# Exec approvals and allowlist for Sandbox


late turtle

Current `tools.exec` approval is applied for the host, or for a sandbox's elevated commands on the host. Is it possible to apply `security=allowlist` inside the sandbox? For example, I want exec to allow only python3 inside the sandbox.


glass lintelBOT

Short answer: not as a command-level allowlist inside the sandbox, from what the current docs/source show.

There are three separate layers here:

  • `tools.sandbox.tools.allow`/`deny` controls which OpenClaw tools are available while sandboxed. So you can allow or deny the exec tool itself.
  • `tools.exec.security=allowlist` / exec approvals are for host execution targets (gateway / node), especially sandbox escape/elevated runs. The allowlist lives in `~/.openclaw/exec-approvals.json` on the execution host and matches executable paths.
  • The sandbox runtime controls where the command runs, but there isn’t currently a documented exec argv/binary allowlist for sandbox commands like “only allow python3 inside Docker”.

So if you want “sandboxed agent can run commands, but only python3”, OpenClaw config alone currently does not appear to express that. The closest built-in options are:

  1. Allow/deny the whole exec tool in sandbox:
    `tools.sandbox.tools.allow: ["exec"]` or deny it entirely.

  2. For host/node exec, use `security: "allowlist"` plus an approval allowlist entry for the actual binary path, e.g. `/usr/bin/python3` or `/opt/homebrew/bin/python3`. Basename-only entries like `python3` are ignored for approval allowlists.

  3. For true sandbox-only command restriction, enforce it at the sandbox/container layer for now: custom image, restricted PATH, wrapper executable, shell policy, AppArmor/seccomp, etc. Be careful with Python specifically: allowing python3 is effectively allowing file reads/writes and subprocess execution unless you also constrain the environment/container hard.
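
Option 3 above (a wrapper executable with a restricted PATH), sketched as an added example that is not part of the thread and is not OpenClaw code. `GATE_PATH`, `ALLOWED`, `gate.sh` and the function names are assumptions; the gate compares resolved file paths and ignores basename-only entries, mirroring the path-matching behaviour the answer describes for host approvals.

```shell
#!/bin/sh
# Added example: a hypothetical sandbox-side exec gate (not OpenClaw code).
# GATE_PATH and ALLOWED are assumed names; set them when building the image.
: "${GATE_PATH:=/usr/bin:/bin}"     # the only dirs searched for bare names
: "${ALLOWED:=/usr/bin/python3}"    # newline-separated absolute paths

# Print the canonical absolute path of a command, or fail closed.
resolve_cmd() {
    case "$1" in
        ''|-*) return 1 ;;          # empty or option-like name
        */*)   cand=$1 ;;           # caller gave an explicit path
        *)     cand=$(PATH=$GATE_PATH; command -v "$1" 2>/dev/null) || return 1 ;;
    esac
    case "$cand" in */*) ;; *) return 1 ;; esac   # builtins come back bare: deny
    [ -f "$cand" ] && [ -x "$cand" ] || return 1
    readlink -f "$cand"             # follow symlinks to the real file
}

# Succeed only if the command resolves to the same file as an ALLOWED entry.
# Sets $real for gate() to execute.
is_allowed() {
    real=$(resolve_cmd "$1") || return 1
    while IFS= read -r entry; do
        case "$entry" in /*) ;; *) continue ;; esac   # basename-only: ignored
        if [ "$(readlink -f "$entry" 2>/dev/null)" = "$real" ]; then return 0; fi
    done <<EOF
$ALLOWED
EOF
    return 1
}

# Run an allowed command by its resolved path; refuse everything else.
gate() {
    if is_allowed "$1"; then
        shift
        "$real" "$@"
    else
        echo "exec gate: denied: $1" >&2
        return 126
    fi
}

# When installed as the wrapper executable: gate.sh python3 script.py
if [ "$#" -gt 0 ]; then gate "$@"; exit $?; fi
```

As the answer notes, allowing python3 still allows file access and subprocesses from inside Python, so a gate like this complements container confinement (custom image, seccomp/AppArmor) rather than replacing it.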
