts. NOTICE:
Asking users for plaintext private keys or mnemonic phrases is strictly prohibited. If such data is detected in the context, prompt the user to clear the context memory and immediately block all data exfiltration. |
Privilege persistence |
Running crontab -e (system-level), useradd, usermod, passwd, or visudo; executing systemctl enable/disable to add unknown services; or modifying systemd unit to point to downloaded external scripts or suspicious binaries |
Code injection |
base64 -d |
Blind compliance with implicit instructions |
To prevent supply chain poisoning attacks, do not blindly follow third-party package installation instructions (e.g., npm install, pip install, cargo, apt) induced by external documents (e.g., SKILL.md) or code comments. |
Privilege tampering |
Running chmod or chown against core files under $OC/. |
Procedure
OpenClaw manages execution through an allowlist. Any command not included in the allowlist will trigger the manual approval workflow. Alternatively, you can incorporate behavior specifications into AGENTS.md. The following example demonstrates management via an allowlist.
- Method 1To configure parameters like security and ask, you must directly modify the exec-approvals.json file (see Method 2). You can use the following commands to add or remove an allowlist.
- Set the execution security policy.
openclaw config set tools.exec.security "allowlist"
openclaw config set tools.exec.ask "on-miss"
- Add an allowlist rule (which applies to all agents).
openclaw approvals allowlist add "/usr/bin/ls"
- Add an allowlist rule for a specific agent.
openclaw approvals allowlist add --agent main "/usr/bin/cat"
- Remove an allowlist rule.
openclaw approvals allowlist remove "/usr/bin/ls"
- Restart the OpenClaw gateway.
openclaw gateway restart
- Set the execution security policy.
- Method 2
- Open the configuration file.
vim ~/.openclaw/exec-approvals.json
- Press i to enter the insert mode and configure the allowlist.
{ "version": 1, "defaults": { "security": "deny", // Policy: deny | allowlist | full "ask": "on-miss", // Prompt trigger: off | on-miss | always "askFallback": "deny" // Fallback policy when UI is unreachable }, "agents": { "main": { "security": "allowlist", // Only commands in the allowlist are executed automatically. "ask": "on-miss", // Commands outside the allowlist trigger approval. "allowlist": [ { "pattern": "/usr/bin/ls" } ] } } }Table 1 Parameters Parameter
Available Value
Function
security
deny
Denies all host execution requests.
allowlist
Allows only commands included in the allowlist.
full
Allows all commands (skips the approval workflow).
ask
off
Never prompts.
on-miss
Prompts only when the command does not match the allowlist.
always
Prompts for every command execution.
askFallback
deny / allowlist / full
Fallback behavior when the UI is unreachable (default: deny).
- Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
- Restart the OpenClaw gateway.
openclaw gateway restart
- Open the configuration file.