openclaw - 💡(How to fix) Fix [Bug] tools.deny Not Enforced for Subagents (sessions_spawn) [1 participants]

openclaw/openclaw#62887, fetched 2026-04-09 08:01:11
tools.deny configuration is completely ignored when agents are spawned via sessions_spawn. This is a critical security vulnerability that allows subagents to access tools that should be blocked.

[Bug] tools.deny Not Enforced for Subagents (sessions_spawn)

Summary

tools.deny configuration is completely ignored when agents are spawned via sessions_spawn. This is a critical security vulnerability that allows subagents to access tools that should be blocked.

OpenClaw Version

Version: 2026.4.2 (d74a122)
Date: 2026-04-08
Tested By: Renato MB (@renatomaluhybellan)

Reproduction Steps

Step 1: Configure Agent with tools.deny

{
  "id": "configurator",
  "workspace": "~/.openclaw/workspace",
  "model": "ollama/deepseek-v3.2:cloud",
  "sandbox": { "mode": "off" },
  "tools": {
    "allow": ["read", "write", "edit", "exec", "gateway", "cron"],
    "deny": ["group:web", "browser", "sessions_spawn"]
  }
}

Step 2: Spawn Agent via sessions_spawn

sessions_spawn({
  agentId: "configurator",
  task: "SECURITY TEST: Try to search the web for 'news about AI'. If tool denied, report 'PASS: web blocked'. If search works, report 'FAIL: web allowed'."
})

Step 3: Observe Result

Expected: Tool denied error (web access blocked)
Actual: Web search succeeds ❌

Test Results

| Test | Agent | tools.deny | Spawn Method | Result |
|------|-------|------------|--------------|--------|
| 1 | configurator | ["group:web", "browser", "sessions_spawn"] | sessions_spawn | FAIL - Web allowed |
| 2 | configurator | ["group:web", "browser", "sessions_spawn"] | sessions_spawn | FAIL - Web allowed |

Session Evidence:

Session Key: agent:configurator:subagent:7a0e5d88-9a20-4457-aa03-88bcebff44d7
Result: FAIL: web allowed when it should have been blocked

Security Impact

High Risk

Agents with sandbox: off (like our Configurator) can:

  • ✅ Access web despite tools.deny: ["group:web"]
  • ✅ Exfiltrate data via web_search/web_fetch
  • ✅ Spawn additional subagents despite tools.deny: ["sessions_spawn"]

Affected Agents

| Agent | sandbox | tools.deny | Actual Protection |
|-------|---------|------------|-------------------|
| planner | all | ["exec", "write", "edit"] | ✅ Sandbox protects |
| executor | all | ["group:web", "sessions_*"] | ✅ Sandbox protects |
| critic | all | ["exec", "write", "edit"] | ✅ Sandbox protects |
| configurator | off | ["group:web", "browser"] | NO PROTECTION |

Current Workaround

We are relying on communication isolation instead of tools.deny:

  1. ✅ No bindings for configurator → Cannot be accessed directly via Telegram/Discord
  2. ✅ Only main agent can communicate via sessions_send
  3. ✅ Human approval flow for config changes
  4. ⚠️ tools.deny is documentation only (not functional)

Related Issues

  • #18075 - tools.deny is not enforced for spawned subagent sessions (CLOSED NOT_PLANNED - inactivity)
  • #35434 - tools.subagents.tools.deny override not applied
  • #46635 - Security: agent tool deny list not enforced for cron tool
  • #10992/3 - Sub-agents bypass exec approvals for safeBins commands

Request

Please confirm:

  1. Is this a known architectural limitation?
  2. Will this be fixed in a future release?
  3. Is there a workaround we are missing?

This is critical for our Phase 2 security hardening where privileged agents need sandbox: off but still require tool restrictions.

Evidence

Full test logs available at:

  • ~/vaults/openclaw/workspace/docs/TOOLS-DENY-BUG-REPORT.md
  • ~/vaults/openclaw/workspace/docs/AGENT-TOOLS-AUDIT-REPORT.md

Labels: bug, security, tools, subagents
Priority: High (Security)
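
The behaviour the report expects can be written down as a small reference model and used as a regression check or config audit. This is an added example, not OpenClaw code and not part of the original issue; the membership of group:web, the "deny overrides allow" rule, and the function names are assumptions made for illustration.

```javascript
// Added example, not OpenClaw code. Assumed model: deny overrides allow,
// and an allow list is exhaustive. GROUPS membership is an assumption; the
// report names only web_search and web_fetch as web tools.
const GROUPS = { "group:web": ["web_search", "web_fetch"] };

// Agent entry as posted in the report (workspace and model omitted).
const CONFIGURATOR = {
  id: "configurator",
  sandbox: { mode: "off" },
  tools: {
    allow: ["read", "write", "edit", "exec", "gateway", "cron"],
    deny: ["group:web", "browser", "sessions_spawn"],
  },
};

// Expand group names, then compile each entry; "*" acts as a glob ("sessions_*").
function compile(entries = []) {
  return entries
    .flatMap((e) => GROUPS[e] || [e])
    .map((e) => {
      const escaped = e.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
      return new RegExp(`^${escaped}$`);
    });
}

// A tool is usable only if no deny entry matches and some allow entry does.
function isToolAllowed(agent, tool) {
  const { allow, deny } = agent.tools || {};
  if (compile(deny).some((re) => re.test(tool))) return false;
  return compile(allow).some((re) => re.test(tool));
}

// The spawn is checked against the caller's policy; every tool the subagent
// session asks for is checked against the target agent's own policy.
function checkSpawn(caller, target, requestedTools) {
  if (!isToolAllowed(caller, "sessions_spawn")) {
    return { spawned: false, denied: ["sessions_spawn"] };
  }
  return { spawned: true, denied: requestedTools.filter((t) => !isToolAllowed(target, t)) };
}

// Audit: with the sandbox off, tools.deny is the only tool control an agent has.
function denyOnlyAgents(agents) {
  return agents
    .filter((a) => (a.sandbox || {}).mode === "off" && (a.tools?.deny || []).length > 0)
    .map((a) => a.id);
}
```

Running denyOnlyAgents over the full agent list gives the set of agents whose restrictions depend entirely on the enforcement this issue reports as missing.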

extent analysis

TL;DR

The tools.deny configuration is not enforced for subagents spawned via sessions_spawn, allowing them to access blocked tools, and a workaround using communication isolation is currently in place.

Guidance

  • Review the tools.deny configuration for each agent to ensure it is correctly set up, especially for those with sandbox: off.
  • Consider implementing additional security measures, such as human approval flows for config changes, to mitigate the risk of subagents accessing blocked tools.
  • Investigate the related issues (#18075, #35434, #46635, #10992/3) to see if they are relevant to this problem and if any workarounds or fixes can be applied.
  • Verify that the communication isolation workaround is correctly implemented and effective in preventing subagents from accessing blocked tools.

Notes

The issue seems to be a known limitation or bug, and it's not clear if it will be fixed in a future release. The current workaround using communication isolation may not be sufficient, and additional security measures should be considered.

Recommendation

Apply the communication-isolation workaround and consider implementing additional security measures, since it is not clear whether this issue will be fixed in a future release. The workaround provides some level of protection, and additional measures can help mitigate the risk of subagents accessing blocked tools.
