
Permissions, Sandbox & Security Settings

Configure sandbox isolation, tool permissions, exec security policies, and macOS permission grants for secure OpenClaw operation.

⚠️ The Problem

Users encounter various permission and security issues when running OpenClaw agents: sandboxed agents can't access web_search or web_fetch tools, exec commands fail silently or require constant approval dialogs, iMessage integration returns 'authorization denied' errors, and agents are either too restricted or have concerning levels of access to host systems.

🔍 Why This Happens

OpenClaw has a multi-layered security model that can be confusing:

1. Sandbox tool policy is separate from agent tool allow/deny - Even if you add `web_search` to `agents.list[].tools.allow`, the sandbox has its OWN tool filter at `tools.sandbox.tools` that must also permit the tool.
2. Sandbox network is disabled by default - Docker containers run with `network: 'none'` unless explicitly configured, so even allowed web tools will fail.
3. Environment variables don't inherit into sandbox - API keys like `BRAVE_API_KEY` set on the host are invisible inside the sandboxed container.
4. Exec security defaults to 'allowlist' mode - Commands require explicit approval unless security policy is changed.
5. macOS Full Disk Access required for iMessage - The `chat.db` file is protected by macOS security and requires Terminal/IDE to have Full Disk Access.
6. Exec approvals UI prompts on every command - The Allow Once / Always Allow / Don't Allow dialog appears for each new command pattern until allowlisted.

The Fix

## Understanding the Security Layers

OpenClaw has THREE permission gates for sandboxed agents:

1. `agents.list[].tools.allow/deny` - Agent-level tool permissions
2. `tools.sandbox.tools.allow` - Sandbox-level tool filter
3. `sandbox.docker.network` - Network access for the container

## Enable Web Search in Sandboxed Agents

You need to configure ALL layers. Here's a complete working config:

```json5
{
  agents: {
    list: [
      {
        id: "research",
        sandbox: {
          mode: "all",
          scope: "agent",
          workspaceAccess: "rw",
          docker: {
            network: "bridge"  // REQUIRED - 'none' blocks all network
          }
        },
        tools: {
          allow: ["read", "write", "web_search", "web_fetch"],
          deny: ["exec", "edit", "apply_patch", "process"]
        }
      }
    ]
  },
  tools: {
    sandbox: {
      tools: {
        // Add web tools here - default only includes fs/sessions
        allow: ["group:fs", "group:sessions", "group:web"]
      }
    },
    web: {
      search: {
        enabled: true,
        apiKey: "YOUR_BRAVE_API_KEY"  // Must be in config, not env var!
      },
      fetch: { enabled: true }
    }
  }
}
```

Common error when sandbox network is disabled:

```
Error: web_search failed: getaddrinfo ENOTFOUND api.search.brave.com
```

Common error when sandbox tools not configured:

```
I don't have access to the web_search tool.
```
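To see which of the three gates is responsible for a given failure, here is an added example (not OpenClaw's own code) that models the gates in Python and reports the config keys blocking a tool. The group membership, the deny-wins rule and the treatment of a missing allow list are assumptions, as are the names `blocked_by`, `BROKEN` and `FIXED`.

```python
# Simplified model of the three gates for a sandboxed agent (added example).
# Group membership is assumed; the page names the groups but not their members.
GROUPS = {
    "group:web": {"web_search", "web_fetch"},
    "group:fs": {"read", "write", "edit"},
    "group:sessions": set(),
}
SANDBOX_DEFAULT = ["group:fs", "group:sessions"]  # default per the config comment
WEB_TOOLS = {"web_search", "web_fetch"}

def expand(entries):
    """Expand group:* entries into individual tool names."""
    tools = set()
    for entry in entries:
        tools |= GROUPS.get(entry, {entry})
    return tools

def blocked_by(config, agent_id, tool):
    """Return the config keys that block `tool`; an empty list means usable."""
    agent = next(a for a in config["agents"]["list"] if a["id"] == agent_id)
    policy = agent.get("tools", {})
    gates = []
    # Gate 1: agent-level allow/deny. Deny wins; a missing allow list is
    # treated as unrestricted (both are assumptions of this model).
    allow = policy.get("allow")
    if tool in expand(policy.get("deny", [])) or (allow is not None and tool not in expand(allow)):
        gates.append("agents.list[].tools")
    # Gate 2: the sandbox's own tool filter.
    sandbox_allow = (config.get("tools", {}).get("sandbox", {})
                     .get("tools", {}).get("allow", SANDBOX_DEFAULT))
    if tool not in expand(sandbox_allow):
        gates.append("tools.sandbox.tools.allow")
    # Gate 3: container network, which only matters for web tools.
    network = agent.get("sandbox", {}).get("docker", {}).get("network", "none")
    if tool in WEB_TOOLS and network == "none":
        gates.append("sandbox.docker.network")
    return gates

# Constructed configs: agent-level allow only, then the page's full fix.
BROKEN = {"agents": {"list": [{"id": "research", "sandbox": {"mode": "all"},
          "tools": {"allow": ["read", "web_search"]}}]}}
FIXED = {"agents": {"list": [{"id": "research",
         "sandbox": {"mode": "all", "docker": {"network": "bridge"}},
         "tools": {"allow": ["read", "write", "web_search", "web_fetch"],
                   "deny": ["exec", "edit", "apply_patch", "process"]}}]},
         "tools": {"sandbox": {"tools": {"allow": ["group:fs", "group:sessions", "group:web"]}}}}

if __name__ == "__main__":
    print(blocked_by(BROKEN, "research", "web_search"))
    print(blocked_by(FIXED, "research", "web_search"))
```

With only the agent-level allow set, the model reports both the sandbox filter and the network gate as blockers, which matches the two error messages above.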

## Fix Exec Permission Issues

If exec commands fail silently or aren't working, check your security mode:

```json5
// In your clawdbot.json or config:
{
  tools: {
    exec: {
      host: "sandbox",      // or "node" for host execution
      security: "allowlist"  // Options: "deny", "allowlist", "full"
    }
  }
}
```

Security modes explained:

- `deny` - No exec allowed at all
- `allowlist` - Only pre-approved commands work (requires approval UI)
- `full` - All commands allowed (USE WITH CAUTION)

For development/trusted environments where you want exec to just work:

```json5
{
  tools: {
    exec: {
      host: "sandbox",
      security: "full"
    }
  }
}
```

⚠️ Warning: Only use security: "full" if you understand the risks. The agent can run ANY shell command.

## Stop Exec Approval Dialogs

The 'Allow Once / Always Allow / Don't Allow' popup appears when exec security is set to allowlist mode.

Option 1: Pre-approve commands in the UI

1. Open OpenClaw Control UI (or macOS menu bar app)
2. Navigate to Nodes → Exec approvals
3. Add command patterns to the allowlist
4. Use wildcards: `git *`, `npm *`, `brew *`

Option 2: Switch to full security (trusted environments only)

```json5
{
  tools: {
    exec: {
      security: "full"
    }
  }
}
```

Option 3: Use a command allowlist in config

```json5
{
  tools: {
    exec: {
      security: "allowlist",
      allowlist: [
        "git *",
        "npm *",
        "ls *",
        "cat *",
        "echo *"
      ]
    }
  }
}
```

## Fix iMessage Permission Denied Errors

Error message:

```
imsg rpc: failed to parse permissionDenied(path: "/Users/username/Library/Messages/chat.db", underlying: authorization denied (code: 23))
```

This is a macOS security issue. The process running OpenClaw needs Full Disk Access:

1. Open System Settings → Privacy & Security → Full Disk Access
2. Click the + button
3. Add the application running OpenClaw:
   - If running from Terminal: Add Terminal.app
   - If running from VS Code: Add Visual Studio Code
   - If running from iTerm: Add iTerm.app
4. Restart the application after granting access
5. Restart OpenClaw gateway

```bash
# After granting Full Disk Access:
openclaw gateway restart
```

## Secure Setup for Trading/Sensitive Environments

If you have sensitive data on your machine (trading software, credentials, financial data):

1. Run OpenClaw in Docker with minimal mounts:

```bash
docker run -d --name openclaw \
  -v ~/openclaw/data:/data \
  -v ~/openclaw/config:/config:ro \
  --network bridge \
  openclaw/openclaw:latest
```

2. Never mount your home directory or sensitive paths

3. Use read-only filesystem where possible:

```json5
{
  sandbox: {
    workspaceAccess: "ro"  // Read-only workspace
  }
}
```

4. Block local network access: Use firewall rules to prevent the container from accessing local IPs (192.168.x.x, 10.x.x.x).

5. Create a dedicated user with minimal permissions:

```bash
sudo useradd -r -s /bin/false openclaw
sudo chown -R openclaw:openclaw /opt/openclaw
```
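The mount rules from steps 1 to 3 can be checked before a container is started. This is an added example (not OpenClaw's own tooling) that audits a single-line `docker run` command; the `SENSITIVE` list, the `/config` target check and the function names are assumptions made for illustration.

```python
import os.path
import shlex

# Assumed examples of "sensitive paths"; the page does not enumerate them.
SENSITIVE = (".ssh", ".aws", ".gnupg")

def overlaps(a, b):
    """True if one absolute path equals or contains the other."""
    return os.path.commonpath([a, b]) in (a, b)

def audit_docker_run(command, home):
    """Return a list of findings for a single-line `docker run` command."""
    args = shlex.split(command)
    home = os.path.normpath(home)
    findings = []
    for i, arg in enumerate(args):
        value = args[i + 1] if i + 1 < len(args) else ""
        if arg in ("-v", "--volume"):
            host, _, rest = value.partition(":")
            target, _, opts = rest.partition(":")
            if host == "~" or host.startswith("~/"):
                host = home + host[1:]      # expand ~ against the audited home
            if not os.path.isabs(host):
                continue                    # named volume, not a host path
            host = os.path.normpath(host)
            if os.path.commonpath([host, home]) == host:
                findings.append(f"{value}: exposes the home directory")
            elif any(overlaps(host, os.path.join(home, s)) for s in SENSITIVE):
                findings.append(f"{value}: overlaps a sensitive path")
            if target == "/config" and "ro" not in opts.split(","):
                findings.append(f"{value}: config mount is writable")
        elif arg == "--network" and value == "host":
            findings.append("--network host: container shares the host network stack")
        elif arg == "--privileged":
            findings.append("--privileged: container gets near-host privileges")
    return findings

# Constructed inputs: the page's command on one line, and a risky variant.
SAFE = ("docker run -d --name openclaw -v ~/openclaw/data:/data "
        "-v ~/openclaw/config:/config:ro --network bridge openclaw/openclaw:latest")
RISKY = ("docker run -d -v ~:/host -v ~/.ssh/keys:/keys:ro "
         "-v ~/openclaw/config:/config --network host --privileged "
         "openclaw/openclaw:latest")

if __name__ == "__main__":
    for finding in audit_docker_run(RISKY, "/home/alice"):
        print(finding)
```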

## Debug Permission Issues

Run the status command to see effective permissions:

```bash
openclaw status --all
```

This shows:

- Effective tool policy
- Sandbox configuration
- Which config keys are blocking access

## Disable Write Tool While Keeping Web Search

You CAN use web search without write access:

```json5
{
  agents: {
    list: [{
      id: "readonly-researcher",
      tools: {
        allow: ["read", "web_search", "web_fetch"],
        deny: ["write", "edit", "exec"]
      }
    }]
  }
}
```


📋 Quick Commands

| Command | Description |
| --- | --- |
| `openclaw status --all` | Show effective tool policy, sandbox config, and permission status |
| `openclaw gateway restart` | Restart gateway after changing permissions or config |
| `openclaw logs --follow` | Watch logs to debug permission errors in real-time |
| `openclaw config validate` | Validate your configuration file for errors |
