What Are Allowlists in OpenClaw?
Allowlists are one of the most critical security mechanisms in OpenClaw. They define exactly which commands, tools, APIs, and file paths your AI agent is permitted to access. Anything not explicitly on the allowlist is denied by default — a principle known as deny-by-default security.
This approach ensures that even if an agent receives a malicious prompt or hallucinates an unsafe action, it cannot execute operations outside its approved scope.
How Allowlists Work
OpenClaw uses a layered allowlist system that operates at three levels:
- Command Allowlist: Defines which shell commands the agent can execute. For example, you might allow git, npm, and curl while blocking rm -rf, sudo, and shutdown.
- File Path Allowlist: Restricts which directories and files the agent can read or write. Typically scoped to your project workspace, preventing access to system files or sensitive directories like ~/.ssh.
- API Allowlist: Controls which external APIs and endpoints the agent can call. This prevents data exfiltration by blocking unauthorized outbound network requests.
Configuring Your Allowlist
Allowlists are configured in your openclaw.config.json file under the security section:
{
  "security": {
    "commandAllowlist": ["git", "npm", "node", "python", "curl"],
    "pathAllowlist": ["./src", "./docs", "./tests"],
    "apiAllowlist": ["api.openai.com", "api.anthropic.com"],
    "denyByDefault": true
  }
}
Best Practices
- Start restrictive: Begin with a minimal allowlist and expand only as needed. It is far safer to add permissions than to remove them after a breach.
- Use glob patterns carefully: Patterns like ./src/** provide recursive access. Ensure you understand the scope before adding them.
- Separate production and development: Use different allowlist profiles for development (more permissive) versus production (locked down).
- Audit regularly: Review your allowlists monthly. Remove any entries that are no longer needed.
- Log denied actions: Enable logging for denied operations to identify legitimate actions that need allowlisting and potential attack attempts.
Common Pitfalls
The most frequent mistake is using wildcard allowlists like "commandAllowlist": ["*"]. This completely defeats the purpose of the security layer. Another common issue is forgetting to restrict file paths, allowing agents to read .env files containing API keys and secrets.
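The pitfalls and best practices above can be checked before a config is deployed. The following Python lint is an added example, not OpenClaw's own code: only the four key names come from the config shown on this page, while the rule set, the function names and both sample configs are assumptions constructed for illustration.

```python
import json

# Constructed sample configs; key names are the ones shown on this page.
GOOD = """{"security": {"commandAllowlist": ["git", "npm"],
  "pathAllowlist": ["./src", "./docs"],
  "apiAllowlist": ["api.openai.com"], "denyByDefault": true}}"""
BAD = """{"security": {"commandAllowlist": ["*", "sudo"],
  "pathAllowlist": ["./src/**", "../", "~/.ssh", "./.env"],
  "apiAllowlist": ["*.example.com"]}}"""

RISKY_COMMANDS = {"rm", "sudo", "shutdown"}  # commands the page says to block
CATCH_ALL = {"*", "**", "/"}                 # entries that allow everything

def lint_path(entry):
    """Findings for one pathAllowlist entry (rules are this example's own)."""
    parts = entry.replace("\\", "/").split("/")
    msgs = []
    if entry.startswith(("/", "~")) or ".." in parts:
        msgs.append(f"{entry!r} reaches outside the project workspace")
    if ".env" in parts or ".ssh" in parts:
        msgs.append(f"{entry!r} exposes keys or secrets")
    if "**" in parts:
        msgs.append(f"{entry!r} is recursive; confirm the scope")
    return msgs

def lint_allowlists(config_text):
    """Return (key, finding) tuples for risky settings in the security section."""
    sec = json.loads(config_text).get("security", {})
    findings = []
    if sec.get("denyByDefault") is not True:
        findings.append(("denyByDefault", "not set to true"))
    for key in ("commandAllowlist", "pathAllowlist", "apiAllowlist"):
        if key not in sec:
            findings.append((key, "not configured"))
            continue
        for entry in sec[key]:
            first_word = (entry.split() or [""])[0]
            if entry.strip() in CATCH_ALL:
                findings.append((key, f"catch-all entry {entry!r}"))
            elif key == "commandAllowlist" and first_word in RISKY_COMMANDS:
                findings.append((key, f"high-risk command {entry!r}"))
            elif key == "pathAllowlist":
                findings.extend((key, msg) for msg in lint_path(entry))
            elif key == "apiAllowlist" and "*" in entry:
                findings.append((key, f"wildcard host {entry!r}"))
    return findings

if __name__ == "__main__":
    for key, finding in lint_allowlists(BAD):
        print(f"{key}: {finding}")
```

A lint like this only inspects the entries as written; it cannot tell whether an allowed directory such as ./src itself contains a .env file, so the periodic audit still applies.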
Integration with Approval Gates
Allowlists work in conjunction with Approval Gates. Even allowed commands can require human-in-the-loop approval for high-risk operations. This creates a defense-in-depth strategy where the allowlist provides the first barrier and approval gates provide the second.