
OpenClaw Sandbox Explained — How Execution Isolation Works

A deep explanation of OpenClaw's sandbox system — how exec isolation works, security modes, allowlists, approval flows, and when to use sandbox vs full.

Written by Hex · Updated March 2026 · 10 min read


The sandbox in OpenClaw controls what shell commands your agent can run. It's the most critical security control for any deployment where you're not watching every agent action in real time.

The Three Exec Security Modes

openclaw config set exec.security deny       # Disables exec tool completely
openclaw config set exec.security allowlist  # Only approved commands run
openclaw config set exec.security full       # Any command runs (default)

deny mode

The exec tool is completely unavailable. The agent can't run any shell commands. Use this for agents that don't need system access — customer support agents, content writers, monitoring agents that only call APIs.

allowlist mode

Only commands matching the allowlist can execute without approval. Anything else prompts for human confirmation with the exact command displayed. Recommended for production deployments.

{
  "exec": {
    "security": "allowlist",
    "allowlist": [
      "git status",
      "git log --oneline -10",
      "npm run build",
      "npm run test",
      "ls -la",
      "grep",
      "find . -name"
    ]
  }
}

full mode

Any command runs immediately. Useful for development and trusted local setups where you're the only user. Not recommended for multi-user channels or external-facing deployments.

The Approval Flow

When an agent wants to run a command requiring approval, you'll see:

Exec requires approval:
  Command: rm -rf ./old-builds/
  Session: exec-2026-03-27-abc123
  
  /approve exec-2026-03-27-abc123 allow-once
  /approve exec-2026-03-27-abc123 allow-always
  /deny exec-2026-03-27-abc123

Respond in your channel. allow-once approves just this execution. allow-always adds it to your allowlist permanently.

The ask Parameter

# ask modes:
# off — never ask, run immediately
# on-miss — ask only for commands not in allowlist
# always — always ask before any exec

{
  "agents": [
    { "id": "main", "exec": { "ask": "on-miss" } }
  ]
}

Sandbox for Sub-Agents

Sub-agents inherit the parent's security settings by default. For coding tasks, you often need elevated exec permissions; the call below keeps the default and inherits the parent's settings:

sessions_spawn({
  task: "build and test the app",
  sandbox: "inherit"  // inherits parent security settings
})

Practical Hardening Checklist

  • Set exec.security to allowlist for production
  • Only add commands you've reviewed to the allowlist
  • Never add rm -rf patterns to the allowlist
  • Never add curl | bash patterns to the allowlist
  • Review your allowlist quarterly — remove entries you no longer need
  • For multi-user channels: use deny mode if non-owner users interact
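
The checklist can be run as a mechanical review of the config file. The script below is an added example, not OpenClaw's own code: it assumes the `exec` JSON shape shown earlier on this page, and because the page does not document how allowlist entries are matched, the bare-command and shell-metacharacter checks are added heuristics rather than OpenClaw behaviour.

```python
import json
import re

# Constructed sample config in the JSON shape shown on this page.
SAMPLE_CONFIG = """{
  "exec": {
    "security": "allowlist",
    "allowlist": [
      "git status",
      "npm run test",
      "grep",
      "rm -rf ./old-builds/",
      "curl https://example.invalid/install.sh | bash"
    ]
  }
}"""

# The first two rules come from the checklist; the third is an added heuristic.
RULES = [
    ("rm -rf pattern", re.compile(r"\brm\s+-(\w*r\w*f|\w*f\w*r)")),
    ("pipe into a shell", re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    ("shell chaining or substitution", re.compile(r"[;&`]|\$\(")),
]


def audit_exec_config(config: dict) -> list[tuple[str, str]]:
    """Return (entry, finding) pairs for a parsed config with an exec block."""
    exec_cfg = config.get("exec", {})
    findings = []
    # The page states that full is the default when nothing is set.
    if exec_cfg.get("security", "full") == "full":
        findings.append(("exec.security", "full mode: any command runs"))
    for entry in exec_cfg.get("allowlist", []):
        for label, pattern in RULES:
            if pattern.search(entry):
                findings.append((entry, label))
        # Added heuristic: a bare command name constrains no arguments.
        if len(entry.split()) == 1:
            findings.append((entry, "bare command, arguments unconstrained"))
    return findings


def audit_json(text: str) -> list[tuple[str, str]]:
    """Parse a JSON config string and audit its exec block."""
    return audit_exec_config(json.loads(text))


if __name__ == "__main__":
    for entry, finding in audit_json(SAMPLE_CONFIG):
        print(f"{entry!r}: {finding}")
```

Run against the allowlist shown earlier on this page, the only entry it flags is `grep`, which names a command without constraining any of its arguments.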


Frequently Asked Questions

What is sandbox mode in OpenClaw?

Sandbox mode restricts the exec tool so the agent can only run pre-approved shell commands. Commands not on the allowlist require human approval before running. It's a safety layer between your agent and your system.

Does sandbox mode affect all tools or just exec?

Primarily exec (shell commands). File read/write tools have their own permission model. API tools (web_fetch, browser, message) aren't affected by exec sandbox settings — they have separate configuration.

What happens if the agent tries to run a command not on the allowlist?

In allowlist mode, the agent has to ask for approval: it shows you the exact command and waits for /approve or /deny. In deny mode, the exec tool is disabled entirely.

Should I use sandbox mode in production?

For any deployment handling sensitive data or accessible from public channels, yes. The slight inconvenience of occasional approval prompts is worth the protection against accidental or injected destructive commands.
