
OpenClaw Sandbox Policy Fix

Bug Fix · Security · March 25, 2026 · PR #54492

Nimrod Gutman (ngutman)

OpenClaw core contributor specializing in sandbox security, tool policy, and agent isolation. Known for thorough PR documentation and regression coverage.

Why This Matters

OpenClaw's sandbox mode is critical infrastructure for safely running AI agents in constrained environments. It controls which tools an agent can access — preventing sandboxed agents from executing arbitrary commands, sending messages, or accessing the browser without explicit permission.

This PR fixes a bug where two important sandbox config options were silently ignored:

⚠️ The Bug

Operators configuring tools.sandbox.tools.alsoAllow: ["message", "tts"] expected their sandboxed agents to be able to use those tools. But the sandbox resolver read only allow and deny and ignored alsoAllow entirely, so agents were more restricted than configured.

What Changed Technically

The fix introduces a unified effective sandbox policy resolver that all sandbox-related code paths now share:

This ensures the sandbox behaves consistently everywhere — what you configure is what you get.

Files Changed: 12 · Lines Added: 815 · Lines Removed: 113

Key Behaviors Fixed

  1. alsoAllow works: Tools listed in alsoAllow are now additive to the sandbox allowlist.
  2. Re-allows work: Explicitly allowing a default-denied tool (like browser) now removes it from the deny list.
  3. Explain matches runtime: openclaw sandbox explain now reports the same effective policy used at runtime.
  4. allow: [] semantics preserved: Empty allow array plus alsoAllow still means allow-all (not an empty allowlist).
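
A minimal sketch of a resolver with the four behaviors listed above, added here as an illustration and not taken from the OpenClaw PR. The type and function names, the default allow/deny lists, and the rule that an operator's deny entry always wins are assumptions.

```typescript
// Added sketch: names, defaults and deny precedence are assumptions, not OpenClaw source.
type SandboxTools = { allow?: string[]; alsoAllow?: string[]; deny?: string[] };
type EffectivePolicy = { allowAll: boolean; allow: string[]; deny: string[] };

// Constructed defaults; the article only states that `browser` is default-denied.
const DEFAULT_ALLOW: string[] = ["read", "write", "exec"];
const DEFAULT_DENY: string[] = ["browser"];

function unique(items: string[]): string[] {
  return items.filter((t, i) => items.indexOf(t) === i);
}

// Single resolver: the runtime check and the explain output both call this.
function resolveEffectivePolicy(cfg: SandboxTools = {}): EffectivePolicy {
  const alsoAllow = cfg.alsoAllow ?? [];
  // allow: [] means "no allowlist" (allow-all); alsoAllow must not narrow it.
  const allowAll = cfg.allow !== undefined && cfg.allow.length === 0;
  const base = cfg.allow ?? DEFAULT_ALLOW;
  const allow = allowAll ? [] : unique([...base, ...alsoAllow]);
  // Re-allow: a tool named in allow/alsoAllow leaves the default deny list.
  const reAllowed = [...(cfg.allow ?? []), ...alsoAllow];
  const defaultDeny = DEFAULT_DENY.filter((t) => reAllowed.indexOf(t) === -1);
  // Assumption: operator-supplied deny entries always win.
  return { allowAll, allow, deny: unique([...defaultDeny, ...(cfg.deny ?? [])]) };
}

function isToolAllowed(cfg: SandboxTools, tool: string): boolean {
  const p = resolveEffectivePolicy(cfg);
  if (p.deny.indexOf(tool) !== -1) return false;
  return p.allowAll || p.allow.indexOf(tool) !== -1;
}

// Reports the same effective policy the runtime check enforces.
function explain(cfg: SandboxTools): string {
  const p = resolveEffectivePolicy(cfg);
  const allow = p.allowAll ? "*" : p.allow.join(",");
  return "allow=" + allow + " deny=" + p.deny.join(",");
}

// Pre-fix behaviour the article describes: alsoAllow is dropped before resolving.
function isToolAllowedIgnoringAlsoAllow(cfg: SandboxTools, tool: string): boolean {
  return isToolAllowed({ ...cfg, alsoAllow: [] }, tool);
}
```

Because `explain` and `isToolAllowed` share one resolver, a regression test can assert that every tool the explain output lists as allowed also passes the runtime check, which is the drift the article warns about.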

Example Configuration

# Before: alsoAllow was silently ignored
agents:
  defaults:
    sandbox:
      mode: all
  list:
    - id: my-agent
      tools:
        sandbox:
          tools:
            alsoAllow: ["message", "tts"]  # Didn't work!

# After: alsoAllow works as documented
# Same config now correctly grants message + tts access

Regression Coverage

The PR includes comprehensive test coverage to prevent future regressions:

🔮 Implications

This fix is already merged (March 25, 2026). If you've been configuring alsoAllow and wondering why it wasn't working — update to the latest OpenClaw release.

The broader lesson: sandbox policy drift is subtle and dangerous. Having a single effective resolver shared by runtime, CLI, and auditing ensures configuration matches behavior.