approvals

How to Use Openclaw Approvals Commands: Complete Guide

approvals cli commands exec openclaw security
Image
Karinov Webmaster
Table of contents: [Show]

Quick Start

The openclaw approvals command lets you manage execution permissions across your OpenClaw deployment. Use it to control which commands agents can run on the Gateway, local machine, or remote nodes.

Before diving in, you might want to review our guide on Elevated Mode Openclaw for understanding privilege escalation, or check out Exec Tool Openclaw for the basics of command execution.

Openclaw approvals command interface

Viewing Current Approvals

Check your existing approval configuration:

openclaw approvals get

Target specific hosts:

openclaw approvals get --gateway openclaw approvals get --node <id|name|ip>

Setting Approval Policies

Replace the entire approvals configuration with a JSON file:

openclaw approvals set --file ./exec-approvals.json

Apply to remote hosts:

openclaw approvals set --gateway --file ./exec-approvals.json openclaw approvals set --node <id|name|ip> --file ./exec-approvals.json

Managing Allowlists

Add specific commands to the allowlist:

openclaw approvals allowlist add "/usr/bin/git" openclaw approvals allowlist add --agent work "/usr/local/bin/docker"

Remove entries:

openclaw approvals allowlist remove "/usr/bin/git"

Working Example

Here is a complete workflow for setting up approvals on a remote node:

1. Check current status:

openclaw approvals get --node build-server

2. Add allowed commands:

openclaw approvals allowlist add --node build-server "/usr/bin/npm"

3. Verify changes:

openclaw approvals get --node build-server

Best Practices and Troubleshooting

  • Default Scope: The --agent flag defaults to * (all agents). Use --agent <id> to restrict rules.
  • Node Capability: Remote nodes must advertise system.execApprovals.get/set capability. Supported by macOS companion app and headless node hosts.
  • Storage Location: Approvals are stored locally at ~/.openclaw/exec-approvals.json on each host.
  • Node Resolver: Accepts ID, name, IP address, or ID prefix for targeting.

Common Issue: If commands fail with "approval required" errors, ensure the target node has the capability enabled and the command is properly allowlisted.

Tags: