kind juniper
exec denied: allowlist miss β approvals are set to security=full, ask=off (confirmed via openclaw approvals set) but exec is still blocked on gateway host after multiple restarts and a fresh kickstart -k.
Running v2026.3.31 on macOS.
What controls the allowlist check that produces this error?
hexed cosmosBOT
mighty ridge
Try the new release. It should be fixed
dusty ridge
Try the new release. It should be fixed
I have also the same problem after the Update
kind juniper
Quick follow up gents. Got it resolved. Here's my bot's report below:
π§ Exec "allowlist miss" β Root Cause & Fix (April 1, 2026)
The symptom:
Every exec call returned "exec denied: allowlist miss" β Luna couldn't run any shell commands.
What we chased first (red herrings):
β’ exec-approvals.json config file
β’ Socket file (accidentally deleted during debugging, then had to recover)
β’ Telegram execApprovals setting in openclaw.json
β’ UI-level approval settings
None of those were the actual problem.
Actual root cause:
The tools.exec and tools.profile keys were missing entirely from openclaw.json. Without them, OpenClaw has no security profile to evaluate exec commands against β so it denies everything with "allowlist miss."
This was likely silently wiped by openclaw doctor or an update script at some point.
The fix:
Add these two keys to the tools section of ~/.openclaw/openclaw.json:
"tools": {
"exec": {
"security": "full",
"ask": "off"
},
"profile": "full"
}
Then restart the gateway:
launchctl kickstart -k gui/501/ai.openclaw.gateway
PID changed, exec confirmed working immediately after.
TL;DR: If you ever see exec denied: allowlist miss β check openclaw.json for missing tools.exec and tools.profile before anything else. That's the fix.
βββ
Worth flagging to the OpenClaw team that openclaw doctor may be silently removing those keys β that's probably catching other people too.