#exec-approval.json suggested format for 1 agent full access
Yep, you can scope it to one agent in 2026.4.15.
You need to set it in both places, because effective exec policy is the stricter merge of:
- openclaw.json (tools.exec.* / per-agent agents.list[].tools.exec.*)
- ~/.openclaw/exec-approvals.json (defaults / agents.<id>)
1) Keep global defaults conservative
In openclaw.json:
{
  tools: {
    exec: {
      host: "gateway",
      security: "allowlist",
      ask: "on-miss"
    }
  },
  agents: {
    list: [
      {
        id: "my-agent",
        tools: {
          exec: {
            security: "full",
            ask: "off"
          }
        }
      }
    ]
  }
}
CLI version:
openclaw config get agents.list
openclaw config set tools.exec.host gateway
openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.ask on-miss
openclaw config set agents.list[0].tools.exec.security full
openclaw config set agents.list[0].tools.exec.ask off
(Use the right agent index from openclaw config get agents.list.)
2) Scope host approvals to that same agent
In ~/.openclaw/exec-approvals.json:
{
  version: 1,
  defaults: {
    security: "allowlist",
    ask: "on-miss",
    askFallback: "deny"
  },
  agents: {
    "my-agent": {
      security: "full",
      ask: "off",
      askFallback: "full"
    }
  }
}
Or apply it with:
openclaw approvals set --stdin <<'EOF'
{
  version: 1,
  defaults: {
    security: "allowlist",
    ask: "on-miss",
    askFallback: "deny"
  },
  agents: {
    "my-agent": {
      security: "full",
      ask: "off",
      askFallback: "full"
    }
  }
}
EOF
If that agent runs on a node, use openclaw approvals set --node ... instead of local/gateway approvals.
3) Verify
openclaw approvals get
Main gotcha: if either the config default or approvals default stays stricter, that stricter policy still wins.
Docs:
- https://docs.openclaw.ai/tools/exec-approvals
- https://docs.openclaw.ai/tools/exec
- https://docs.openclaw.ai/cli/config
If you want, paste your current exec-approvals.json plus the relevant agents.list bit and I'll rewrite it for exactly one agent.
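Added example, not part of the original post and not OpenClaw's own code: a small audit that models the "stricter merge" described above and lists which agents end up with unrestricted exec. The strictness rankings (including the `deny` and `always` values), the per-agent overlay within each file, and the `other-agent` id are assumptions made for illustration; the two dicts are constructed copies of the files in the post.

```python
# Assumed strictness order (lower rank = stricter); the post itself only shows
# "allowlist", "full", "on-miss" and "off".
SECURITY_RANK = {"deny": 0, "allowlist": 1, "full": 2}
ASK_RANK = {"always": 0, "on-miss": 1, "off": 2}

def stricter(a, b, rank):
    """Return whichever of two settings is stricter."""
    return a if rank[a] <= rank[b] else b

def config_policy(config, agent_id):
    """Global tools.exec.* overlaid with the agent's agents.list[].tools.exec.*."""
    policy = dict(config.get("tools", {}).get("exec", {}))
    for agent in config.get("agents", {}).get("list", []):
        if agent.get("id") == agent_id:
            policy.update(agent.get("tools", {}).get("exec", {}))
    return policy

def approvals_policy(approvals, agent_id):
    """defaults overlaid with agents.<id> from exec-approvals.json."""
    policy = dict(approvals.get("defaults", {}))
    policy.update(approvals.get("agents", {}).get(agent_id, {}))
    return policy

def effective_policy(config, approvals, agent_id):
    """Stricter of the two sources, setting by setting."""
    cfg = config_policy(config, agent_id)
    apr = approvals_policy(approvals, agent_id)
    return {key: stricter(cfg[key], apr[key], rank)
            for key, rank in (("security", SECURITY_RANK), ("ask", ASK_RANK))}

def unrestricted_agents(config, approvals, agent_ids):
    """Agents whose merged policy is security=full with prompts off."""
    full = {"security": "full", "ask": "off"}
    return [a for a in agent_ids if effective_policy(config, approvals, a) == full]

# Constructed sample data mirroring the two files in the post, as Python dicts.
CONFIG = {
    "tools": {"exec": {"host": "gateway", "security": "allowlist", "ask": "on-miss"}},
    "agents": {"list": [
        {"id": "my-agent", "tools": {"exec": {"security": "full", "ask": "off"}}},
        {"id": "other-agent"}]},  # hypothetical second agent with no override
}
APPROVALS = {"version": 1,
    "defaults": {"security": "allowlist", "ask": "on-miss", "askFallback": "deny"},
    "agents": {"my-agent": {"security": "full", "ask": "off", "askFallback": "full"}},
}

if __name__ == "__main__":
    for agent_id in ("my-agent", "other-agent"):
        print(agent_id, effective_policy(CONFIG, APPROVALS, agent_id))
```

Dropping the `my-agent` entry from either dict reproduces the gotcha from the post: the agent falls back to `allowlist` / `on-miss` even though the other file still says `full`.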