OpenClaw tools.allow File: What to Enable and What to Lock Down

nacre.sh Team · May 6, 2026 · 8 min read

How to configure OpenClaw's tools.allow file for security. What permissions to enable, what to lock down, and why it matters for preventing misuse.

The OpenClaw tools.allow configuration is one of the most important security controls in OpenClaw. It defines a whitelist (and optional blacklist) of operations that skills and the agent itself can perform. Getting this configuration right is the difference between a powerful-but-safe agent and one that could be manipulated into harmful actions.

Why tools.allow Matters

OpenClaw skills can request permissions to read files, write files, execute shell commands, make network requests, and access environment variables. Without restrictions, a compromised skill or successful prompt injection attack could use these capabilities maliciously. The tools.allow configuration lets you enforce least privilege.

The Configuration

In ~/.openclaw/openclaw.json:

{
  "security": {
    "tools": {
      "allow": [
        "read_file",
        "write_file",
        "web_search",
        "network_access"
      ],
      "deny": [
        "execute_command",
        "read_env",
        "write_env"
      ],
      "require_confirmation": [
        "send_email",
        "delete_file",
        "calendar_write"
      ]
    }
  }
}

Permission Categories Explained

Always Safe to Enable

  • read_file — limited to configured directories; needed for document processing
  • web_search — browsing the web; standard for research agents
  • calendar_read — reading your calendar without writing; safe for scheduling assistance

Enable Only If Needed

  • network_access — general HTTP requests; needed for most API-based skills
  • write_file — writing files; set to specific directories only
  • calendar_write — can book appointments; use require_confirmation
  • send_email — can send emails on your behalf; always require confirmation
  • database_query — can query databases; restrict to specific databases

Lock Down By Default (Require Strong Justification)

  • execute_command — runs arbitrary shell commands. This is the most dangerous permission. Only enable for specific trusted skills with explicit command patterns.
  • read_env — can read all environment variables including API keys. If enabled, restrict to specific variable names: read_env:SPECIFIC_VAR
  • web_browse — can browse the web autonomously (vs. just search). It carries more prompt injection risk than web_search.

Per-Skill Permission Overrides

You can grant additional permissions to specific trusted skills while keeping defaults tight:

{
  "skills": {
    "permissions_override": {
      "github-skill": {
        "allow": ["execute_command:git *"]
      }
    }
  }
}

The execute_command:git * pattern allows only git commands, not arbitrary shell execution.

require_confirmation: The Safest Middle Ground

Instead of fully denying sensitive operations, require_confirmation prompts you on the connected channel before the agent executes the action:

Your agent wants to send an email to boss@example.com with subject "Meeting Request"
Reply 'yes' to confirm, 'no' to cancel

This lets you maintain agent autonomy while retaining a human checkpoint for high-stakes actions.

Recommended Starting Configuration

For a personal agent with general productivity skills:

{
  "security": {
    "tools": {
      "allow": ["read_file", "web_search", "network_access", "calendar_read"],
      "deny": ["execute_command", "read_env"],
      "require_confirmation": ["write_file", "send_email", "calendar_write", "delete_file"]
    }
  }
}
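
As an added example (not OpenClaw's or nacre.sh's own code), this small Python linter checks a parsed openclaw.json against the guidance above: execute_command and read_env only with a scope, send_email and calendar_write only behind require_confirmation, and no permission in both allow and deny. The function names, the deploy-skill entry, and the treatment of an empty or bare `*` scope as unrestricted are assumptions.

```python
# Permissions the article says to grant only with a scope (name:pattern).
SCOPED_ONLY = {"execute_command", "read_env"}
# Permissions the article routes through require_confirmation.
CONFIRM_FIRST = {"send_email", "calendar_write"}


def split_entry(entry):
    """'execute_command:git *' -> ('execute_command', 'git *')."""
    name, _, scope = entry.partition(":")
    return name.strip(), scope.strip()


def audit(config):
    """Return findings for a parsed openclaw.json dict (hypothetical linter)."""
    tools = config.get("security", {}).get("tools", {})
    overrides = config.get("skills", {}).get("permissions_override", {})
    denied = {split_entry(e)[0] for e in tools.get("deny", [])}
    confirmed = {split_entry(e)[0] for e in tools.get("require_confirmation", [])}
    grants = [("global", e) for e in tools.get("allow", [])]
    for skill, override in overrides.items():
        grants += [(skill, e) for e in override.get("allow", [])]
    findings = []
    for where, entry in grants:
        name, scope = split_entry(entry)
        # Assumption: an empty scope or a bare "*" means "anything".
        if name in SCOPED_ONLY and scope in ("", "*"):
            findings.append(f"{where}: {name} granted without a scope")
        if name in CONFIRM_FIRST and name not in confirmed:
            findings.append(f"{where}: {name} allowed without require_confirmation")
        if where == "global" and name in denied:
            findings.append(f"global: {name} listed in both allow and deny")
    return findings


# Constructed sample config, not taken from a real deployment.
SAMPLE = {
    "security": {"tools": {
        "allow": ["read_file", "send_email", "read_env", "web_search"],
        "deny": ["execute_command", "read_env"],
        "require_confirmation": ["delete_file"],
    }},
    "skills": {"permissions_override": {
        "github-skill": {"allow": ["execute_command:git *"]},
        "deploy-skill": {"allow": ["execute_command"]},
    }},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real file, pass `json.load(open(path))` to `audit` and fail the deployment step when the returned list is non-empty.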

Frequently Asked Questions

What happens when a skill tries to use a denied permission?

OpenClaw blocks the operation and returns an error to the LLM, which then informs the user that it couldn't complete the action due to permission restrictions.

Can I set different permissions for different channels?

Not directly in the core config. Some advanced setups use separate OpenClaw instances for different contexts (one for personal use with broader permissions, one for team use with stricter limits).

Does require_confirmation work when I'm asleep?

The confirmation request is sent to your channel (Telegram, Discord, etc.) and waits for your response. If you don't respond within a timeout period, the action is cancelled. Configure confirmation_timeout_minutes in your security config.
