Exec Approvals Guide

Safe command approval policy for OpenClaw

Page scope (exec-approvals niche): This page focuses on command approval policy behavior (security, ask, trusted approvals) and related troubleshooting. For the general security model, see the Security Guide. For release history, see Releases.

Policy concepts

  • security controls execution trust level (for example sandboxed vs broader host access).
  • ask controls when user approval is required.
  • allow-always should persist as durable trust for approved patterns.

After upgrades, verify effective policy sources and fallback behavior, especially if legacy or malformed values existed previously.

Baseline validation commands

Validation sequence
openclaw doctor
openclaw doctor --fix
openclaw gateway restart
openclaw doctor

Use this sequence after changing approval policy or after major updates.

Common issues

  • Unexpected approval prompts: check whether the effective policy is falling back because of invalid enum values in the approvals config.
  • Approvals not appearing in the expected channel: verify native approval routing support and the current channel context.
  • Cron or background jobs stuck on approvals: verify the host fallback policy and approvals file alignment.

If the issues started after an upgrade, cross-check Upgrading / Migrating and the latest breaking changes.
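
One way to check an approvals config for the invalid enum values mentioned under Common issues, including legacy spellings left over from an upgrade. This is an added example, not OpenClaw's own code; the key layout (`defaults`, `agents`), the allowed value sets and the sample config are assumptions to replace with the values documented for your installed version.

```python
import json

# ASSUMPTION: key layout ("defaults", "agents") and the enum sets are
# illustrative, not taken from the page; use your installed version's values.
ALLOWED = {
    "security": {"deny", "allowlist", "full"},
    "ask": {"off", "on-miss", "always"},
}

def _normalise(value):
    """Fold case, whitespace and underscores so near-misses can be recognised."""
    return str(value).strip().lower().replace("_", "-")

def check_scope(scope, section):
    """Yield (scope, key, raw_value, suggestion) for each invalid policy value."""
    if not isinstance(section, dict):
        yield (scope, "*", section, None)  # whole block is malformed
        return
    for key, allowed in ALLOWED.items():
        if key not in section:
            continue  # absent keys are not flagged; only present-but-invalid ones
        raw = section[key]
        if isinstance(raw, str) and raw in allowed:
            continue
        guess = _normalise(raw)
        yield (scope, key, raw, guess if guess in allowed else None)

def find_invalid_policy_values(config):
    """Return every invalid `security`/`ask` value in defaults and per-agent blocks."""
    findings = list(check_scope("defaults", config.get("defaults", {})))
    for name, section in sorted(config.get("agents", {}).items()):
        findings.extend(check_scope(f"agents.{name}", section))
    return findings

# Constructed sample: one legacy spelling, one wrong type, one valid agent.
SAMPLE = json.loads("""
{
  "defaults": {"security": "allowlist", "ask": "On_Miss"},
  "agents": {
    "cron": {"security": true, "ask": "off"},
    "main": {"security": "allowlist", "ask": "always"}
  }
}
""")

if __name__ == "__main__":
    for scope, key, raw, hint in find_invalid_policy_values(SAMPLE):
        note = f"did you mean {hint!r}?" if hint else "no close match"
        print(f"{scope}.{key} = {raw!r} is not a valid value ({note})")
```

Any finding is a candidate cause of a silent fallback; correct the value, then re-run the validation sequence above.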

Operational guardrails

  • Do not use broad trust settings unless you control all message entry points.
  • Prefer explicit approval boundaries for high-risk commands.
  • Re-run security checks after approval-policy edits.