Using Exec Approvals in Openclaw


Quick Start

Exec approvals in Openclaw provide granular control over command execution, letting you define exactly when and how your agent interacts with your system.

  • Fine-tuned security policies prevent unauthorized commands while enabling legitimate automation.
  • Developers often struggle to balance security with convenience, either locking down too tight or leaving systems exposed.
  • The goal is a configured approval workflow that matches your risk tolerance and operational needs.

Exec Approvals Configuration

Understanding the Policy Knobs

Openclaw controls exec access through three interconnected settings that define your security posture.

1. Security Level

Determines the baseline execution policy:

  • deny — Blocks all host exec requests
  • allowlist — Allows only commands matching your allowlist
  • full — Allows everything, skips all approvals

2. Ask Mode

Controls when user approval is required:

  • off — Never prompts for approval
  • on-miss — Prompts only if the command does not match the allowlist
  • always — Prompts for every single command

3. Ask Fallback

Determines behavior when prompts cannot be delivered (UI offline/unreachable):

  • deny — Reject the command
  • allowlist — Execute if in allowlist
  • full — Execute anyway

Working Example

Balanced security configuration in ~/.openclaw/openclaw.json:

{
  "tools": {
    "exec": {
      "security": "allowlist",
      "ask": "on-miss",
      "askFallback": "deny"
    }
  }
}

This setup allows pre-approved commands automatically while requiring confirmation for anything else.

Step-by-Step Configuration

Step 1: Choose Your Security Level

Start with allowlist for production environments. Use deny for high-security setups, and full only in trusted development environments.

Step 2: Set Ask Mode

on-miss provides the best balance—uninterrupted workflow for routine commands, confirmation for unknowns.

Step 3: Configure Fallback

Set askFallback to deny for safety. This prevents accidental execution when you are not available to approve.
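
An added example, not part of the original page and not Openclaw's own code: a small Python audit that reads the tools.exec block and flags values outside the documented set, or choices the three steps above advise against. The function name, severity labels and sample configs are constructed for illustration; flagging an unset key is an assumption, since the page does not state defaults.

```python
import json

# Values this page documents for each setting under tools.exec.
ALLOWED = {
    "security": {"deny", "allowlist", "full"},
    "ask": {"off", "on-miss", "always"},
    "askFallback": {"deny", "allowlist", "full"},
}
# Constructed sample inputs: the page's balanced config and a permissive one.
BALANCED = '{"tools": {"exec": {"security": "allowlist", "ask": "on-miss", "askFallback": "deny"}}}'
RISKY = '{"tools": {"exec": {"security": "full", "ask": "off", "askFallback": "full"}}}'

def audit_exec_policy(config_text):
    """Return (severity, message) findings for the tools.exec section."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as err:
        return [("error", f"config is not valid JSON: {err}")]
    tools = config.get("tools") if isinstance(config, dict) else None
    exec_cfg = tools.get("exec") if isinstance(tools, dict) else None
    if not isinstance(exec_cfg, dict):
        return [("error", "tools.exec section is missing")]
    findings = []
    for key, allowed in ALLOWED.items():
        value = exec_cfg.get(key)
        if value is None:
            # Assumption: defaults are not stated on the page, so flag unset keys.
            findings.append(("warn", f"{key} is not set explicitly"))
        elif not isinstance(value, str) or value not in allowed:
            findings.append(("error", f"{key}={value!r} is not one of {sorted(allowed)}"))
    if exec_cfg.get("security") == "full":
        findings.append(("high", "security=full allows everything and skips all approvals"))
    fallback = exec_cfg.get("askFallback")
    if fallback == "full":
        findings.append(("high", "askFallback=full executes when no prompt can be delivered"))
    elif fallback == "allowlist":
        findings.append(("info", "askFallback=allowlist executes allowlisted commands when no prompt can be delivered"))
    return findings

if __name__ == "__main__":
    for name, text in (("balanced", BALANCED), ("risky", RISKY)):
        print(name, audit_exec_policy(text) or "no findings")
```

To audit a real file, pass the contents of ~/.openclaw/openclaw.json to audit_exec_policy.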

Troubleshooting & Best Practices

  • Start restrictive: Begin with deny or allowlist, then relax as needed.
  • Build your allowlist gradually: Add commands as you use them, not preemptively.
  • Monitor logs: Review denied commands to identify legitimate needs or security concerns.
  • Test fallback behavior: Simulate offline scenarios to ensure askFallback behaves as expected.

Exec approvals give you surgical control over agent capabilities—configure them thoughtfully to match your security requirements.