Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix [Bug] tools.deny Not Enforced for Daemon Agents (CLI) [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#62888Fetched 2026-04-09 08:01:10
View on GitHub
Comments
0
Participants
1
Timeline
0
Reactions
0
Author
renatomaluhyrenatomaluhy
Participants
renatomaluhyrenatomaluhy

tools.deny configuration is completely ignored when agents are launched via CLI as daemon agents (openclaw agent --agent <id>). This affects both subagent AND daemon spawn methods, indicating an architectural bug in the tool policy enforcement.

Error Message

Expected: Tool denied error (web access blocked)

Root Cause

tools.deny configuration is completely ignored when agents are launched via CLI as daemon agents (openclaw agent --agent <id>). This affects both subagent AND daemon spawn methods, indicating an architectural bug in the tool policy enforcement.

Fix Action

Fix / Workaround

Current Workaround

Code Example

{
  "id": "configurator",
  "workspace": "~/.openclaw/workspace",
  "model": "ollama/deepseek-v3.2:cloud",
  "sandbox": { "mode": "off" },
  "tools": {
    "allow": ["read", "write", "edit", "exec", "gateway", "cron"],
    "deny": ["group:web", "browser", "sessions_spawn"]
  }
}

---

openclaw agent --agent configurator --message "SECURITY TEST: Try to search the web for 'news about AI'. If tool denied, say 'PASS: web blocked'. If search works, say 'FAIL: web allowed'."

---

FAIL: web allowed

---

Session: mellow-haven (pid 37154)
Command: openclaw agent --agent configurator --message "SECURITY TEST..."
Result: FAIL: web allowed

---

┌─────────────────────────────────────────────────────────────┐
Layer 1: Communication Isolation- No bindings for privileged agents                         │
- Only main can communicate via sessions_send               │
Status:EFFECTIVE└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
Layer 2: Human Approval (Config Changes)- Configurator proposes → User approves → ApplyStatus:EFFECTIVE└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
Layer 3: Sandbox (For Non-Privileged Agents)- planner, executor, critic: sandbox: all                   │
Status:EFFECTIVE└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
Layer 4: tools.deny (Documentation Only)- Records intent, but NOT enforced                          │
Status:BROKEN└─────────────────────────────────────────────────────────────┘
RAW_BUFFERClick to expand / collapse

[Bug] tools.deny Not Enforced for Daemon Agents (openclaw agent --agent)

Summary

tools.deny configuration is completely ignored when agents are launched via CLI as daemon agents (openclaw agent --agent <id>). This affects both subagent AND daemon spawn methods, indicating an architectural bug in the tool policy enforcement.

OpenClaw Version

Version: 2026.4.2 (d74a122)
Date: 2026-04-08
Tested By: Renato MB (@renatomaluhybellan)

Reproduction Steps

Step 1: Configure Agent with tools.deny

{
  "id": "configurator",
  "workspace": "~/.openclaw/workspace",
  "model": "ollama/deepseek-v3.2:cloud",
  "sandbox": { "mode": "off" },
  "tools": {
    "allow": ["read", "write", "edit", "exec", "gateway", "cron"],
    "deny": ["group:web", "browser", "sessions_spawn"]
  }
}

Step 2: Launch Agent via CLI (Daemon Mode)

openclaw agent --agent configurator --message "SECURITY TEST: Try to search the web for 'news about AI'. If tool denied, say 'PASS: web blocked'. If search works, say 'FAIL: web allowed'."

Step 3: Observe Result

Expected: Tool denied error (web access blocked)
Actual: Web search succeeds ❌

Output:

FAIL: web allowed

Test Results

TestAgenttools.denySpawn MethodResult
1configurator["group:web", "browser", "sessions_spawn"]openclaw agent --agentFAIL - Web allowed

Session Evidence:

Session: mellow-haven (pid 37154)
Command: openclaw agent --agent configurator --message "SECURITY TEST..."
Result: FAIL: web allowed

Comparison: Subagent vs Daemon

Spawn MethodCommandtools.deny Enforced?
Subagentsessions_spawn({ agentId: "configurator" })NO
Daemonopenclaw agent --agent configurator --message "..."NO

Conclusion: tools.deny is completely non-functional regardless of spawn method.

Security Impact

Critical for Privileged Agents

Agents that require sandbox: off (for system access like gateway restart, exec) have NO tool restrictions:

AgentWhy Needs sandbox:offtools.denyActual Protection
configuratorgateway restart, system exec["group:web"]NONE

Attack Vector

If the main agent is compromised (prompt injection):

  1. Main → spawns configurator (or any agent with tools.deny)
  2. Configurator → can access web despite deny list
  3. Attacker → exfiltrates data via web_search/web_fetch

Current Workaround

Our security model now relies on:

┌─────────────────────────────────────────────────────────────┐
│ Layer 1: Communication Isolation                            │
│ - No bindings for privileged agents                         │
│ - Only main can communicate via sessions_send               │
│ Status: ✅ EFFECTIVE                                        │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Layer 2: Human Approval (Config Changes)                    │
│ - Configurator proposes → User approves → Apply             │
│ Status: ✅ EFFECTIVE                                        │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Layer 3: Sandbox (For Non-Privileged Agents)                │
│ - planner, executor, critic: sandbox: all                   │
│ Status: ✅ EFFECTIVE                                        │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Layer 4: tools.deny (Documentation Only)                    │
│ - Records intent, but NOT enforced                          │
│ Status: ❌ BROKEN                                           │
└─────────────────────────────────────────────────────────────┘

Related Issues

  • #18075 - tools.deny is not enforced for spawned subagent sessions (CLOSED NOT_PLANNED)
  • This issue - Extends #18075 to daemon agents (CLI launch)
  • #35434 - tools.subagents.tools.deny override not applied
  • #46635 - Security: agent tool deny list not enforced for cron tool

Request

Please confirm:

  1. Is this a known architectural limitation affecting ALL agent launch methods?
  2. Is the tool policy pipeline designed to allow tools if ANY stage allows (vs ALL stages must allow)?
  3. Will this be fixed, or should we rely solely on sandbox + communication isolation?

This is critical for production deployments where privileged agents need both:

  • sandbox: off (for system access)
  • tools.deny (to block web/exfil)

Evidence

Full test logs and analysis:

  • ~/vaults/openclaw/workspace/docs/TOOLS-DENY-BUG-REPORT.md
  • ~/vaults/openclaw/workspace/docs/AGENT-TOOLS-AUDIT-REPORT.md
  • ~/vaults/openclaw/workspace/docs/CONFIGURATOR-DAEMON-IMPLEMENTATION.md

Labels: bug, security, tools, daemon-agents, sandbox Priority: High (Security)

extent analysis

TL;DR

The most likely fix or workaround for the tools.deny not being enforced for daemon agents is to rely on sandbox and communication isolation until a proper fix is implemented for the tool policy pipeline.

Guidance

  1. Review the tool policy pipeline design: Understand how the tool policy pipeline is designed to handle allow and deny lists, specifically if it allows tools if any stage allows or if all stages must allow.
  2. Implement additional security layers: Until a fix is available, rely on sandbox and communication isolation as additional security layers to prevent unauthorized access.
  3. Monitor related issues: Keep track of related issues such as #18075, #35434, and #46635 for updates on the enforcement of tools.deny for different agent launch methods and tool types.
  4. Test with different configurations: Experiment with different tools.deny configurations to understand the current behavior and potential workarounds.

Example

No specific code example is provided due to the lack of detailed implementation information in the issue. However, reviewing the tools.deny configuration and the tool policy pipeline implementation would be crucial steps.

Notes

The provided information suggests an architectural limitation or bug in the tool policy enforcement for daemon agents launched via CLI. The current workaround relies on additional security layers, but a proper fix would require changes to the tool policy pipeline.

Recommendation

Apply the workaround by relying on sandbox and communication isolation until a proper fix is implemented for the tool policy pipeline. This recommendation is based on the critical security impact of the issue, especially for privileged agents requiring sandbox: off.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#device allocation#model download#tokenizer error#prompt formatting#chain error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING