Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix Feature: execDenyPathPatterns — config-level denylist for file paths in exec commands [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#74379Fetched 2026-04-30 06:24:38
View on GitHub
Comments
1
Participants
2
Timeline
1
Reactions
2
Author
xonamanxonaman
Participants
clawsweeper[bot]clawsweeper[bot]xonamanxonaman
Timeline (top)
commented ×1

Error Message

"denyPathAction": "block" // or "warn" | "require_approval" Behavior: any exec command whose tokenized arguments resolve to a path matching one of these globs is rejected at the policy layer (same gate as safeBins/approval), with a clear error: exec_blocked: argument matches denyPathPatterns.

Root Cause

Every OpenClaw user with a secrets directory has the same vulnerability today. Fix is small (~50 LOC), surface is config-only, default off. Agents that need to ship secrets via env-var loaders aren't affected.

Happy to draft the PR if a maintainer agrees on the config shape.

Reported from: production VPS install, OpenClaw 2026.4.22 / agent runtime, incident write-up in agent's .learnings/ERRORS.md (not public, summary above).

Code Example

{
  "tools": {
    "exec": {
      "denyPathPatterns": [
        "~/.openclaw/secrets/**",
        "~/.ssh/id_*",
        "**/.env",
        "**/credentials.json"
      ],
      "denyPathAction": "block"  // or "warn" | "require_approval"
    }
  }
}
RAW_BUFFERClick to expand / collapse

Problem

OpenClaw exec policy has safeBins (allowlist of binaries) but no path-pattern denylist. This means an agent can run cat /home/user/.openclaw/secrets/foo.env and the plaintext token lands in:

  1. The session JSONL transcript (on disk, persistent)
  2. The next outbound LLM API request body (provider sees it)
  3. Any downstream cache, log, or sub-agent fork

Once a secret value crosses into LLM context it must be treated as compromised — full revoke + reissue.

This happened on a production OpenClaw install on 2026-04-29: a sub-agent ran cat ~/.openclaw/secrets/telegram-trader.env to inspect bot config and leaked two Telegram bot tokens. Containment required scrubbing 5 session files and rotating both tokens via BotFather.

Current defenses (insufficient)

  • Filesystem perms (chmod 600) — agent runtime runs as the same user; perms don't help.
  • Instruction-layer rule (e.g. "never cat secrets/") — LLM may follow it, may not, especially under pressure or in sub-agents that don't inherit the rule.
  • safeBinscat is and should remain in safeBins; restricting it would break everything.

The missing layer is runtime-enforced path denylist that blocks the command before exec, regardless of which binary is invoked.

Proposed config

{
  "tools": {
    "exec": {
      "denyPathPatterns": [
        "~/.openclaw/secrets/**",
        "~/.ssh/id_*",
        "**/.env",
        "**/credentials.json"
      ],
      "denyPathAction": "block"  // or "warn" | "require_approval"
    }
  }
}

Behavior: any exec command whose tokenized arguments resolve to a path matching one of these globs is rejected at the policy layer (same gate as safeBins/approval), with a clear error: exec_blocked: argument matches denyPathPatterns.

Detection scope (v1)

Match against literal path-like arguments after shell-quote unescaping. Don't try to defeat:

  • Heredocs, eval'd indirection, base64-decoded paths, `` substitution
  • Symlinks pointing at protected paths (out of scope; document)

Goal: catch the 90% lazy-cat case that caused this incident, not build a perfect sandbox.

Why this matters

Every OpenClaw user with a secrets directory has the same vulnerability today. Fix is small (~50 LOC), surface is config-only, default off. Agents that need to ship secrets via env-var loaders aren't affected.

Happy to draft the PR if a maintainer agrees on the config shape.

Reported from: production VPS install, OpenClaw 2026.4.22 / agent runtime, incident write-up in agent's .learnings/ERRORS.md (not public, summary above).

extent analysis

TL;DR

Implement a runtime-enforced path denylist in the OpenClaw exec policy to prevent sensitive information leaks.

Guidance

  • Introduce a denyPathPatterns configuration option to block commands that access sensitive paths, such as ~/.openclaw/secrets/** or **/.env.
  • Define a denyPathAction to specify the behavior when a command matches a denied path pattern, e.g., block, warn, or require_approval.
  • Focus on catching the "90% lazy-cat case" by matching against literal path-like arguments after shell-quote unescaping.
  • Consider the proposed config shape and draft a PR to implement the fix.

Example

{
  "tools": {
    "exec": {
      "denyPathPatterns": [
        "~/.openclaw/secrets/**",
        "~/.ssh/id_*",
        "**/.env",
        "**/credentials.json"
      ],
      "denyPathAction": "block"
    }
  }
}

Notes

The proposed fix has a small surface area (~50 LOC) and is a config-only change, with a default off setting to avoid affecting agents that need to ship secrets via env-var loaders.

Recommendation

Apply the proposed workaround by introducing a denyPathPatterns configuration option to prevent sensitive information leaks. This fix is small and has a limited surface area, making it a reasonable solution to mitigate the vulnerability.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#training loop#device allocation#model download#tokenizer error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - 💡(How to fix) Fix Feature: execDenyPathPatterns — config-level denylist for file paths in exec commands [1 comments, 2 participants]