openclaw/openclaw: No config path enables exec for agents in isolated sessions — sandbox blocks before exec-approvals (2 comments, 1 participant)

openclaw/openclaw#59720 · Fetched 2026-04-08 02:41:25

Summary

In OpenClaw 2026.3.31 (213a704), there is no configuration path that enables exec for agents running in isolated sessions. The sandbox policy blocks exec before exec-approvals.json is even consulted, and the elevated escape hatch doesn't work because isolated sessions report channel: (unknown), which no allowFrom entry can match.

This affects any agent that needs to run shell commands autonomously — trading bots, monitoring agents, CI/CD pipelines. Our agent Maverick (a trading bot running 5-min governor heartbeats with Python script exec) is completely blocked from executing its governor scripts after upgrading to 2026.3.31.

Steps to Reproduce

  1. Configure an agent (e.g., Maverick) with heartbeat.every: "5m" and governor scripts that require exec
  2. Set heartbeat.target: "discord" — exec is denied: exec denied: allowlist miss (Discord exec gate)
  3. Set heartbeat.target: "isolated" — config validation fails: unknown heartbeat target: isolated
  4. Remove target entirely — heartbeat skipped with reason: "target-none"
  5. Create a cron workaround with sessionTarget: "isolated" — job fires successfully, but exec is still denied inside the agent turn:
    Heartbeat tick not run: exec denied by sandbox policy (allowlist miss); mode/MTM/actions unavailable.

Full Configuration Attempted (Exhaustive)

Every combination below was tested with a gateway restart after each change. None enabled exec.

1. exec-approvals.json

Maverick configured with security: "full" + ask: "off" — should be unrestricted ("YOLO mode") per docs. Result: Still blocked. Sandbox denies exec before exec-approvals is consulted.

2. openclaw.json — agent-level tools

elevated.enabled: true on Maverick's agent config. Result: Still blocked.

3. openclaw.json — global tools

{
  "tools": {
    "elevated": {
      "enabled": true,
      "allowFrom": {
        "discord": ["*"],
        "isolated": ["*"]
      }
    }
  }
}

Result: Still blocked.

4. Cron with sessionTarget: "isolated"

openclaw cron add \
  --agent maverick \
  --name "maverick-governor-heartbeat-5min" \
  --cron "*/5 9-16 * * 1-5" \
  --tz "America/New_York" \
  --session isolated \
  --exact \
  --message "Run governor heartbeat tick..." \
  --announce --to <discord-channel-id> --channel discord

Cron job fires (status: ok, delivered to Discord), but exec is denied inside the agent turn.

5. openclaw sandbox explain

$ openclaw sandbox explain --agent maverick

Elevated:
  enabled: true
  channel: (unknown)
  allowedByConfig: false

allowedByConfig is always false regardless of configuration. The channel: (unknown) for isolated sessions means no allowFrom entry ever matches — the channel resolution runs before the allowlist lookup, and isolated sessions have no channel identity to resolve.

Root Cause Analysis

The exec authorization chain is:

  1. Sandbox policy checks elevated.enabled + allowFrom[channel]
  2. If sandbox allows → exec-approvals.json checks agent-level permissions
  3. If exec-approvals allows → exec runs

The bug is in step 1: isolated sessions set channel: (unknown), and the allowFrom matcher has no way to match an unknown channel. So the sandbox always blocks exec for isolated sessions, regardless of what's configured in exec-approvals.json or openclaw.json.

This is a regression — prior to 2026.3.31, agents could exec in their heartbeat loops without issue.

Impact

  • Any agent requiring autonomous shell exec (trading bots, monitoring, CI/CD) is broken after upgrading to 2026.3.31
  • No workaround exists within the OpenClaw config system
  • The only remaining path is using Claude Code with dangerouslyDisableSandbox, which defeats the purpose of the sandbox entirely

Proposed Fix

Either (or both):

  1. Allow "isolated" as a heartbeat.target and ensure the sandbox allowFrom matcher recognizes "isolated" as a valid channel — heartbeats that need exec should be able to use isolated sessions just like crons
  2. Register isolated sessions with a known channel identity (e.g., channel: "isolated") instead of (unknown), so allowFrom.isolated entries can match
  3. Decouple exec approval from channel transport — if an agent has security: "full" in exec-approvals.json, the sandbox should respect that regardless of channel origin

Environment

  • OpenClaw: 2026.3.31 (213a704)
  • OS: macOS Darwin 25.3.0
  • Agent: Maverick — trading bot running 5-min governor heartbeats with Python script exec
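
The authorization chain from the Root Cause Analysis, together with Proposed Fix options 2 and 3, modelled as an added example (not OpenClaw's own code): `Session`, `sandboxAllows`, `approvalsAllow`, `authorizeExec` and the `decoupled` flag are assumed names, and the inputs are constructed from the global tools config and exec-approvals settings quoted in the report.

```typescript
// Added model of the exec authorization chain described in the issue:
// sandbox allowFrom check first, exec-approvals.json second. All names
// here are assumptions for illustration, not OpenClaw's own code.

type Session = { channel: string | null };          // null models "(unknown)"
type ElevatedConfig = { enabled: boolean; allowFrom: Record<string, string[]> };
type ExecApprovals = { security: "full" | "allowlist" | "deny"; ask: "on" | "off" };
type Decision = { allowed: boolean; reason: string };

// Step 1: sandbox policy. Channel resolution happens before the allowlist
// lookup, so a session with no channel identity can never match an entry.
function sandboxAllows(cfg: ElevatedConfig, session: Session, agent: string): Decision {
  if (!cfg.enabled) return { allowed: false, reason: "elevated.enabled is false" };
  const channel = session.channel ?? "(unknown)";
  const entries = cfg.allowFrom[channel] ?? [];
  if (!entries.includes("*") && !entries.includes(agent)) {
    return { allowed: false, reason: `allowlist miss (channel: ${channel})` };
  }
  return { allowed: true, reason: `allowFrom.${channel} matched` };
}

// Step 2: exec-approvals.json, consulted only after the sandbox allows.
function approvalsAllow(a: ExecApprovals): Decision {
  if (a.security === "deny") return { allowed: false, reason: "security: deny" };
  if (a.security === "full" && a.ask === "off") return { allowed: true, reason: "security: full, ask: off" };
  return { allowed: false, reason: "approval required" };
}

// Full chain. `decoupled` models proposed fix 3: an agent whose approvals say
// security: "full" is honoured regardless of channel origin.
function authorizeExec(cfg: ElevatedConfig, approvals: ExecApprovals, session: Session,
                       agent: string, decoupled = false): Decision {
  if (decoupled && approvals.security === "full" && approvals.ask === "off") {
    return approvalsAllow(approvals);
  }
  const sb = sandboxAllows(cfg, session, agent);
  if (!sb.allowed) return { allowed: false, reason: `exec denied by sandbox policy (${sb.reason})` };
  return approvalsAllow(approvals);
}

// Constructed inputs mirroring the report's global tools config and YOLO-mode approvals.
const elevated: ElevatedConfig = { enabled: true, allowFrom: { discord: ["*"], isolated: ["*"] } };
const yolo: ExecApprovals = { security: "full", ask: "off" };
const isolatedToday: Session = { channel: null };        // reported behaviour: channel (unknown)
const isolatedFixed: Session = { channel: "isolated" };  // proposed fix 2: known channel identity
```

With the reported behaviour the chain denies before exec-approvals is read, even though `allowFrom.isolated` is set; with either proposed fix the same config allows exec.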

Extent analysis

TL;DR

The most likely fix is to modify the OpenClaw configuration to allow isolated sessions to be recognized as a valid channel, enabling exec approval.

Guidance

  • The root cause of the issue is the sandbox policy blocking exec for isolated sessions due to the unknown channel identity.
  • To verify the issue, check the openclaw sandbox explain output for the channel: (unknown) and allowedByConfig: false values.
  • A potential workaround is to use the dangerouslyDisableSandbox option with Claude Code, but this defeats the purpose of the sandbox.
  • Another possible solution is to register isolated sessions with a known channel identity, such as channel: "isolated", to allow allowFrom.isolated entries to match.

Example

No code snippet is provided as the issue is related to configuration and not code.

Notes

The proposed fix involves modifying the OpenClaw configuration to recognize isolated sessions as a valid channel, which may require updates to the openclaw.json file or the exec-approvals.json file.

Recommendation

Apply a workaround by registering isolated sessions with a known channel identity, such as channel: "isolated", to allow allowFrom.isolated entries to match, as this is a more targeted solution that does not disable the sandbox entirely.
