When OpenClaw can run tools (files, terminal, web, integrations), the main safety lever you control is where tool calls execute and which tools are allowed. Today’s tip is a quick hardening pattern: use sandbox modes plus strict tool allowlists so untrusted content can’t turn into high-privilege actions.

Why this matters

Prompt injection doesn’t need to hack OpenClaw. It just needs to convince an agent with broad tool access to do something risky. Sandboxing and tool policies reduce blast radius by enforcing boundaries even when instructions are malicious.

Sandbox modes (choose one)

Many OpenClaw deployments support three sandbox levels:

  • Off: no isolation.
  • Non-main: secondary threads/groups run isolated while your primary session stays on-host (often the default).
  • All: every tool call runs in an isolated container; you can also control whether the workspace is mounted read-only or not mounted at all.

If you ever let OpenClaw read untrusted sources (web pages, shared chats, unknown skills), pick non-main or all as your baseline.

Step-by-step hardening checklist

1) Turn on sandboxing for risky contexts

sandbox.mode: "non-main"   # or "all" for maximum isolation

2) Use allowlists for tools (deny by default)

Start with the minimum set of tools needed for the job. For example, a research agent might only need read plus web search.

tools.allow:
  - read
  - web_search
# keep exec disabled unless absolutely required

3) Split roles across agents

Use a low-privilege agent to ingest untrusted text, and a separate high-privilege agent for controlled execution. This prevents a single injected instruction from jumping straight into terminal/file actions.

4) Minimize elevated tools

Some setups allow elevated tools to execute on the host (bypassing the container). Keep this list tiny and review it regularly.

5) Add a human checkpoint for high-risk actions

Even with sandboxing, add a confirmation gate for destructive or sensitive steps: deleting files, changing permissions, deploying code, exporting data, or posting publicly.
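To make the checklist concrete, here is a small policy gate, added as an example and not OpenClaw's own code. The keys sandbox.mode and tools.allow and the idea of an elevated-tools list come from this post; the tools.elevated name, the tool names, the HIGH_RISK_TOOLS set and the "keep the elevated list tiny" threshold are assumptions made for the example. It decides, for each tool call, whether the call is denied by the allowlist, runs in the container, runs on the host, or pauses for a human, and it lints a policy against the checklist's rules.

```python
"""Policy gate for agent tool calls, modelled on the hardening checklist.

Added illustration only: not OpenClaw's code. The keys sandbox.mode and
tools.allow appear in the post; tools.elevated, the tool names and the
HIGH_RISK_TOOLS set are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(str, Enum):
    DENY = "deny"                    # not on tools.allow (deny by default)
    RUN_SANDBOXED = "sandbox"        # execute inside the isolated container
    RUN_ON_HOST = "host"             # execute on the host, no isolation
    NEEDS_CONFIRMATION = "confirm"   # step 5: pause for a human first


# Step 5 categories (destructive / sensitive); the tool names are constructed.
HIGH_RISK_TOOLS = frozenset(
    {"delete_file", "chmod", "deploy", "export_data", "post_public"}
)


@dataclass(frozen=True)
class Policy:
    sandbox_mode: str                       # "off" | "non-main" | "all"
    allow: frozenset[str]                   # tools.allow
    elevated: frozenset[str] = frozenset()  # may bypass the container (step 4)


@dataclass(frozen=True)
class ToolCall:
    tool: str
    session_is_main: bool   # primary session vs secondary thread/group


def evaluate(policy: Policy, call: ToolCall) -> Verdict:
    """Decide where (or whether) a single tool call may run."""
    # Allowlist first: a tool that is not listed is denied, whatever else holds.
    if call.tool not in policy.allow:
        return Verdict.DENY
    # High-risk actions stop for confirmation even when they would be sandboxed.
    if call.tool in HIGH_RISK_TOOLS:
        return Verdict.NEEDS_CONFIRMATION
    # Elevated tools run on the host regardless of sandbox mode.
    if call.tool in policy.elevated:
        return Verdict.RUN_ON_HOST
    # Otherwise placement follows the sandbox mode.
    if policy.sandbox_mode == "all":
        return Verdict.RUN_SANDBOXED
    if policy.sandbox_mode == "non-main":
        return Verdict.RUN_ON_HOST if call.session_is_main else Verdict.RUN_SANDBOXED
    if policy.sandbox_mode == "off":
        return Verdict.RUN_ON_HOST
    raise ValueError(f"unknown sandbox mode: {policy.sandbox_mode!r}")


def lint_policy(policy: Policy, ingests_untrusted: bool) -> list[str]:
    """Check a policy against the checklist; an empty list means no findings."""
    findings: list[str] = []
    if ingests_untrusted and policy.sandbox_mode == "off":
        findings.append("sandbox.mode is off but untrusted sources are read; "
                        "use non-main or all")
    if "exec" in policy.allow:
        findings.append("tools.allow includes exec; keep it disabled unless required")
    if policy.elevated - policy.allow:
        findings.append("elevated tools must also be on tools.allow")
    if len(policy.elevated) > 1:   # threshold is arbitrary; keep the list tiny
        findings.append("more than one elevated tool; review and shrink the list")
    return findings


# Step 3: two agents with different privilege. The research agent ingests
# untrusted text with read + web_search only; the executor runs fully sandboxed.
RESEARCH = Policy("non-main", frozenset({"read", "web_search"}))
EXECUTOR = Policy("all", frozenset({"read", "write_file", "deploy"}))


if __name__ == "__main__":
    for pol, name in ((RESEARCH, "research"), (EXECUTOR, "executor")):
        for call in (ToolCall("exec", False), ToolCall("web_search", False),
                     ToolCall("read", True), ToolCall("deploy", True)):
            print(f"{name:9} {call.tool:11} -> {evaluate(pol, call).value}")
    weak = Policy("off", frozenset({"read", "exec", "chmod"}), frozenset({"chmod"}))
    for f in lint_policy(weak, ingests_untrusted=True):
        print("finding:", f)
```

The ordering in evaluate is the point: the allowlist is checked before anything else, so a high-risk or elevated tool that is not on tools.allow is simply denied rather than surfaced for confirmation, and the confirmation gate sits above sandbox placement so that a sandboxed deploy still waits for a human.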

Quick reminder: treat untrusted text as data

If instructions are found inside a web page, email, issue, or document, treat them as untrusted content, not commands. Your safest workflow is: ingest, summarize, decide, execute (only in a constrained environment).

Source: Nebius hardening guide (https://nebius.com/blog/posts/openclaw-security).
