openclaw - Feature: Subagent tool allowlists (per-agent-type tool sandboxing)

GitHub stats: openclaw/openclaw#60945, fetched 2026-04-08 02:45:18
Comments: 0 · Participants: 1 · Timeline: 0 · Reactions: 0


Summary

Allow configuring which tools each sub-agent type has access to, preventing spawned agents from having broader capabilities than needed.

Motivation

Currently, sub-agents spawned via sessions_spawn inherit tool access from their parent or get the full tool set. Claude Code and Claw Code both implement explicit tool allowlists per agent type:

  • Explore agents: read_file, glob, grep, web search — NO write, NO exec
  • Plan agents: read tools + structured output — NO write, NO exec
  • Verification agents: exec + read tools — NO write
  • General agents: everything except recursive agent spawning

This follows the principle of least privilege — a sub-agent spawned to "research topic X" shouldn't be able to modify files or run arbitrary commands.

Proposed Design

In sessions_spawn:

sessions_spawn({
  task: "Research competitor pricing",
  toolsAllow: ["web_search", "web_fetch", "read"],  // only these tools available
  runtime: "subagent"
})

Predefined profiles (optional convenience):

agents:
  toolProfiles:
    explore: [read, web_search, web_fetch, memory_search, memory_get, image]
    plan: [read, web_search, web_fetch, memory_search, memory_get, write]
    verify: [read, exec, web_search, web_fetch]
    full: [all except sessions_spawn]  # prevent recursive spawning

Usage:

sessions_spawn({
  task: "Audit the codebase for security issues",
  toolProfile: "explore",  // shorthand for predefined allowlist
  runtime: "subagent"
})

Benefits

  • Security: Sub-agents can't take actions beyond their mandate
  • Predictability: Parent agent knows exactly what tools the child can use
  • Cost control: Read-only agents can't accidentally trigger expensive operations
  • Auditability: Clear tool boundaries per agent type

Prior Art

  • Claw Code (Rust): allowed_tools_for_subagent() in rust/crates/tools/src/lib.rs
  • Claude Code: Agent tool configuration in task/team orchestration

extent analysis

TL;DR

Implementing a tool allowlist configuration for sub-agents in the sessions_spawn function will help restrict their capabilities and enhance security.

Guidance

  • Define a toolsAllow parameter in the sessions_spawn function to specify the tools available to sub-agents, as shown in the proposed design.
  • Create predefined tool profiles (e.g., explore, plan, verify, full) to provide a shorthand for common tool allowlists, making it easier to manage and reuse configurations.
  • Use the toolProfile parameter to reference these predefined profiles, simplifying the process of assigning tool permissions to sub-agents.
  • Review and test the implementation to ensure it aligns with the principle of least privilege and meets the required security, predictability, cost control, and auditability benefits.

Example

// Example usage of toolsAllow and toolProfile
sessions_spawn({
  task: "Research market trends",
  toolsAllow: ["web_search", "read"],  // custom tool allowlist
  runtime: "subagent"
})

// Using a predefined tool profile
sessions_spawn({
  task: "Analyze system logs",
  toolProfile: "explore",  // shorthand for predefined allowlist
  runtime: "subagent"
})
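The examples above show only the caller's side. As an added sketch of the runtime side (not code from the issue or from openclaw), the block below resolves a spawn request to an effective tool set and checks each tool call against it. The names resolveSubagentTools and guardToolCall are hypothetical, and the sketch assumes a spawn must state toolsAllow or toolProfile explicitly and that a child's tools are intersected with its parent's.

```javascript
// Added example: hypothetical helpers, not openclaw's implementation.
// Profile contents are copied from the toolProfiles block in the proposal.
const TOOL_PROFILES = {
  explore: ["read", "web_search", "web_fetch", "memory_search", "memory_get", "image"],
  plan: ["read", "web_search", "web_fetch", "memory_search", "memory_get", "write"],
  verify: ["read", "exec", "web_search", "web_fetch"],
};

// Resolve the tools a child may use. Assumption of this sketch: a spawn must
// name toolsAllow or toolProfile explicitly, and anything ambiguous is an error.
function resolveSubagentTools(parentTools, { toolsAllow, toolProfile } = {}) {
  let requested;
  if (toolsAllow !== undefined && toolProfile !== undefined) {
    throw new Error("specify toolsAllow or toolProfile, not both");
  } else if (toolsAllow !== undefined) {
    if (!Array.isArray(toolsAllow)) throw new Error("toolsAllow must be an array");
    requested = toolsAllow;
  } else if (toolProfile === "full") {
    // "all except sessions_spawn": the parent's tools minus recursive spawning.
    requested = parentTools.filter((t) => t !== "sessions_spawn");
  } else if (typeof toolProfile === "string" &&
             Object.prototype.hasOwnProperty.call(TOOL_PROFILES, toolProfile)) {
    // Own-property check so names like "constructor" are not treated as profiles.
    requested = TOOL_PROFILES[toolProfile];
  } else {
    throw new Error(`unknown or missing tool profile: ${String(toolProfile)}`);
  }
  // Intersect with the parent's set so spawning can never add a capability.
  const parent = new Set(parentTools);
  const allowed = new Set(requested.filter((t) => parent.has(t)));
  const dropped = requested.filter((t) => !parent.has(t)); // report for audit logs
  return { allowed, dropped };
}

// Enforce at dispatch time: hiding a tool from the model's tool list is not
// enough, the runtime must refuse calls to tools outside the allowlist.
function guardToolCall(allowed, toolName) {
  if (!allowed.has(toolName)) {
    throw new Error(`tool "${toolName}" is not allowed for this sub-agent`);
  }
  return true;
}
```

The dropped list gives the parent a record of requested tools that were withheld, which supports the auditability benefit listed in the proposal.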

Notes

The proposed design and usage examples provide a solid foundation for implementing tool allowlists for sub-agents. However, the actual implementation details may vary depending on the specific requirements and constraints of the project.

Recommendation

Apply the proposed design and implementation to restrict sub-agent capabilities and enhance security, as it aligns with the principle of least privilege and provides clear benefits in terms of security, predictability, cost control, and auditability.
