Agent-installable Security Source review 2 minutes

exec-approvals

One public skill for the whole “why can’t this agent run commands?” mess.

Manage all OpenClaw exec approval settings — elevated access, obfuscation bypass, security posture, and per-provider allowlists. Use when an agent cannot run sudo/host commands, long commands are blocked as obfuscation, or when onboarding/auditing exec permissions across a fleet of agents. Covers elevated exec enablement, obfuscation check bypass, and security mode configuration.

Install contract
Source
enterprise-crew-skills/exec-approvals
Entrypoint
SKILL.md
Installability
Ready for agent install
Source spec
github:henrino3/enterprise-crew-skills/exec-approvals

This page is designed to be the thing you send to another agent. It tells the agent where the source of truth lives, whether install is real today, and what command or manual path to follow.

Canonical source
https://github.com/henrino3/enterprise-crew-skills/tree/main/exec-approvals
Install command
openclaw skills install github:henrino3/enterprise-crew-skills/exec-approvals
Prompt to hand another agent
Install the skill described on this page from github:henrino3/enterprise-crew-skills/exec-approvals. Review the source first, then run: openclaw skills install github:henrino3/enterprise-crew-skills/exec-approvals

Install steps

Step 1
Review the public skill source and the OpenClaw docs page before changing host-level access.
Step 2
Install the skill from GitHub.
Step 3
Apply the documented gateway or node-host examples exactly, then verify after restart.

What it covers

  • Skill contract
  • Persistent gateway-host "never prompt" setup from the docs
  • Host approvals file example
  • Local exec-policy yolo shortcut
  • Node-host approvals example

Good use cases

  • Set gateway-host exec to the documented no-approval mode
  • Match requested exec policy with host approvals defaults
  • Apply the same documented approvals posture to a node host

Published artifacts

Skill contract
github:henrino3/enterprise-crew-skills/exec-approvals/SKILL.md
Canonical public instructions for exec approvals and obfuscation bypass.
OpenClaw docs
https://docs.openclaw.ai/tools/exec-approvals
Published docs page whose examples this page now mirrors exactly.

Current published config examples

Persistent gateway-host "never prompt" setup
openclaw config set tools.exec.host gateway
openclaw config set tools.exec.security full
openclaw config set tools.exec.ask off
openclaw gateway restart
Then set the host approvals file to match
openclaw approvals set --stdin <<'EOF'
{
  version: 1,
  defaults: {
    security: "full",
    ask: "off",
    askFallback: "full"
  }
}
EOF
Local shortcut for the same gateway-host policy on the current machine
openclaw exec-policy preset yolo
For a node host, apply the same approvals file on that node instead
openclaw approvals set --node <id|name|ip> --stdin <<'EOF'
{
  version: 1,
  defaults: {
    security: "full",
    ask: "off",
    askFallback: "full"
  }
}
EOF

Current limits

  • This changes powerful host-exec behavior, so source review is mandatory before install.
  • If the host approvals file stays stricter than config, the stricter host policy still wins.
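
For the fleet-audit use case in the description, the following added example (not part of the skill or the OpenClaw docs) labels approvals documents by how many of the three "never prompt" defaults shown above they carry. It assumes each host's approvals document has already been collected as text; the host names and every sample document except the first are constructed, and the function names are hypothetical.

```python
import json
import re

# Defaults the page documents for the "never prompt" posture.
NEVER_PROMPT = {"security": "full", "ask": "off", "askFallback": "full"}

# A bare object key (`version:`) following `{` or `,`, so it can be quoted for json.
_BARE_KEY = re.compile(r'([{,]\s*)([A-Za-z_]\w*)(\s*:)')


def parse_approvals(text):
    """Parse an approvals document written with unquoted keys, as in the heredoc.

    Simplification: a string value containing `, word:` would be rewritten too.
    """
    doc = json.loads(_BARE_KEY.sub(r'\1"\2"\3', text))
    if not isinstance(doc, dict):
        raise ValueError("top level is not an object")
    return doc


def permissive_keys(text):
    """Return the sorted default keys that carry the never-prompt value."""
    defaults = parse_approvals(text).get("defaults")
    if not isinstance(defaults, dict):
        return []
    return sorted(k for k, v in NEVER_PROMPT.items() if defaults.get(k) == v)


def classify(text):
    """Label one approvals document for a fleet audit report."""
    try:
        hits = permissive_keys(text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return "unparseable"
    if len(hits) == len(NEVER_PROMPT):
        return "never-prompt"
    return "partial: " + ",".join(hits) if hits else "no never-prompt defaults"


# Constructed sample fleet: host names and all but the first document are made up.
FLEET = {
    "gw-01": '{ version: 1, defaults: { security: "full", ask: "off", askFallback: "full" } }',
    "node-02": '{ version: 1, defaults: { security: "full" } }',
    "node-03": '{ version: 1 }',
    "node-04": '{ version: 1, defaults: ',  # truncated on purpose
}

if __name__ == "__main__":
    for host, doc in FLEET.items():
        print(f"{host}: {classify(doc)}")
```

Hosts labelled never-prompt or partial are the ones to compare against the intended exec policy before and after a restart.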