openclaw - 💡(How to fix) Fix tools.exec.safeBins not inherited by isolated cron/heartbeat sessions [1 participants]

openclaw/openclaw#59908 · Fetched 2026-04-08 02:38:58

Bug Description

tools.exec.safeBins configured at the global level (tools.exec.safeBins) or per-agent level (agents[].tools.exec.safeBins) is not propagated to isolated sessions spawned by cron jobs or heartbeat polls (when isolatedSession: true).

Commands that should bypass approval via safeBins still trigger the approval flow in isolated cron sessions, where no human is present to approve — causing them to hang or silently fail.

Reproduction

  1. Configure tools.exec.safeBins in openclaw.json:
{
  "tools": {
    "exec": {
      "security": "allowlist",
      "ask": "on-miss",
      "safeBins": ["ls", "cat", "grep", "brew", "npm", "gh", "qmd"]
    }
  }
}
  2. Create a cron job for any agent that uses exec commands with one of the safeBins:
{
  "cron": [
    {
      "schedule": "0 8 * * *",
      "agent": "main",
      "task": "Check system status",
      "model": "anthropic/claude-sonnet-4-20250514",
      "isolated": true
    }
  ]
}
  3. When the cron fires and the agent runs exec with a safeBin command (e.g., ls, gh issue list), the command hits the approval flow instead of being auto-approved.

Expected Behavior

Isolated cron/heartbeat sessions should inherit the full tools.exec config from their resolved agent config, including:

  • safeBins
  • safeBinProfiles
  • safeBinTrustedDirs
  • strictInlineEval

These properties are already correctly propagated in regular (non-isolated) sessions.

Actual Behavior

The isolated session constructs its ExecToolDefaults without merging safeBins (and related properties) from the resolved agent/global config. The processGatewayAllowlist() function receives an empty safeBins set, so all exec commands require explicit approval.

Environment

  • OpenClaw version: v2026.4.2
  • OS: macOS 26.3 (Apple Silicon)
  • Channel: Telegram (exec approvals enabled)

Related Issues

This appears to be part of a broader pattern where isolated cron sessions do not fully inherit their parent agent config:

  • #58542 — LiveSessionModelSwitchError in isolated cron jobs
  • #58568 — isolated cron sessions inherit parent agent's model override
  • #56572 — Isolated cron run sessions never transition to 'done'

Willingness to Contribute

I would like to contribute a fix for this. The likely location is wherever isolated sessions assemble their ExecToolDefaults — the same code path that already copies security, ask, and host should also copy safeBins, safeBinProfiles, safeBinTrustedDirs, and strictInlineEval.

🤖 This issue was drafted with AI assistance (OpenClaw + Claude). The bug was discovered and verified through real-world cron job usage.

extent analysis

TL;DR

The issue can be fixed by modifying the code that assembles ExecToolDefaults for isolated sessions to include safeBins and related properties from the resolved agent or global config.

Guidance

  • Review the code path that constructs ExecToolDefaults for isolated sessions and verify that it correctly merges safeBins, safeBinProfiles, safeBinTrustedDirs, and strictInlineEval from the parent agent or global config.
  • Update the processGatewayAllowlist() function to receive the complete safeBins set from the resolved agent or global config.
  • Test the fix by running a cron job with an exec command that uses a safeBin and verify that it is auto-approved without requiring explicit approval.
  • Consider reviewing related issues (#58542, #58568, #56572) to ensure that the fix does not introduce any regressions.

Example

No code snippet is provided as the issue does not include the relevant code, but the fix should involve updating the ExecToolDefaults construction to include the missing properties.

Notes

The fix may require modifications to the OpenClaw codebase, and it is recommended to test the changes thoroughly to ensure that they do not introduce any regressions.

Recommendation

Apply a workaround by modifying the ExecToolDefaults construction code to include the missing properties, as this is the most direct way to address the issue.
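
A minimal TypeScript model of the inheritance gap and of the regression check suggested in the guidance, added here as an illustration and not taken from the OpenClaw code base. The `ExecConfig` shape, the function names, the key-by-key agent-over-global precedence and the basename-only `decide` gate are assumptions; only the field names and the sample `safeBins` list come from the issue.

```typescript
// Hypothetical model of the exec settings named in the issue; not OpenClaw source.
interface ExecConfig {
  security?: string;
  ask?: string;
  host?: string;
  safeBins?: string[];
  safeBinProfiles?: Record<string, unknown>;
  safeBinTrustedDirs?: string[];
  strictInlineEval?: boolean;
}
type Key = keyof ExecConfig;

// Fields the issue says already reach isolated sessions, and the ones it says are lost.
const COPIED: Key[] = ["security", "ask", "host"];
const LOST: Key[] = ["safeBins", "safeBinProfiles", "safeBinTrustedDirs", "strictInlineEval"];

// Assumed precedence: per-agent settings override global ones key by key.
function resolveExec(globalCfg: ExecConfig, agentCfg: ExecConfig = {}): ExecConfig {
  return { ...globalCfg, ...agentCfg };
}

function pick(src: ExecConfig, keys: Key[]): ExecConfig {
  const out: ExecConfig = {};
  for (const k of keys) if (src[k] !== undefined) Object.assign(out, { [k]: src[k] });
  return out;
}

// "Actual Behavior": the isolated session is built from the first group only.
const isolatedDefaultsBuggy = (r: ExecConfig): ExecConfig => pick(r, COPIED);
// "Expected Behavior": every resolved exec field is carried over.
const isolatedDefaultsFixed = (r: ExecConfig): ExecConfig => pick(r, [...COPIED, ...LOST]);

// Simplified gate: in allowlist mode a command is auto-approved only when its
// binary is in safeBins; anything else goes to the approval flow.
function decide(defaults: ExecConfig, argv: string[]): "auto-approve" | "needs-approval" {
  const bin = argv[0] ?? "";
  return new Set(defaults.safeBins ?? []).has(bin) ? "auto-approve" : "needs-approval";
}

// Regression check: resolved fields that did not survive into the isolated defaults.
function droppedFields(resolved: ExecConfig, isolated: ExecConfig): Key[] {
  return (Object.keys(resolved) as Key[]).filter((k) => isolated[k] === undefined);
}

// Constructed sample: the global config from the reproduction plus an assumed agent override.
const resolved = resolveExec(
  { security: "allowlist", ask: "on-miss", safeBins: ["ls", "cat", "grep", "brew", "npm", "gh", "qmd"] },
  { strictInlineEval: true },
);
console.log(decide(isolatedDefaultsBuggy(resolved), ["gh", "issue", "list"]));
console.log(droppedFields(resolved, isolatedDefaultsBuggy(resolved)));
```

Asserting that `droppedFields` returns an empty list for the isolated path also catches exec fields added to the config later but never wired into isolated sessions.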
