#plugins

@pop-os:~$ openclaw help
[openclaw] Failed to start CLI: Error: The openclaw help command is unavailable because plugins.allow excludes "help". Add "help" to plugins.allow if you want that bundled plugin CLI surface.
at runCli (file:///h_/de_modules/openclaw/dist/run-main-BBeVm29G.js:458:45)

i cant figure it out nor does the mainagent..
anyone a clue?

yep, this looks like a restrictive plugins.allow issue.

Two quick things:

• openclaw --help should still work
• openclaw <command> --help should work for subcommands

openclaw help is getting blocked because your config says only allowed plugins may load, and "help" is not in that allowlist.

If you want that command back, add it in your JSON5 config, for example:

plugins: {
  allow: ["help", /* your other plugin ids */]
}

Or, if you do not actually need a restrictive allowlist, remove plugins.allow entirely.

Also, what does this print?

openclaw --version

If you paste that plus your plugins.allow block, I can sanity-check it. Docs: https://docs.openclaw.ai/help/faq and https://docs.openclaw.ai/gateway/troubleshooting

OpenClaw 2026.4.15 (041266a)

nice, that version is recent enough, so this is probably not a version mismatch.

This looks like config, not the agent being dumb 😅

Try this:

1. Find your config file:

openclaw config file

2. Open it and look for plugins.allow

If you see something like this:

plugins: {

  allow: ["browser", "discord", "telegram"]
}

then either:

• add "help" to that list, or
• remove plugins.allow entirely if you do not want a restrictive allowlist

Example fix:

plugins: {
  allow: ["help", "browser", "discord", "telegram"]
}

Meanwhile, root help should still work with:

openclaw --help

So the short version is:

• openclaw --help = works
• openclaw help = blocked by your plugins.allow

If you want, paste just your plugins.allow block here and I can tell you exactly what to change. Docs: https://docs.openclaw.ai/help/faq https://docs.openclaw.ai/gateway/troubleshooting

i see this:

nova@pop-os:~$ openclaw config file

🦞 OpenClaw 2026.4.15 (041266a) — Powered by open source, sustained by spite and good documentation.

~/.openclaw/openclaw.json
nova@pop-os:~$

yep, that’s the right file.

Next step, open ~/.openclaw/openclaw.json and look for a plugins section with an allow list.

You’re looking for something like:

{
  plugins: {
    allow: ["browser", "discord"]
  }
}

If you find that, either:

• add "help" to the list, or

• remove the allow list entirely if you do not need it

Example:

{
  plugins: {
    allow: ["help", "browser", "discord"]
  }
}

Quick way to inspect just that area:

grep -n 'plugins\|allow' ~/.openclaw/openclaw.json

If you want, paste only the plugins section here, not the whole file, since config files can contain secrets.
And in the meantime, openclaw --help should still work.

},
"plugins": {
"allow": [
"telegram",
"minimax",
"memory-core"
],
"entries": {
"minimax": {
"enabled": true
}

this?

yep, that’s the culprit.

Right now your allowlist only permits:

• telegram
• minimax
• memory-core

So help is excluded.

Change it to:

"plugins": {
  "allow": [
    "help",

    "telegram",
    "minimax",
    "memory-core"
  ],
  "entries": {
    "minimax": {
      "enabled": true
    }
  }
}

Then save and run:

openclaw help

That should fix it. For this specific CLI command, you should not need a gateway restart.

If you want, paste the next output and I’ll sanity-check it.

no. other commads in terminal like "openclaw plugins list" arent working too

ah, then that’s probably two separate issues.

1. openclaw help
   That one really is your plugins.allow blocking "help".

2. openclaw plugins list
   That is a real built-in CLI command on 2026.4.x, so if that also fails, I need the exact error text for that one too.

Can you paste the output of:

openclaw plugins list

If you want to be extra thorough, also:

openclaw --help
openclaw plugins --help

openclaw plugins list should exist, per the CLI docs: https://docs.openclaw.ai/cli/plugins
So if it fails, we’re looking at something beyond just the help allowlist.

iots the same output like threadbegin

got it. Let’s verify the effective config, not just the file snippet.

Please run these two:

openclaw config get plugins.allow --json
openclaw config validate

What I’m looking for:

• if plugins.allow does not include "help", then the edit did not actually land in the active config
• if it does include "help" and openclaw help still throws the same error, then this is starting to smell like a real bug/regression

If you paste those two outputs, we can narrow it down fast.
And no need to paste the whole config file.

nova@pop-os:~$ openclaw config get plugins.allow --json
openclaw config validate
[
"telegram",
"minimax",
"memory-core"
]

Why is it back in there?

that output is the smoking gun.

openclaw config get is showing the active config still does not contain "help". So your manual edit did not stick.

Most likely causes:

• the file was not saved
• you edited the wrong spot
• there is a duplicate plugins block later in the file and the later one wins

Fastest fix is to let OpenClaw write the config itself:

openclaw config set plugins.allow '["help","telegram","minimax","memory-core"]' --strict-json
openclaw config get plugins.allow --json
openclaw help

If that still does something weird, then check for duplicate blocks:

grep -n '"plugins"\|"allow"' ~/.openclaw/openclaw.json

Docs for the config command: https://docs.openclaw.ai/cli/config

nooo i want the entire list deletet and allow everthing

yep, then do this, not set:

openclaw config unset plugins.allow
openclaw config get plugins.allow --json
openclaw help

That removes the allowlist entirely.

A couple of notes:

• plugins.entries can stay, that is fine
• removing plugins.allow means OpenClaw is no longer restricted to just that small approved list

So after unsetting it, openclaw help and openclaw plugins list should come back.

If this fixes it, please right-click the solution message → Apps → ✅ Mark Solution so Answer Overflow can index it for the next person 🎉

nova@pop-os:~$ openclaw config unset plugins.allow
openclaw config get plugins.allow --json
openclaw help

🦞 OpenClaw 2026.4.15 (041266a) — No $999 stand required.

Config overwrite: /home/nova/.openclaw/openclaw.json (sha256 61026eab326a3de9b143bae558cc898ca7cc007e6ba915136dae1e6b587519ed -> 29fedcfc4379c797ef2d9cbd84ccc7f6ac08493c742e14e9173d4facd164eaf1, backup=/home/nova/.openclaw/openclaw.json.bak)
Removed plugins.allow. Restart the gateway to apply.
Config path not found: plugins.allow

yep, that is actually good 🎉

This part means it was removed successfully:

• Removed plugins.allow. Restart the gateway to apply.
• Config path not found: plugins.allow

That second line is from config get, and it means the key is gone now.

Now run these again as fresh commands:

openclaw help
openclaw plugins list

The “restart the gateway” note is mainly for the running gateway process.

For plain CLI commands, the next invocation should usually pick up the change already.

If either one still fails, paste just that exact output and we’ll do one more round.

okay.. i saw some of "sha256 61026eab326a3de9b143bae558cc898ca7cc007e6ba915136dae1e6b587519ed -> 29fedcfc4379c797ef2d9cbd" this in my message to you... is this a security risk? this thread is open to all people. or is anything here a security risk, that i didnt realized and posted is?

short answer: no, that SHA256 line is not a meaningful security risk by itself.

What you’ve posted so far looks low risk:

• OpenClaw version
• config file path (/home/nova/.openclaw/openclaw.json)
• plugin names like telegram, minimax, memory-core
• SHA256 hashes of the file before/after

That hash is just a fingerprint of the file contents. People cannot turn it back into your config from the hash alone.

The only mildly sensitive thing you exposed is your local username/path (/home/nova/...), which is usually not a big deal, just a little bit of personal system info.

What would be risky to post:

• API keys
• bot tokens

• gateway.auth.token or gateway.auth.password
• full openclaw.json
• QR pairing codes
• .env contents
• auth/session files

So, I would not panic about what you posted here.
If you want to be extra tidy, you could edit out the home path, but the important part is: do not paste the full config file or any token values.

did i done anything of that you mentioned now?

no, based on what you pasted in this thread, you did not post any of the dangerous stuff I listed.

What you shared was basically:

• version info
• local file path
• plugin names
• SHA256 file fingerprints
• command output/errors

So, from what I can see here:

• no API keys
• no bot tokens
• no gateway password/token
• no QR codes
• no full config contents

• no auth/session secrets

So you’re okay. I would not rotate anything based on this thread alone.

ok thanks. last command solved my problem so far. i will mark as solved and leave this thread here.

perfect, glad we caught it 🙂

Yep, the issue was that restrictive plugins.allow block, and openclaw config unset plugins.allow cleaned it up.

Thanks for marking it solved, that helps future folks a lot.

still think its a bug.. openclaw help is for everything. if i set an allowlist again. this will happen again?