#Multi Agent https://github.com/FoundationAgents/MetaGPT

Is anyone know this repo?

Yeah — that’s MetaGPT (now under FoundationAgents/MetaGPT): an open-source multi-agent framework that assigns “roles” (PM / architect / engineer / QA, etc.) to LLMs and runs them as a coordinated team to turn a one-line requirement into specs + docs + code (“AI software company” vibe). Repo is MIT licensed.

Quick pointers:

• What it does: generates user stories/reqs, designs, APIs, and can scaffold a code repo from a prompt.
• How people use it: pip install -U metagpt, then metagpt --init-config to create ~/.metagpt/config2.yaml and set your LLM provider key/base URL.
• Gotchas: it’s powerful but can be token-hungry and results vary a lot with prompts/config; also they recommend Python 3.9–3.11, and some parts expect Node + pnpm.

Repo: https://github.com/FoundationAgents/MetaGPT

What are you trying to do with it (codegen for a project, research/agent workflows, comparing to other agent frameworks)?

how to config openclaw to interact with this repo -> i connected openclaw with telegram, i wanna send a request in telegram ("fix bug in path/to/folder") -> openclaw understand and interact with MetaGPT

OpenClaw doesn’t have a “native MetaGPT integration” toggle — the way you make this work is: OpenClaw receives the Telegram message → runs MetaGPT on a machine that has the repo (via exec) → sends the result back to Telegram.

That means you need (A) filesystem access to the repo and (B) permission to run the metagpt CLI.

0) Two quick questions (so the right setup)

1. What’s your OpenClaw version? openclaw --version
2. Where does the repo live?

• same machine as the Gateway, or
• on your laptop while the Gateway is on a VPS?

Those decide whether you use gateway exec or a node host.

1) Make sure the repo is accessible where MetaGPT will run

If the repo is on the Gateway machine

Easy: just run MetaGPT on the gateway host in that repo directory.

If the repo is on your laptop but Gateway is remote (common w/ Telegram)

Run a node host on the laptop and tell OpenClaw exec to target it:

• Nodes overview: https://docs.openclaw.ai/nodes
• Node host quickstart is basically openclaw node run ... (then approve the device)

Then in OpenClaw you can set exec defaults to node (docs show exact keys):

• tools.exec.host = node
• tools.exec.node = "<id-or-name>"
  Source: https://docs.openclaw.ai/nodes (see “Remote node host (system.run)”)

2) Install MetaGPT where you will execute

MetaGPT is Python; install it on the gateway host or the node host machine.

Important detail: if you install it in a venv, the metagpt binary may not be on the Gateway service PATH. Either:

• install so metagpt is in a standard path, or

• prepend the venv bin dir via tools.exec.pathPrepend
  Source: https://docs.openclaw.ai/tools/exec (PATH handling + tools.exec.pathPrepend)

3) Allow OpenClaw to run metagpt safely (exec approvals)

Don’t run with “full access” first. Use allowlist so only MetaGPT can execute.

• Exec approvals doc: https://docs.openclaw.ai/tools/exec-approvals
• CLI helpers: https://docs.openclaw.ai/cli/approvals

Example (allowlist MetaGPT on the gateway host):

openclaw approvals allowlist add "/full/path/to/metagpt"
openclaw approvals get

If you’re running it on a node host:

openclaw approvals allowlist add --node <id|name|ip> "/full/path/to/metagpt"

4) Teach OpenClaw when/how to call MetaGPT (a simple skill)

Create a small workspace skill that tells the agent “when user asks to use MetaGPT, run it via exec in the repo and then summarize the diff”.

Skill basics: https://docs.openclaw.ai/tools/skills and https://docs.openclaw.ai/tools/creating-skills

Minimal SKILL.md idea (you can tweak later):

• require metagpt binary
• instructions: run MetaGPT, then run git status / git diff and report back

(Exact MetaGPT flags vary by MetaGPT version, so in the skill I’d explicitly tell the agent to run metagpt --help once and then choose the right “existing project path” option.)

Reality check (so you don’t waste time)

MetaGPT is often strongest at generating projects/SOP flows; “fix a bug in an existing repo” can work, but depends on their current CLI/features. If your goal is simply “fix bug in path/to/folder”, OpenClaw can also do that directly without nesting another agent framework.

Reply with:

• openclaw --version
• where your repo is (gateway vs laptop)
• and what OS the repo machine is on (Linux/macOS/Windows)

…and I’ll suggest the cleanest exact config + skill layout for your setup.

I cloned metagpt and test it in python

Nice — if you can already import/run MetaGPT from Python, you’re 80% there. For OpenClaw integration the missing piece is usually just: can OpenClaw’s exec run the MetaGPT CLI (metagpt) on the same machine that has the repo (gateway host or a node host), and is it allowlisted.

Next steps (concrete)

1) Make sure you have a metagpt CLI entrypoint

In your MetaGPT clone:

# inside the metagpt repo
python -m venv .venv
source .venv/bin/activate
pip install -U pip
pip install -e .

which metagpt
metagpt --help | head

If which metagpt doesn’t show a real path, OpenClaw won’t be able to call it reliably.

2) Decide where it runs (gateway vs node)

• If your OpenClaw Gateway runs on the same machine as your code + MetaGPT → easiest.
• If your Gateway is on a VPS but MetaGPT + repo are on your laptop → run a node host on the laptop and set exec to host=node (docs: https://docs.openclaw.ai/nodes).

3) Allowlist MetaGPT for exec (recommended)

Add the resolved metagpt binary path to exec approvals allowlist:

Gateway host:

openclaw approvals allowlist add "/full/path/from/which/metagpt"

Node host:

openclaw approvals allowlist add --node <id|name|ip> "/full/path/from/which/metagpt"

Docs: https://docs.openclaw.ai/tools/exec-approvals + https://docs.openclaw.ai/cli/approvals

4) Create a tiny skill so the agent knows what to do

Create a workspace skill that says “when user asks to use MetaGPT, run metagpt in repo root, then summarize changes”.

Docs: https://docs.openclaw.ai/tools/creating-skills and https://docs.openclaw.ai/tools/skills

(Important: I’d have the skill tell the agent to run metagpt --help once and then use the correct “existing project path” flag for your MetaGPT version, because the exact flag names vary across releases.)

Quick info I need from you to give the exact config/skill snippet

Paste:

1. openclaw --version
2. which metagpt
3. Where is your OpenClaw Gateway running (same machine as MetaGPT repo, or remote VPS)?

Then I’ll tell you the cleanest setup (gateway exec vs node exec) and a minimal SKILL.md tailored to it.

i use conda, conda activate metagpt

Conda is fine — the key is that OpenClaw can’t “conda activate …” (that’s a shell function), so you need to make the actual metagpt executable path visible to exec.

Do this on the machine where MetaGPT will run (gateway or node)

1. Activate + verify the CLI exists:

conda activate metagpt
which metagpt
metagpt --help | head

2. Get the conda base (so we can build a stable absolute path):

conda info --base

Typically your MetaGPT binary will be here:

<conda_base>/envs/metagpt/bin/metagpt

Then pick ONE of these integration styles

Option A (most reliable): allowlist the full path and call it by absolute path

Add that exact path to exec approvals allowlist, then in your OpenClaw skill/tool call use the full path.

Docs: https://docs.openclaw.ai/tools/exec-approvals

Option B (nice UX): add the conda env bin/ to tools.exec.pathPrepend

So the agent can just run metagpt ... without hardcoding paths.

Config key (docs): https://docs.openclaw.ai/tools/exec (tools.exec.pathPrepend)

Example (replace with your real path):

{
  tools: {
    exec: {
      pathPrepend: ["/home/you/miniconda3/envs/metagpt/bin"],
    },
  },
}

Paste these two outputs and I’ll tell you the exact allowlist entry + config line

• conda info --base
• which metagpt

Also: is your OpenClaw Gateway running on the same machine as this conda env, or remote (VPS)? That decides gateway vs node host.

metagpt in window, openclaw wsl 🙂

so i must install openclaw in window ?

Got it — MetaGPT on Windows + OpenClaw Gateway in WSL is exactly the case where you want a Windows node host.

Why

OpenClaw can only exec on:

• the gateway host (your WSL distro), or
• a node host (Windows/Linux/macOS machine you connect)

Since MetaGPT is installed in Windows, let OpenClaw run commands on Windows via a node.

Setup (WSL gateway → Windows node host)

1) Install OpenClaw on Windows (so you have openclaw node run)

Same OpenClaw version as your gateway is ideal.

2) Start the node host on Windows

In PowerShell (on Windows), set your gateway token + run:

$env:OPENCLAW_GATEWAY_TOKEN = "<your-gateway-token>"
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

(Windows → WSL usually reaches the WSL gateway via 127.0.0.1 thanks to WSL port forwarding. If it doesn’t connect, tell me and we’ll switch to the WSL IP / gateway.bind=lan.)

3) Approve the node on the gateway (in WSL)

openclaw devices list
openclaw devices approve <requestId>
openclaw nodes status

Docs: https://docs.openclaw.ai/nodes and https://docs.openclaw.ai/cli/node

4) Allowlist MetaGPT on the Windows node (important)

On Windows, get the real path:

where metagpt

Then from WSL (or anywhere with gateway access), allowlist it on that node:

openclaw approvals allowlist add --node win-metagpt "C:\\...\\metagpt.exe"

Docs: https://docs.openclaw.ai/tools/exec-approvals + https://docs.openclaw.ai/cli/approvals

5) Tell OpenClaw exec to target that node by default (optional but nice)

On the gateway (WSL):

openclaw config set tools.exec.host node

openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "win-metagpt"

Now any skill/tool call that uses exec will run on Windows.

One more important gotcha: paths

Your Telegram message like fix bug in path/to/folder needs to map to a Windows path (e.g. C:\repo\path\to\folder) if MetaGPT is running on the Windows node. So your skill/instructions should define what “repo root” is and how to translate paths.

If you paste:

• output of where metagpt
• where your target repo lives on Windows (full path)

…I can give you an exact allowlist entry + a minimal SKILL.md that runs MetaGPT in the right working directory and reports back the diff.

If you want OpenClaw (running in WSL) to run MetaGPT that’s installed in Windows, then yes — you need some OpenClaw on Windows so it can act as a node host (openclaw node run). Your gateway can stay in WSL; you’re not “moving” OpenClaw, just adding an execution node.

Option A (recommended for your setup): install OpenClaw CLI on Windows + run a node host

Windows install (docs): https://docs.openclaw.ai/install

PowerShell:

iwr -useb https://openclaw.ai/install.ps1 | iex

Then run the node host:

$env:OPENCLAW_GATEWAY_TOKEN = "<your token>"
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

Then approve it from WSL:

openclaw devices list
openclaw devices approve <requestId>

Option B: don’t install OpenClaw on Windows — instead install MetaGPT inside WSL

If you install MetaGPT in WSL (conda/venv inside WSL), then OpenClaw in WSL can call it directly and you can skip the Windows node host entirely.

If you tell me which option you prefer, I’ll give you the exact next commands (and how to grab the gateway token safely).

but all config in wsl, if install in window, i'll restart 😄

You won’t lose your WSL config, and you don’t need to restart the WSL gateway.

WSL OpenClaw = your Gateway + config (stays as-is).
Windows OpenClaw = just a separate “node host” binary that connects to the WSL gateway over WebSocket. It uses its own config folder on Windows (%USERPROFILE%\.openclaw) and doesn’t touch ~/.openclaw inside WSL.

If you want the minimal Windows install (no onboarding), use the installer’s NoOnboard mode:

& ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard

Then just run the node host (foreground, no services needed):

$env:OPENCLAW_GATEWAY_TOKEN = "<token from your WSL gateway>"
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

Approve it once from WSL (openclaw devices approve …) and you’re done.

If you want, paste your gateway status (openclaw gateway status from WSL) and I’ll tell you the cleanest way to grab the token + confirm the right host/port for Windows→WSL on your machine.

headless node

Yep — in your case “headless node” = headless node host.

It’s a lightweight OpenClaw process you run on Windows that:

• connects to your Gateway (running in WSL) over WebSocket
• exposes system.run / system.which so the agent can execute commands on Windows
• has no UI (that’s why it’s “headless”)
• is still gated by pairing + exec approvals allowlist

Docs: https://docs.openclaw.ai/cli/node

The two common ways to run it on Windows

Foreground (quick test):

$env:OPENCLAW_GATEWAY_TOKEN = "<token>"
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

Background service (set-and-forget):

openclaw node install --host 127.0.0.1 --port 18789 --display-name "win-metagpt"
openclaw node restart

Then approve pairing from WSL:

openclaw devices list
openclaw devices approve <requestId>

If you tell me whether you want “foreground” or “service”, I’ll give you the exact follow-up steps for allowlisting metagpt.exe and setting tools.exec.host=node on the gateway.

first step i must install openclaw in window, huh

If you want to keep MetaGPT on Windows and have OpenClaw (Gateway in WSL) execute it, then yes: first step is installing OpenClaw on Windows so you can run the headless node host (openclaw node run).

It’s a separate install from WSL and won’t touch your WSL config.

Minimal install (skip onboarding) in PowerShell:

& ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard

Then the next steps are:

1. openclaw node run ... on Windows
2. approve the node from WSL (openclaw devices approve ...)
3. allowlist metagpt.exe on that node (openclaw approvals allowlist add --node ...)
4. set tools.exec.host=node on the gateway

Alternative (no Windows OpenClaw install): install MetaGPT inside WSL instead.

how to get token

On the gateway host (your WSL instance), run:

openclaw config get gateway.auth.token

That printed value is your Gateway token. Copy it (don’t paste it into Discord), then on Windows PowerShell set it for the node host:

$env:OPENCLAW_GATEWAY_TOKEN = "<paste-token-here>"

Then you can run the node host.

If the token is empty / not set

Generate one on WSL:

openclaw doctor --generate-gateway-token
openclaw config get gateway.auth.token

Docs reference: https://docs.openclaw.ai/help/faq (Dashboard auth section)

If you want, paste only whether openclaw config get gateway.auth.token returns a value (yes/no) — but please don’t paste the token itself.

openclaw config get gateway.auth.token console dont display token, it's display __openclaw....

That __openclaw… output means your gateway.auth.token is SecretRef-managed (not stored as plaintext in openclaw.json). In that mode, openclaw config get … won’t print the raw token by design.

For your Windows node host, the simplest fix is to set a new known token (plaintext) on the WSL gateway, restart, then use that token on Windows.

On WSL (gateway machine)

1. Pick a new token (example):

python3 - <<'PY'
import secrets
print(secrets.token_hex(32))
PY

2. Set it + restart gateway:

openclaw config set gateway.auth.mode token

openclaw config set gateway.auth.token "<PASTE_TOKEN_HERE>"
openclaw gateway restart

3. Now this should print the real token:

openclaw config get gateway.auth.token

On Windows (PowerShell)

$env:OPENCLAW_GATEWAY_TOKEN = "<same token>"
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

Docs note (why it was hidden): https://docs.openclaw.ai/web/dashboard#token-basics-local-vs-remote

And please don’t paste the token in this thread—treat it like a password.

:OPENCLAW_GATEWAY_TOKEN: command not found

OPENCLAW_GATEWAY_TOKEN is an environment variable, not a command — so :OPENCLAW_GATEWAY_TOKEN: will always fail.

Use the right syntax for your shell:

In WSL / Linux (bash/zsh)

export OPENCLAW_GATEWAY_TOKEN="<token>"
echo "$OPENCLAW_GATEWAY_TOKEN"

In Windows PowerShell

$env:OPENCLAW_GATEWAY_TOKEN = "<token>"
echo $env:OPENCLAW_GATEWAY_TOKEN

In Windows cmd.exe

set OPENCLAW_GATEWAY_TOKEN=<token>
echo %OPENCLAW_GATEWAY_TOKEN%

For your setup, you typically:

• set the token on the WSL gateway via openclaw config set gateway.auth.token "<token>" + openclaw gateway restart
• then set $env:OPENCLAW_GATEWAY_TOKEN=... on Windows PowerShell right before running openclaw node run ...

Which terminal did you run that in (WSL bash, PowerShell, or cmd)?

openclaw nodes status
Known: 1 · Paired: 1 · Connected: 1

Perfect — that means the Windows headless node host is connected and paired. That’s the hard part.

Next steps are:

1) Get the node id/name

Run (on WSL) and paste the output (it should show the node name/id):

openclaw nodes status

2) Allowlist MetaGPT on that Windows node

On Windows, get the MetaGPT executable path:

where metagpt

Then on WSL, allowlist that path for the node (replace placeholders):

openclaw approvals allowlist add --node <node-id-or-name> "C:\\...\\metagpt.exe"
openclaw approvals get --node <node-id-or-name>

3) (Optional but recommended) Make exec default to that node

openclaw config set tools.exec.host node
openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "<node-id-or-name>"

4) Quick test

From Telegram, ask OpenClaw to run:

• metagpt --help (or metagpt "<tiny task>")

If you paste:

• the full openclaw nodes status output (with the node name/id)
• and the where metagpt output

…I’ll give you the exact openclaw approvals allowlist add ... line with correct quoting.

node host PATH: C:\Users\Administrator.bun\bin;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Program Files\Python312\Scripts;C:\Program Files\Python312;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Windows\System32\OpenSSH;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\Binn;C:\Program Files\Microsoft SQL Server\160\Tools\Binn;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn;C:\Program Files\Microsoft SQL Server\160\DTS\Binn;C:\Program Files (x86)\Microsoft SQL Server\160\DTS\Binn;D:\XAMPP\php;D:\XAMPP\Composer;C:\Program Files\Python312\Scripts\jupyter-lab.exe;D:\NodeJS;D:\Git\Git\cmd;C:\Program Files\dotnet;D:\Download\php-8.3.19-Win32-vs16-x64;C:\composer;D:\MSYS2\ucrt64\bin;D:\SDK\platform-tools;D:\SDK\emulator;D:\JAVA\java\bin;C:\Program Files\Cloudflare\Cloudflare WARP;C:\Program Files\Java\jdk-21\bin;D:\Document\MATLAB\bin;D:\Document\Postgresql\bin;C:\Users\Administrator\AppData\Local\Pandoc;D:\Document\TagUI_Windows\tagui\src;D:\hadoop-3.3.0\hadoop-3.3.0\sbin;D:\hadoop-3.3.0\hadoop-3.3.0\bin;D:\Tesseract;D:\Tesseract\tessdata;D:\Libre\program;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;E:\VSCode\Microsoft VS Code\bin;C:\Users\Administrator\AppData\Local\Programs\Ollama;D:\DataGrip\bin;C:\Strawberry\perl\bin;C:\Users\Administrator\AppData\Roaming\Composer\vendor\bin;D:\VSCode\Microsoft VS Code\bin;C:\Users\Administrator.lmstudio\bin;C:\Users\Administrator\AppData\Roaming\npm;C:\Users\Administrator\AppData\Local\Microsoft\WinGet\Links;C:\Users\Administrator.dotnet\tools;D:\Antig

it's done, huh

Node connection is done (nice), but MetaGPT is not wired yet.

The PATH you pasted doesn’t include your conda env (no ...\conda...\envs\metagpt\Scripts), so on that node host a plain metagpt command will not be found.

You’ve got two clean options:

Option A (quickest): start the node host from an activated conda prompt

On Windows:

1. Open Anaconda Prompt (or any shell where conda works)
2. Run:

conda activate metagpt
where metagpt
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

Now the node host will inherit the conda PATH, and metagpt will be discoverable.

Option B (most robust): call metagpt.exe by full path (no PATH needed)

On Windows (after conda activate metagpt), run:

where metagpt

It will print something like:
C:\...\envs\metagpt\Scripts\metagpt.exe

Then allowlist that exact path for the node:

openclaw approvals allowlist add --node win-metagpt "C:\\...\\envs\\metagpt\\Scripts\\metagpt.exe"

And you can test it from WSL without Telegram:

openclaw nodes run --node win-metagpt "C:\\...\\metagpt.exe" --help

If you paste:

• your openclaw nodes status output (so I know the exact node name/id)
• and the output of where metagpt

…I’ll give you the exact allowlist + test commands with correct Windows quoting.

First: you just pasted your gateway token in a public thread. Rotate it now. Treat it like a password.

1) Rotate the token (WSL gateway)

On WSL:

python3 - <<'PY'
import secrets
print(secrets.token_hex(32))
PY

Copy that new value, then set it + restart:

openclaw config set gateway.auth.token "<NEW_TOKEN>"

openclaw gateway restart

Then update the Windows node host env ($env:OPENCLAW_GATEWAY_TOKEN=...) and reconnect.

2) “Agent doesn’t know metagpt” — what’s actually failing?

There are 3 common causes:

A) metagpt isn’t on the Windows node host PATH (most likely)
Your node host PATH you posted earlier did not include the conda env scripts dir, so metagpt won’t resolve.

Fix: start the Windows node host from an activated conda prompt:

conda activate metagpt
where metagpt
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

B) MetaGPT isn’t allowlisted for that node
You must allowlist the resolved metagpt.exe path:

openclaw approvals allowlist add --node win-metagpt "C:\\...\\envs\\metagpt\\Scripts\\metagpt.exe"

C) Your Telegram session is still executing exec on the gateway (WSL), not the node
Set defaults (WSL):

openclaw config set tools.exec.host node

openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "win-metagpt"

Then start a new Telegram session (/new) so it picks up changes.

Quick sanity test (from WSL, no Telegram needed)

Once the node is connected:

openclaw nodes run --node win-metagpt --raw "where metagpt"

If that returns nothing, the node host still doesn’t see your conda env.

If you paste:

• openclaw nodes status (showing the node name/id)
• result of openclaw nodes run --raw "where metagpt"

…I’ll tell you exactly which of A/B/C you’re hitting.

│
◇
│
◇
│
◇
│
◇
│
◒ Nodes exec.approval.request.

That output means you just hit exec approvals:

Nodes exec.approval.request = “the gateway asked the Windows node to run a command, but the node host requires an approval/allowlist match first”.

On a headless node host, there’s no pop-up UI to click “Allow”, so the practical fix is: add the executable to the node’s allowlist (or avoid the shell wrapper that triggers prompts).

What to do

1. Stop the pending run (Ctrl+C in the terminal where you ran openclaw nodes run).

2. Avoid --raw on Windows in allowlist mode for now.
   --raw uses cmd.exe /c ..., and that often triggers approval prompts.

3. Allowlist the exact binaries you want to run on the Windows node, e.g.:

• If you want to run where metagpt from the gateway, allowlist where.exe:

nodes run failed: Error: exec denied: approval required (approval UI not available)

nodes run failed: Error: exec denied: approval required (approval UI not available)

openclaw approvals allowlist add --node <your-node-name> "C:\\Windows\\System32\\where.exe"

• And (more importantly) allowlist MetaGPT itself (get the real path from Windows, typically inside your conda env):

openclaw approvals allowlist add --node <your-node-name> "C:\\...\\envs\\metagpt\\Scripts\\metagpt.exe"

4. Re-test without --raw, running the binary directly:

openclaw nodes run --node <your-node-name> "C:\\Windows\\System32\\where.exe" metagpt
# and then:
openclaw nodes run --node <your-node-name> "C:\\...\\metagpt.exe" --help

If you paste your node name/id (openclaw nodes status output) and the Windows where metagpt result (path only, no secrets), I’ll give you the exact allowlist commands tailored to your paths.

That error is the expected behavior for a headless node host:

• Your node is configured to require exec approvals
• A command hit an allowlist miss
• The node tried to prompt for approval, but there is no approval UI on a headless node
• So it fails closed: exec denied: approval required (approval UI not available)

Fix: add an allowlist entry on the node host

Do this from WSL (gateway), targeting the node:

1. Get the node id/name:

openclaw nodes status --connected

2. On Windows, find the exact MetaGPT path:

conda activate metagpt
where metagpt

3. Back on WSL, allowlist that exact exe on the node:

openclaw approvals allowlist add --node <node-id-or-name> 'C:\...\envs\metagpt\Scripts\metagpt.exe'
openclaw approvals get --node <node-id-or-name>

4. Re-run using the binary directly (avoid --raw):

openclaw nodes run --node <node-id-or-name> 'C:\...\metagpt.exe' --help

Notes

• Don’t use --raw until things work — on Windows it wraps via cmd.exe /c ..., which tends to trigger extra approvals.
• If you do want --raw, you’ll also need to allowlist C:\Windows\System32\cmd.exe (not recommended unless you really need it).

Paste:

• openclaw nodes status --connected output (so I know the node name)
• your where metagpt output (path only)

…and I’ll format the exact allowlist + test commands for your setup.

That error will keep happening until the Windows node host allowlist matches the exact executable you’re trying to run.

A headless node has no approval UI, so any “prompt me to approve this” path = auto-deny.

Do this as a quick proof it works

1. Get your node name/id:

openclaw nodes status --connected

2. Allowlist a harmless built-in Windows exe on that node (where.exe):

openclaw approvals allowlist add --node <node-id-or-name> 'C:\Windows\System32\where.exe'
openclaw approvals get --node <node-id-or-name>

3. Run it (NO --raw, run the exe directly):

openclaw nodes run --node <node-id-or-name> 'C:\Windows\System32\where.exe' metagpt

• If this works, approvals are configured correctly and you just need to allowlist MetaGPT’s actual path (...\envs\metagpt\Scripts\metagpt.exe).
• If it still fails even after allowlisting where.exe, then your approvals policy is likely set to ask: always on the node (which can never succeed headlessly). In that case, paste the output of:

openclaw approvals get --node <node-id-or-name>

(redact anything secret-looking) and I’ll tell you exactly what field to change.

Also: make sure you’re using --node ... on the approvals allowlist add command — editing the gateway allowlist won’t affect the node.

"contextWindow": 16000,

i modify in vscode but it's overrided 16000

what about create .bat script to exec conda activate and metagpt

contextWindow getting “overridden back to 16000” usually means you’re editing the wrong file (a generated model catalog), not the real config.

OpenClaw can build/refresh a per‑agent catalog at:

• ~/.openclaw/agents/<agentId>/agent/models.json

That file is managed and can be regenerated, so manual edits in VS Code can get overwritten.

Fix: set it in openclaw.json instead

1. Find the real config file:

openclaw config file

2. Put your contextWindow override under:

{
  models: {
    mode: "merge", // usually
    providers: {
      <providerId>: {
        models: [
          { id: "<model-id>", contextWindow: 128000, maxTokens: 8192 },
        ],
      },
    },
  },
}

Docs (local model examples show the exact place): https://docs.openclaw.ai/gateway/local-models

Quick question

Which file are you editing right now — ~/.openclaw/openclaw.json or ~/.openclaw/agents/.../agent/models.json? If you paste the file path (not the contents), I’ll tell you exactly where that contextWindow belongs.

You can make a .bat, but it’s usually the worst path with OpenClaw exec approvals on a headless Windows node:

• .bat/.cmd files run via cmd.exe /c
• in allowlist mode that tends to trigger “approval required” (and headless nodes have no approval UI), so it gets denied
• plus conda activate is shell-stateful and flaky in non-interactive runs

Better options (recommended)

Option 1: Don’t activate conda at all — call MetaGPT’s conda shim exe directly

Conda envs typically have:

C:\...\envs\metagpt\Scripts\metagpt.exe

Allowlist that exact metagpt.exe, then run it directly (no --raw, no cmd.exe wrapper):

openclaw approvals allowlist add --node <node> 'C:\...\envs\metagpt\Scripts\metagpt.exe'
openclaw nodes run --node <node> 'C:\...\envs\metagpt\Scripts\metagpt.exe' --help

Option 2: Start the node host from a conda-activated prompt

If you run openclaw node run after conda activate metagpt, the node host inherits the PATH and metagpt is found normally.

If you really want a wrapper script

Make it a wrapper that calls the absolute metagpt.exe path (no conda activate). But you’ll still likely need to allowlist cmd.exe to run it, so I’d avoid it unless you’re okay loosening approvals.

If you paste the output of conda env list (or just the path to your metagpt env folder), I can give you the exact metagpt.exe path to allowlist.

how to check allowlist

Use the approvals CLI — it shows you the exec approvals + allowlist that the host (gateway or node) is actually using.

Check allowlist on the Windows node host

From WSL (gateway):

openclaw approvals get --node <node-id-or-name>

That prints the node’s ~/.openclaw/exec-approvals.json, including:

• defaults (security/ask/askFallback)
• agents.<agentId>.allowlist (the patterns)

Check allowlist on the gateway host

openclaw approvals get --gateway

# or (local host)
openclaw approvals get

On Windows directly (file location)

The file is here:

• %USERPROFILE%\.openclaw\exec-approvals.json

If you paste your openclaw nodes status --connected output, I can tell you the exact <node-id-or-name> to use.

if not connected

If the node isn’t connected, you generally can’t read its allowlist from the gateway, because the allowlist lives on the node host (~/.openclaw/exec-approvals.json) and openclaw approvals get --node ... needs the node online.

So:

If the node is offline

• Check it on the node machine itself:
  • Windows: %USERPROFILE%\.openclaw\exec-approvals.json
  • macOS/Linux: ~/.openclaw/exec-approvals.json

To confirm connectivity from the gateway

openclaw nodes status
openclaw nodes status --connected

Gateway host allowlist is always readable (even if nodes are offline)

openclaw approvals get --gateway
# or just:
openclaw approvals get

If you tell me what OS your node host is on (Windows/macOS/Linux) I can give you the exact path + quickest way to bring it back online.

gateway wsl
node host window

Showing local approvals.

Approvals
┌───────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Field │ Value │
├───────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Target │ local │
│ Path │ ~/.openclaw/exec-approvals.json │
│ Exists │ yes │
│ Hash │ 07713f53514646a0fc154d8383e981f9b3d4a78b57f379a369008ff9d8fe0542 │
│ Version │ 1 │
│ Socket │ ~/.openclaw/exec-approvals.sock │
│ Defaults │ none │
│ Agents │ 0 │
│ Allowlist │ 0 │
└───────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────┘

No allowlist entries.

Cool — that’s the clean split.

When the Windows node host is connected

From WSL (gateway) you can read it directly:

openclaw approvals get --node <node-id-or-name>

When the Windows node host is NOT connected

You can’t fetch its allowlist from WSL. Check it on Windows:

PowerShell (on the node host):

openclaw approvals get

or open the file directly:

• C:\Users\<YourUser>\.openclaw\exec-approvals.json

(That file contains the agents.*.allowlist entries.)

If you paste your node name from openclaw nodes status, I can give you the exact WSL command line with <node-id-or-name> filled in.

Good — that explains the denials. Right now your node host has zero allowlist entries, so every exec request is an “allowlist miss”, and because there’s no approval UI, it gets denied.

Add MetaGPT to the allowlist (on the Windows node host)

1. In Windows PowerShell, activate your conda env and get the exact exe path:

conda activate metagpt
where metagpt

2. Then allowlist that path (copy/paste the full path that where prints):

openclaw approvals allowlist add "C:\...\envs\metagpt\Scripts\metagpt.exe"

(Optional) also allowlist where.exe for debugging:

openclaw approvals allowlist add "C:\Windows\System32\where.exe"

3. Confirm it’s there:

openclaw approvals get

After that, retry from WSL:

openclaw nodes run --node <node-name> 'C:\...\metagpt.exe' --help

If it still says “approval required”, tell me where you ran openclaw approvals get (WSL or Windows). If that table was from WSL, you were looking at the gateway approvals, not the node’s.

7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341b
node id

Nice — with that node id you can manage the node allowlist directly from WSL.

1) Check the node’s current allowlist (from WSL)

openclaw approvals get --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341b

2) Add MetaGPT to the node allowlist

First, on Windows (in your conda env) get the exact path:

conda activate metagpt
where metagpt

Then on WSL, allowlist that path for the node:

openclaw approvals allowlist add --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341b 'C:\...\envs\metagpt\Scripts\metagpt.exe'

3) Test it (no --raw)

openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341b 'C:\...\metagpt.exe' --help

If you paste the output of where metagpt, I’ll rewrite the exact allowlist + test command with the correct full Windows path.

if i restart my pc, i must reconnect (wsl, headless in window), pls tell me steps by steps

After a PC restart you usually don’t need to re‑pair — you just need to start the WSL gateway and the Windows headless node host again (with the same token). Here’s the clean step‑by‑step.

A) Start the Gateway (WSL)

1. Open WSL terminal
2. Check gateway:

openclaw gateway status

3. If it’s not running:

openclaw gateway start

(or openclaw gateway restart)

4. (Optional) confirm the gateway is reachable:

openclaw status

B) Start the headless node host (Windows)

1. Open PowerShell on Windows
2. Make sure the node host has the gateway token available (pick ONE):

Option 1 (temporary, this terminal only):

$env:OPENCLAW_GATEWAY_TOKEN = "<your token>"

Option 2 (persist in Windows OpenClaw config so you don’t have to set env each time):

openclaw config set gateway.auth.token "<your token>"

3. Start the node host:

If you run it manually (foreground):

openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

If you installed it as a service earlier:

openclaw node status
openclaw node restart

C) Verify it reconnected (WSL)

Back in WSL:

openclaw nodes status --connected

If it shows “pending pairing” again (rare)

Approve it:

openclaw devices list
openclaw devices approve <requestId>

D) Exec allowlist

Your Windows allowlist lives on the node host in:
%USERPROFILE%\.openclaw\exec-approvals.json

It should persist across restarts (no extra steps unless you changed Windows user / deleted the file).

Two quick questions so I can tailor this to your exact setup:

1. Did you run openclaw onboard --install-daemon in WSL (gateway as a service), or do you start it manually?
2. On Windows, did you use openclaw node install … (service) or do you run openclaw node run … each time?

gateway connect failed: Error: unauthorized: gateway token mismatch (provide gateway auth token)

though i ran openclaw config set gateway.auth.token "token" with my token and restart the gateway

That error almost always means the Windows node host is not using the same token as the WSL gateway (or it’s connecting to the “wrong” gateway on localhost).

Key point: WSL config ≠ Windows config.
Changing gateway.auth.token in WSL does not update what the Windows node host uses.

Fix checklist (do in this order)

1) Confirm the WSL gateway is running

In WSL:

openclaw gateway status

2) Make sure Windows is not running its own gateway on the same port

In Windows PowerShell:

openclaw gateway status

If Windows shows a gateway running, stop it (otherwise your node host may be talking to the Windows gateway on 127.0.0.1:18789):

openclaw gateway stop

3) Set the token on Windows (for the node host)

Pick ONE:

A) For a one-off run (terminal only):

$env:OPENCLAW_GATEWAY_TOKEN = "<same token as WSL gateway>"
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

B) For persistence (recommended):

openclaw config set gateway.auth.token "<same token as WSL gateway>"
openclaw node restart   # if you installed it as a service
# or run `openclaw node run ...` if you run it manually

4) Re-check from WSL

openclaw nodes status --connected

If it still fails after (2), paste the outputs of:

• openclaw gateway status (WSL)
• openclaw gateway status (Windows)

Don’t paste the token itself.

PS C:\Users\Administrator> openclaw gateway status

🦞 OpenClaw 2026.3.8 (3caab92) — I read logs so you can keep pretending you don't have to.

|
gateway connect failed: Error: unauthorized: gateway token mismatch (set gateway.remote.token to match gateway.auth.token)
o
Service: Scheduled Task (missing)
File logs: C:\Users\ADMINI~1\AppData\Local\Temp\openclaw\openclaw-2026-03-10.log

Config (cli): ~.openclaw\openclaw.json
Config (service): ~.openclaw\openclaw.json

Gateway: bind=loopback (127.0.0.1), port=18789 (env/config)
Probe target: ws://127.0.0.1:18789
Dashboard: http://127.0.0.1:18789/
Probe note: Loopback-only gateway; only local clients can connect.

Runtime: stopped (ERROR: The system cannot find the file specified.)
RPC probe: failed
RPC target: ws://127.0.0.1:18789
gateway closed (1008): unauthorized: gateway token mismatch (set gateway.remote.token to match gateway.auth.token)
Gateway target: ws://127.0.0.1:18789
Source: cli --url
Config: C:\Users\Administrator.openclaw\openclaw.json

Service unit not found.
Service not installed. Run: openclaw gateway install
File logs: C:\Users\ADMINI~1\AppData\Local\Temp\openclaw\openclaw-2026-03-10.log
Port 18789 is already in use.

• pid 13632: --mode 2 --vm-id {d661c2ec-aa01-4da6-9fe7-bc77eac71e96} --handle 2108 (127.0.0.1:18789)
• Another process is listening on this port.
  Listening: 127.0.0.1:18789
  Troubles: run openclaw status
  Troubleshooting: https://docs.openclaw.ai/troubleshooting

log in powershell

That log is actually super helpful. A few key takeaways:

• Windows is NOT running a gateway (Service not installed, Runtime: stopped) — good.
• Port 18789 is in use by a --vm-id ... process. That’s the WSL2 port forward, so Windows ws://127.0.0.1:18789 is reaching the WSL gateway.
• The failure is purely auth: Windows is sending a token that doesn’t match what the WSL gateway expects.

What to do

1) On WSL: confirm the gateway token you want to use (don’t paste it)

openclaw config get gateway.auth.token
openclaw gateway restart

2) On Windows: set the client token to match (recommended)

Since Windows is acting as a client, set gateway.remote.token (or use env var):

Option A (quick, per terminal):

$env:OPENCLAW_GATEWAY_TOKEN = "<same token as WSL gateway.auth.token>"

Option B (persist in Windows config):

openclaw config set gateway.remote.token "<same token as WSL gateway.auth.token>"

Now retry:

openclaw gateway status

(it should be able to probe the WSL gateway now)

3) Then start/restart the Windows node host

openclaw node restart
# or: openclaw node run --host 127.0.0.1 --port 18789 ...

Common gotcha

If you run the node host as a service, setting $env:OPENCLAW_GATEWAY_TOKEN=... in your PowerShell won’t affect the service. In that case, using gateway.remote.token in the Windows config is the easiest.

If you paste (redacting tokens):

• openclaw config get gateway.remote.token on Windows
• openclaw config get gateway.auth.token on WSL but replace the token with <redacted>
  …I can tell you exactly which side is still out of sync.

OPENCLAW_REDACTED is alias?

No — __OPENCLAW_REDACTED__ is not an alias/token you can use.

It’s a redaction sentinel OpenClaw prints in place of sensitive values (tokens, API keys, passwords) so they don’t leak into logs/CLI output/UI snapshots.

Important behavior:

• It just means “there is a value here, but we’re hiding it”.
• You cannot authenticate with it.
• If you see it in the Web UI / config snapshots, OpenClaw treats it specially so saving the config doesn’t overwrite your real secret.

So for your node host auth, you still need to set the real gateway token via:

• Windows env: $env:OPENCLAW_GATEWAY_TOKEN="…" (or persistent env/config), and
• WSL gateway config: gateway.auth.token="…".

If you’re stuck because you can’t see the token: the simplest path is to set a new token you choose on the WSL gateway, restart, then set the same token on Windows.

i can get token in openclaw.json

Good — if you can read the token from openclaw.json, you can fix the mismatch easily.

Two important notes first:

1. Don’t paste the token here.
2. You previously posted a token in this thread, so assume it’s compromised and rotate it (set a new one) before you rely on it.

Use the token to connect Windows → WSL

1) WSL (gateway)

Make sure the gateway is using the token from that file:

openclaw gateway restart

2) Windows (node host)

Set the same token for the node host (pick one):

Temporary (this PowerShell only):

$env:OPENCLAW_GATEWAY_TOKEN = "<token from WSL openclaw.json>"
openclaw node run --host 127.0.0.1 --port 18789 --display-name "win-metagpt"

Persistent (recommended):

openclaw config set gateway.remote.token "<token from WSL openclaw.json>"
openclaw node restart

Then verify from WSL:

openclaw nodes status --connected

If you want, tell me whether you’re running the Windows node host as a service (openclaw node install) or manually (openclaw node run) and I’ll give you the “survives reboot” setup with the least fiddling.

connected, next step

Nice — if the node is connected, the next steps are:

1) Make MetaGPT runnable on the Windows node (find the exact exe)

On Windows PowerShell:

conda activate metagpt
where metagpt

Copy the full path it prints (it should end with ...\Scripts\metagpt.exe).

2) Allowlist that metagpt.exe on the node host (so exec won’t be denied)

Run on Windows (simplest):

openclaw approvals allowlist add "C:\...\envs\metagpt\Scripts\metagpt.exe"
openclaw approvals get

(Or from WSL you can do the same with --node <id>.)

3) Test from WSL (no Telegram yet)

openclaw nodes run --node <your-node-id> 'C:\...\metagpt.exe' --help

If that works, approvals + PATH are good.

4) Point OpenClaw exec to the node by default (so Telegram runs on Windows)

On WSL:

openclaw config set tools.exec.host node
openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "<your-node-id-or-name>"

Then start a fresh Telegram session (/new) so the session picks up the new defaults.

5) (Optional but recommended) Add a small “metagpt” skill

So the agent consistently uses MetaGPT when you say “use metagpt to…”.

If you paste the output of where metagpt (path only) and your node id/name, I’ll give you the exact allowlist + the exact nodes run test command with correct quoting.

conda : The term 'conda' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1

• conda activate metagpt

•   + CategoryInfo          : ObjectNotFound: (conda:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
  
  

i use conda activate metagpt in cmd

Yep, that’s normal: conda is set up for cmd.exe (Anaconda Prompt), not PowerShell, unless you explicitly conda init powershell.

Easiest path (no PowerShell conda needed)

1. Open Anaconda Prompt (or plain cmd where conda works)

2. Run:

conda activate metagpt
where metagpt

That where metagpt output is the full path you need (usually ...\envs\metagpt\Scripts\metagpt.exe).

3. Now (in PowerShell or from WSL) allowlist that exe path and run it directly — no conda activation required:

openclaw approvals allowlist add "C:\...\envs\metagpt\Scripts\metagpt.exe"

Then test from WSL:

openclaw nodes run --node <node-id> 'C:\...\metagpt.exe' --help

If you really want conda in PowerShell

Run this once in Anaconda Prompt:

conda init powershell

Then open a new PowerShell and conda activate metagpt should work there too.

If you paste the exact where metagpt line, I’ll format the allowlist + nodes run command with the correct quoting for your path.

PS C:\Users\Administrator> openclaw approvals allowlist add "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe"

🦞 OpenClaw 2026.3.8 (3caab92) — Type the command with confidence—nature will provide the stack trace if needed.

Writing local approvals.
Already allowlisted.

Perfect — that’s exactly what we needed. Now the next step is to prove the gateway can execute MetaGPT on the Windows node.

1) Test MetaGPT from WSL (gateway) via the node (no --raw)

In WSL:

openclaw nodes run --node <your-node-id> \
  'C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe' --help

If that prints the MetaGPT help, exec + allowlist are working end-to-end.

2) Make Telegram use the Windows node by default (optional, but recommended)

On WSL:

openclaw config set tools.exec.host node
openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "<your-node-id-or-name>"

Then in Telegram do /new so the session picks up the new defaults.

3) After that

You can either:

• just tell OpenClaw in Telegram: “run metagpt …”, or
• add a small metagpt skill so it consistently routes those requests to MetaGPT.

If you paste your node id (or openclaw nodes status --connected output), I’ll give you the exact nodes run command with the id filled in.

PS C:\Users\Administrator> openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b023 'C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe' --help

🦞 OpenClaw 2026.3.8 (3caab92) — The only crab in your contacts you actually want to hear from. 🦞

Usage: openclaw nodes run [options] [command...]

Run a shell command on a node (mac only)

Arguments:
command Command and args

Options:
--agent <id> Agent id (default: configured default agent)
--ask <mode> Exec ask mode (off|on-miss|always)
--command-timeout <ms> Command timeout (ms)
--cwd <path> Working directory
--env <key=val> Environment override (repeatable)
-h, --help Display help for command
--invoke-timeout <ms> Node invoke timeout in ms (default 30000) (default: "30000")
--json Output JSON (default: false)
--needs-screen-recording Require screen recording permission
--node <idOrNameOrIp> Node id, name, or IP
--raw <command> Run a raw shell command string (sh -lc / cmd.exe /c)
--security <mode> Exec security mode (deny|allowlist|full)
--timeout <ms> Timeout in ms (default: "35000")
--token <token> Gateway token (if required)
--url <url> Gateway WebSocket URL (defaults to gateway.remote.url when configured)

You did hit the right command — it just didn’t execute because your final --help was parsed as OpenClaw’s --help, so it printed the CLI help instead of running MetaGPT.

Fix: add -- to mark “end of OpenClaw options; everything after this is the command”.

In PowerShell (Windows)

openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b023 -- `
  "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --help

In WSL (bash)

openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b023 -- \
  'C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe' --help

If that prints MetaGPT’s help text, you’re fully wired (node + allowlist + exec). Then the next step is making Telegram route exec to that node by default (tools.exec.host=node, tools.exec.node=<id>).

◇
nodes run failed: Error: exec denied: approval required (approval UI not available)

That error means the gateway still thinks the command needs an interactive approval, but your node host has no approval UI, so it fails closed.

At this point we need to distinguish (1) allowlist not actually applied on the node vs (2) your exec “ask” mode is forcing prompts.

Step 1: Check what the node really has allowlisted (from WSL)

Run this in WSL (gateway) and paste the table:

openclaw approvals get --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b023

Look for:

• Allowlist count > 0
• and that it’s the Windows approvals file (not the WSL one)

Step 2: Force “no prompt” just for this one run (diagnostic)

Run (from WSL or Windows) with --ask off and the -- separator:

openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b023 \
  --security allowlist --ask off -- \
  'C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe' --help

Outcomes:

• If it works, your defaults are probably ask=always somewhere → we’ll set them to on-miss.
• If it still fails, then the allowlist isn’t matching (or it’s editing a different user’s approvals file than the node host is using).

Paste the output of Step 1 and the exact error from Step 2 and we’ll zero in fast.

Target │ node:7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 │
│ Path │ C:\Users\Administrator/.openclaw/exec-approvals.json │
│ Exists │ yes │
│ Hash │ b0a8aa4c107d866e3d0a8ff1db1bd8af811fa691dcebf64c74c0673bd3627de1 │
│ Version │ 1 │
│ Socket │ C:\Users\Administrator/.openclaw/exec-approvals.sock │
│ Defaults │ none │
│ Agents │ 1 │
│ Allowlist │ 2

Target │ Agent │ Pattern │ Last Used │
├───────────────────────────────────────────────────────────────────────┼────────┼────────────────────────┼───────────┤
│ node:7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 │ * │ C:\ProgramData\minicon │ 6h ago │
│ │ │ da3\envs\metagpt\Scrip │ │
│ │ │ ts\metagpt.exe │ │
│ node:7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 │ * │ C:\Windows\System32\wh │ 5h ago │
│ │ │ ere.exe │

Great — your node allowlist is correct (MetaGPT + where.exe are both there). So the only reason you’d still see:

exec denied: approval required (approval UI not available)

is that the run is being executed with ask=always (i.e. it tries to prompt every time, even when allowlisted). A headless node can’t show that prompt, so it fails.

Quick fix (override on the command)

Run with an explicit ask mode:

openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 `
  --security allowlist --ask on-miss -- `
  "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --help

(You can also use --ask off since the command is allowlisted.)

Permanent fix (so Telegram/tool calls stop prompting)

Set tools.exec.ask to on-miss in the config that your gateway/agent uses (WSL gateway is the important one):

On WSL:

openclaw config get tools.exec.ask
openclaw config set tools.exec.ask on-miss
openclaw gateway restart

If you paste the output of openclaw config get tools.exec.ask (from WSL), I can confirm if that’s the culprit.

PS C:\Users\Administrator> "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --help

--security allowlist --ask on-miss -- openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5

At line:1 char:66

• "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --help

•                                                              ~~~~
  

Unexpected token 'help' in expression or statement.
At line:2 char:5

• --security allowlist --ask on-miss -- `

• ~
  

Missing expression after unary operator '--'.
At line:2 char:5

• --security allowlist --ask on-miss -- `

• ~~~~~~~~
  

Unexpected token 'security' in expression or statement.
At line:1 char:3

• "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --help

The '--' operator works only on variables or on properties.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken

PowerShell is complaining because you accidentally started the line with the quoted path ("C:\...\metagpt.exe" --help) — that makes PowerShell treat --help as its own operator (--), not as an argument to an external command.

Run it as one single command that starts with openclaw:

PowerShell (copy/paste as one line)

openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 --security allowlist --ask on-miss -- "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --help

Key points:

• openclaw ... must be first
• the -- is important (everything after it is the remote command + args)

If that still errors, paste the exact output and I’ll adjust for your shell, but that one-liner should work.

PS C:\Users\Administrator> openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 --security allowlist --ask on-miss -- "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --help

🦞 OpenClaw 2026.3.8 (3caab92) — We ship features faster than Apple ships calculator updates.

Usage: openclaw nodes run [options] [command...]

Run a shell command on a node (mac only)

Arguments:
command Command and args

Options:
--agent <id> Agent id (default: configured default agent)
--ask <mode> Exec ask mode (off|on-miss|always)
--command-timeout <ms> Command timeout (ms)
--cwd <path> Working directory
--env <key=val> Environment override (repeatable)
-h, --help Display help for command
--invoke-timeout <ms> Node invoke timeout in ms (default 30000) (default: "30000")
--json Output JSON (default: false)
--needs-screen-recording Require screen recording permission
--node <idOrNameOrIp> Node id, name, or IP
--raw <command> Run a raw shell command string (sh -lc / cmd.exe /c)
--security <mode> Exec security mode (deny|allowlist|full)
--timeout <ms> Timeout in ms (default: "35000")
--token <token> Gateway token (if required)
--url <url> Gateway WebSocket URL (defaults to gateway.remote.url when configured)

hmm

Nothing is “wrong” with your node — you just hit a CLI quirk:

openclaw nodes run will always treat --help as its own help flag (Commander.js intercepts it), even after --. So you can’t easily forward --help to MetaGPT with this CLI command.

Use one of these tests instead

Test 1: run MetaGPT with no args (should print MetaGPT usage/error)

openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 --security allowlist --ask on-miss -- "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe"

Test 2: try --version (usually supported, and not intercepted like --help)

openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 --security allowlist --ask on-miss -- "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --version

Important: this is only a CLI limitation

Once you route OpenClaw exec to the Windows node (Telegram agent → exec host=node), running metagpt --help will work normally, because that goes through the exec tool, not the CLI parser.

Run Test 1 or 2 and paste the output — then we’ll move to the Telegram “fix bug in …” flow.

PS C:\Users\Administrator> openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 --security allowlist --ask on-miss -- "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe"

🦞 OpenClaw 2026.3.8 (3caab92) — One CLI to rule them all, and one more restart because you changed the port.

|
gateway connect failed: Error: pairing required
o
|
gateway connect failed: Error: pairing required
o
nodes run failed: Error: gateway closed (1008): pairing required
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: C:\Users\Administrator.openclaw\openclaw.json
Bind: loopback

PS C:\Users\Administrator> openclaw nodes run --node 7f43113b86714fc202135f96946bb1328e7c7e9c65998ef67f093b02341bb4b5 --security allowlist --ask on-miss -- "C:\ProgramData\miniconda3\envs\metagpt\Scripts\metagpt.exe" --version
OpenClaw 2026.3.8 (3caab92)

log test 1 and test 2

That error is device pairing, not MetaGPT:

Your Windows CLI is connecting to the WSL gateway as a new operator device, and the gateway is saying: “you’re not approved yet”.

Fix (run on the gateway host = WSL)

In WSL:

openclaw devices list

You should see a pending request from the Windows machine/CLI. Approve it:

openclaw devices approve --latest
# or: openclaw devices approve <requestId>