Tools & Permissions

read, exec, write, in that order. And the approval system that keeps you safe.

TL;DR: Enable tools in order: read first, exec second, write last. Without Telegram exec approvals enabled, every shell command times out. The exec-approvals.json allowlist never supports redirections (>, >>) — use tee instead.

The Minimum Authority Principle

Start read-only. Grant write access only to the agent's own workspace. Open things up gradually as trust builds (the principle of least privilege). The order matters: getting one permission layer right while another is still wrong produces confusing, inconsistent behaviour that is hard to attribute to the layer actually at fault.

Tools in order of enablement

Tool                      Use case                  When to enable
Read (filesystem)         Memory, file inspection   Day 1
Exec (shell)              Everything useful         Day 1 (after read)
Write (filesystem)        Creating/editing files    Day 2–3
GitHub (gh)               Code management           When you have code
Google Workspace (gog)    Email, calendar           When you have accounts
Coding agents             Building things           When you have a project
Social media              Marketing                 When you have something to say

Enabling tools in openclaw.json

The tools section:

"tools": {
  "profile": "coding",
  "allow": ["group:fs", "group:runtime", "read", "write", "exec"],
  "exec": {
    "host": "gateway",
    "security": "full",
    "ask": "off",
    "pathPrepend": ["/opt/homebrew/bin", "/usr/local/bin"]
  },
  "elevated": {
    "enabled": true,
    "allowFrom": { "telegram": ["YOUR_TELEGRAM_ID"] }
  }
}

Note: tools.profile: "coding" unlocks group:fs and group:runtime natively. tools.exec.security: "full" with ask: "off" means no per-command approval prompts: the agent runs shell commands with no human in the loop, and the exec-approvals.json allowlist in the next section is the only per-binary gate that remains. Replace YOUR_TELEGRAM_ID with your real Telegram user id before enabling elevated; a placeholder left in place means nobody is allowed, and a stranger's id means a stranger is.

The exec-approvals.json allowlist

A separate file at ~/.openclaw/exec-approvals.json that explicitly allowlists every binary:

{
  "allowedBinaries": [
    "/bin/bash",
    "/usr/bin/python3",
    "/opt/homebrew/bin/git",
    "/usr/bin/find",
    "/usr/bin/grep"
  ]
}
Redirections (>, >>) NEVER work in allowlist mode, regardless of security settings. This is permanent, not a bug that will be fixed: the allowlist matches the binaries a command invokes, and a redirection is a file the shell opens itself, so there is no allowlisted binary for the write to be attributed to. Use tee instead, and remember that tee is a binary like any other: /usr/bin/tee has to be in allowedBinaries too. The allowlist controls which program does the writing, not which file gets written, so allowlisting tee is equivalent to allowing file writes anywhere the gateway user can write.

BROKEN: echo "text" >> file.txt
WORKS: echo "text" | tee -a file.txt

Three days of debugging across three AI models to find this. Don't repeat that.
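To make the rule concrete, here is a small model of an allowlist decision, added for this page and not OpenClaw's own code: it splits a command line into pipeline segments, rejects any shell redirection or subshell, and requires the first word of every segment to resolve to an allowlisted binary, either by full path or by basename (standing in for the gateway's PATH lookup). The allowlist it uses is the page's exec-approvals.json plus /bin/echo and /usr/bin/tee, which the page's own "echo | tee" example needs; the exact matching rules OpenClaw applies are an assumption, the point is why ">>" fails and "| tee -a" passes.

```python
import os
import shlex

# Constructed allowlist for this example: the page's exec-approvals.json with
# two additions the "echo | tee" example needs (/bin/echo and /usr/bin/tee).
ALLOWED_BINARIES = [
    "/bin/bash",
    "/usr/bin/python3",
    "/opt/homebrew/bin/git",
    "/usr/bin/find",
    "/usr/bin/grep",
    "/bin/echo",
    "/usr/bin/tee",
]

# Operators that start a new command segment; each segment is checked on its own.
SEPARATORS = {"|", "||", "&&", ";", "&"}


def tokenize(cmd):
    """Split a command line into words and shell operators (">>", "|", "&&", ...)."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def is_redirection(tok):
    """True for operator tokens such as ">", ">>", "<", ">&" that make the shell open a file."""
    return tok not in SEPARATORS and set(tok) <= set("<>&") and bool(set(tok) & set("<>"))


def allowlist_verdict(cmd, allowed=ALLOWED_BINARIES):
    """Simplified allowlist decision (assumed model, not OpenClaw's implementation).

    Returns (permitted, reason). Rules: no redirections, no subshells, and the
    first word of every segment must name an allowlisted binary by absolute
    path or by basename.
    """
    allowed_paths = set(allowed)
    allowed_names = {os.path.basename(p) for p in allowed}
    try:
        tokens = tokenize(cmd)
    except ValueError as exc:  # e.g. an unterminated quote
        return False, f"cannot parse command: {exc}"

    segments, current = [], []
    for tok in tokens:
        if tok in ("(", ")"):
            return False, "subshells are not permitted in allowlist mode"
        if is_redirection(tok):
            return False, f"redirection {tok!r} is not permitted in allowlist mode; pipe into tee instead"
        if tok in SEPARATORS:
            segments.append(current)
            current = []
        else:
            current.append(tok)
    segments.append(current)

    for seg in segments:
        if not seg:
            return False, "empty command segment"
        prog = seg[0]
        permitted = prog in allowed_paths if os.path.isabs(prog) else prog in allowed_names
        if not permitted:
            return False, f"{prog!r} is not an allowlisted binary"
    return True, "every segment runs an allowlisted binary"


if __name__ == "__main__":
    for cmd in ('echo "text" >> file.txt',
                'echo "text" | tee -a file.txt',
                'git status && grep -r TODO .',
                'ls 2>&1'):
        print(f"{cmd!r:40} -> {allowlist_verdict(cmd)}")
```

Run it and the BROKEN/WORKS pair above falls out directly: the ">>" version is refused on the redirection token before any binary is looked at, the tee version passes only because tee is on the list, and "2>&1" is refused for the same reason as ">>".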

Enabling Telegram exec approvals

This is SEPARATE from the main exec settings in openclaw.json. Without it, every shell command issued from Telegram times out. Run this on Day 1:

openclaw approvals security set --agent main --level full
The error ❌ Telegram exec approvals are not enabled for this bot account comes from this separate config, not from the main exec settings. We hit this for two days before finding this command. Run it early and confirm it works by sending echo hello from Telegram.

Keys that DON'T exist (schema errors)

These config keys look plausible but are all invalid in OpenClaw's schema. Don't use them:

Test that shell execution works:

echo hello

If it returns hello: working. If it returns raw JSON or times out: permissions aren't set up (check the exec settings, the allowlist and the Telegram approvals above). If the reply is the tool call itself as text, like {"tool": "exec", ...}, the model wrote the call out instead of invoking the tool: you're on Gemini, switch to Claude.

The commands section

Required for bash to work:

"commands": {
  "native": "auto",
  "nativeSkills": "auto",
  "bash": true
}

Without "bash": true, bash commands are disabled.

Validating config after every change

Never restart the gateway without validating first. Check the JSON syntax without echoing the file to the terminal (it holds tokens and IDs), and only restart if the check passes:

python3 -m json.tool ~/.openclaw/openclaw.json > /dev/null && openclaw gateway restart

If the check is silent: valid and restarting. If it prints an error: fix the file before restarting. This is a syntax check only; a well-formed file can still contain keys the schema rejects (see "Keys that DON'T exist" above), which a JSON parser cannot catch.
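A syntax check is the minimum. The following pre-flight script, added here as an example and not part of OpenClaw, goes one step further over the keys this page configures (the tools section and the commands section above, and the exec-approvals.json allowlist): it parses both files, flags a leftover YOUR_TELEGRAM_ID placeholder, reports the no-prompt combination of security "full" and ask "off", insists on commands.bash being true, and checks that every allowlisted binary is an absolute path that exists and is not replaceable by any local user. The key names are taken from the page; that Telegram user ids are numeric, and the file layout with allowedBinaries, are assumptions, and the checks are the author of this example's, not OpenClaw's schema validation.

```python
import json
import os
import stat

# Placeholder values that must never survive into a live config (constructed list).
PLACEHOLDER_IDS = {"YOUR_TELEGRAM_ID"}


def parse_config_text(text):
    """Syntax check only: return (parsed object, None) or (None, error message)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno}, column {exc.colno}: {exc.msg}"


def check_openclaw_config(cfg):
    """Findings (severity, message) for the openclaw.json keys this page configures."""
    findings = []
    tools = cfg.get("tools", {})
    exec_cfg = tools.get("exec", {})
    if exec_cfg.get("security") == "full" and exec_cfg.get("ask") == "off":
        findings.append(("info", "tools.exec: security=full with ask=off; commands run with no "
                                 "per-command prompt, so exec-approvals.json is the only gate"))
    elevated = tools.get("elevated", {})
    ids = elevated.get("allowFrom", {}).get("telegram", [])
    if elevated.get("enabled") and not ids:
        findings.append(("error", "tools.elevated is enabled but allowFrom.telegram is empty"))
    for ident in ids:
        # Assumption: Telegram user ids are numeric; anything else is a leftover placeholder.
        if ident in PLACEHOLDER_IDS or not str(ident).isdigit():
            findings.append(("error", f"tools.elevated.allowFrom.telegram: {ident!r} is not a real user id"))
    if cfg.get("commands", {}).get("bash") is not True:
        findings.append(("error", "commands.bash is not true; bash commands stay disabled"))
    return findings


def check_allowlist(approvals):
    """Findings for exec-approvals.json: each entry must be one absolute, non-replaceable binary."""
    findings = []
    binaries = approvals.get("allowedBinaries", [])
    if not binaries:
        findings.append(("error", "allowedBinaries is empty; nothing can run in allowlist mode"))
    for path in binaries:
        if not os.path.isabs(path):
            findings.append(("error", f"{path!r} is not an absolute path"))
            continue
        if not os.path.isfile(path):
            findings.append(("warn", f"{path!r} does not exist on this host"))
            continue
        # A world-writable binary, or a world-writable parent directory without the
        # sticky bit, lets any local user swap what the allowlist entry points at.
        if os.stat(path).st_mode & stat.S_IWOTH:
            findings.append(("error", f"{path!r} is world-writable"))
        parent = os.stat(os.path.dirname(path)).st_mode
        if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
            findings.append(("error", f"parent directory of {path!r} is world-writable"))
    return findings


def validate(config_path, approvals_path):
    """Parse both files and run every check; return (ok, findings). ok is False on any error."""
    findings = []
    parsed = {}
    for label, path in (("config", config_path), ("approvals", approvals_path)):
        try:
            with open(path, encoding="utf-8") as fh:
                obj, err = parse_config_text(fh.read())
        except OSError as exc:
            obj, err = None, str(exc)
        if err:
            findings.append(("error", f"{path}: {err}"))
        parsed[label] = obj or {}
    findings += check_openclaw_config(parsed["config"])
    findings += check_allowlist(parsed["approvals"])
    ok = not any(sev == "error" for sev, _ in findings)
    return ok, findings


if __name__ == "__main__":
    home = os.path.expanduser("~/.openclaw")
    ok, findings = validate(os.path.join(home, "openclaw.json"),
                            os.path.join(home, "exec-approvals.json"))
    for sev, msg in findings:
        print(f"[{sev}] {msg}")
    raise SystemExit(0 if ok else 1)
```

Save it as, say, check_openclaw.py and chain it the same way as the json.tool check: python3 check_openclaw.py && openclaw gateway restart. The script exits non-zero on any error finding, so the restart never runs against a config with a placeholder id, a disabled bash, or an allowlist entry that an unprivileged user could overwrite. Nothing secret is printed: findings name keys and paths, never token values.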