#[Bug/Help] Node host on NixOS rejects exec despite allowlist (SYSTEM_RUN_DENIED)

orchid spire

What I'm trying to do:
Run a remote node host on my NixOS PC and execute commands from my Raspberry Pi Gateway. I want to allow commands without interactive prompts.

Environment:
Gateway: Raspberry Pi, OpenClaw 2026.1.30, Tailscale (serving HTTPS)
Node: NixOS PC, OpenClaw 2026.1.30, Node v22.x (via nix shell with nodejs_latest)
Connection: Node connects via wss://<tailscale-url> (using Tailscale Serve)

What happened:
The node connects and pairs successfully (openclaw nodes status confirms connected: true).
However, executing any command (uname -a) fails with SYSTEM_RUN_DENIED.

Default behavior: error: SYSTEM_RUN_DENIED: approval required

Issue: No interactive prompt appears on the Node host terminal (using npx openclaw node run ...).
lastUsedAt in exec-approvals.json updates, proving the match logic runs, but it still demands approval.

With explicit allowlist: Even with "" allowlisted for agent "" in ~/.openclaw/exec-approvals.json, it still demands approval.

With ask: "off": I manually edited exec-approvals.json to set defaults: { "ask": "off", "security": "allowlist" }.

Result: error: SYSTEM_RUN_DENIED: allowlist miss
Even with pattern: "*" present, it claims a miss.

What I ran:
Node command on NixOS:

OPENCLAW_GATEWAY_TOKEN=<token> npx openclaw node run \
  --host <tailscale-ip> --port 18789 --display-name "NixPC"

Config (~/.openclaw/exec-approvals.json on Node):

{
  "defaults": { "ask": "off" },
  "agents": {
    "": {
      "allowlist": [ { "pattern": "*" }, { "pattern": "uname -a" } ]
    }
  }
}

Gateway execution attempt:

exec("uname -a", host="node", node="NixPC")

Logs (Gateway):

Exec denied (node=... approval-required): uname -a

or with security=allowlist:

Exec denied (node=... allowlist-miss): uname -a

orchid spire

Suspected Issue:
The node host execution policy seems to ignore the allowlist or ask: off settings, or fails to present the approval prompt in the npx environment. Is there a way to force a "trust-all" mode via env var or correct the defaults schema?