OpenClaw's 'Allow Always' Feature Security Flaws and Safer Alternatives

OpenClaw Approval System Vulnerabilities
OpenClaw's approval system asks the user "can I do this?" before the agent runs a command, offering either a one-time approval or "allow always". Two recent CVEs show that the "allow always" option is a security risk in itself.
Specific Security Issues
CVE-2026-29607: The "allow always" approval binds to the wrapper command, not to the inner command it runs. If you approve "time npm test" with "always", the system remembers "always allow time". Later, when the agent runs "time rm -rf /" (on its own, or because a prompt injection told it to), the command executes without a new prompt, because the stored rule matches the wrapper.
CVE-2026-28460: This vulnerability bypasses the allowlist entirely using shell line-continuation characters (a backslash at the end of a line, which the shell joins with the line that follows). The technique is different, but the outcome is the same: the shell executes something other than what the approval check evaluated, so the command runs without the approval you thought was protecting you.
Both vulnerabilities are patched in OpenClaw 3.12+, but the deeper issue remains.
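The two failure shapes above, as an added example that is not OpenClaw's code: a toy command-approval allowlist in Python whose naive check keys an "always" rule on the first token of the first line (reproducing both the wrapper-binding and the line-continuation bypass), beside a hardened check that joins backslash-newline continuations the way the shell does, splits the result into simple commands, strips wrapper programs, and requires every simple command to match a rule exactly. The wrapper list, the rule-key scheme and all sample commands are assumptions made for the demonstration, and the naive checker is one plausible shape of such a bug, not the actual OpenClaw implementation.

```python
import shlex

# Added example, not OpenClaw's code. A toy model of an agent command-approval
# allowlist: a naive check with the two bug shapes, and a hardened replacement.
# WRAPPERS, WRAPPER_POSITIONAL and every sample command are assumptions for the demo.

# Programs that merely run whatever follows them. An "always" rule must bind to the
# inner program, never to the wrapper, or "always allow time" means "always allow anything".
WRAPPERS = {"time", "nice", "nohup", "env", "timeout", "stdbuf", "ionice"}
# Positional arguments a wrapper consumes before the inner command (timeout DURATION cmd).
WRAPPER_POSITIONAL = {"timeout": 1}
# Tokens that start a new simple command on the same logical line.
SEPARATORS = {";", "&&", "||", "|", "&"}


def naive_rule_key(command: str) -> str:
    """Buggy: keys the rule on the first token of the first physical line the user saw."""
    tokens = command.split("\n", 1)[0].split()
    return tokens[0] if tokens else ""


def naive_is_preapproved(command: str, always_rules: set[str]) -> bool:
    """Buggy: matches only the wrapper, and only on the first physical line."""
    return naive_rule_key(command) in always_rules


def join_continuations(command: str) -> str:
    """Undo backslash-newline exactly as the shell does, before anything else reads the text."""
    return command.replace("\\\n", "")


def split_simple_commands(line: str) -> list[list[str]]:
    """Tokenise one logical line and split it at ; && || | & into simple commands."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:  # raises ValueError on unbalanced quotes or a dangling escape
        if token in SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def simple_commands(command: str) -> list[list[str]]:
    """All simple commands in a (possibly multi-line) command string, shell-normalised."""
    logical = join_continuations(command)
    return [c for line in logical.split("\n") for c in split_simple_commands(line)]


def inner_command(argv: list[str]) -> list[str]:
    """Strip wrapper programs, their flags and VAR=value assignments; return the real argv.
    Flags that take a separate value (nice -n 10) are deliberately not modelled: the
    leftover value then becomes the key, matches no rule, and the check fails closed."""
    i = 0
    while i < len(argv) and argv[i] in WRAPPERS:
        positional = WRAPPER_POSITIONAL.get(argv[i], 0)
        i += 1
        while i < len(argv):
            if argv[i].startswith("-") or "=" in argv[i]:
                i += 1
            elif positional:
                positional -= 1
                i += 1
            else:
                break
    return argv[i:]


def hardened_rule_key(command: str) -> str:
    """Key for an 'always' rule: the exact inner argv of exactly one simple command."""
    commands = simple_commands(command)
    if len(commands) != 1:
        raise ValueError("approve compound commands one simple command at a time")
    return " ".join(inner_command(commands[0]))


def hardened_is_preapproved(command: str, always_rules: set[str]) -> bool:
    """Normalise as the shell would, then require every simple command to match a rule
    exactly. Anything the tokenizer cannot parse is not pre-approved (fail closed)."""
    try:
        commands = simple_commands(command)
    except ValueError:
        return False
    return bool(commands) and all(" ".join(inner_command(c)) in always_rules for c in commands)


if __name__ == "__main__":
    # Constructed scenario: the user clicked "always" on these two prompts.
    approved = ["time npm test", "npm test"]
    naive_rules = {naive_rule_key(c) for c in approved}        # {"time", "npm"}
    hardened_rules = {hardened_rule_key(c) for c in approved}  # {"npm test"}

    later = [
        "time npm test",               # legitimately covered by the approval
        "time rm -rf /",               # wrapper-binding shape of CVE-2026-29607
        "npm test \\\n; rm -rf /",     # line-continuation shape of CVE-2026-28460
        "env CI=1 time -p npm test",   # approved command stacked behind two wrappers
    ]
    for cmd in later:
        print(repr(cmd), "naive:", naive_is_preapproved(cmd, naive_rules),
              "hardened:", hardened_is_preapproved(cmd, hardened_rules))
```

Running the script prints, for each later command, whether the naive and the hardened check would let it run without a prompt: the wrapped rm and the line-continuation variant pass the naive check and fail the hardened one, while the approved command still passes under both, even when stacked behind env and time. The hardened check deliberately fails closed on anything it cannot parse, and it keys rules on the full inner argv rather than a prefix, so "npm test --watch" would prompt again rather than ride on the "npm test" approval.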
The Behavioral Security Problem
Even after patching, "allow always" trains users to stop paying attention. At first, users read every approval prompt carefully. By week 3 they are clicking "always" on everything, because the prompts become annoying and trust in the agent builds. By week 6 they have accumulated 20+ "always" rules they could not list if asked.
Recommended Alternative Approach
The source author recommends: no "allow always" for anything that modifies files, sends messages, or runs shell commands. Instead, add explicit guardrails in your SOUL.md file:
"for any action that modifies files, sends communications, or executes shell commands: show me exactly what you plan to do and wait for my explicit ok. previous approvals do not carry forward. ask every time. this is non-negotiable."
This approach means more tapping "ok" on interfaces like Telegram, but it prevents the agent from executing destructive actions under a stale approval, whether it was tricked by prompt injection or simply hallucinated the command. Note that a SOUL.md instruction is guidance to the model, not an enforced control, and the same prompt injection can argue against it; the part of the recommendation that actually holds is the first one, never granting "always" for those action classes in the tool itself.
Key Takeaway
The approval system is a convenience feature that was never designed as a security boundary. Treat it accordingly.
📖 Read the full source: r/openclaw
👀 See Also

AI Security Researchers: Your 0-Day Vulnerabilities May Leak via Data Opt-In Toggle
The 'Improve the model for everyone' toggle in LLM interfaces can automatically harvest deep red-teaming research, sending your vulnerability concepts to vendor safety teams and potentially to academic papers before you publish. Disable data sharing before conducting serious security research.

AppLovin Mediation Cipher Broken: Device Fingerprinting Bypasses ATT
Reverse-engineering revealed that AppLovin's custom cipher uses a constant salt + SDK key, a SplitMix64 PRNG, and no authentication. Decrypted requests carry ~50 device fields (hardware model, screen size, locale, boot time, etc.) even when ATT is denied, enabling deterministic re-identification across apps.

The Uniformed Guard Problem: Why Agent Sandboxes Need Identity, Not Just Policy
Nemoclaw's openshell sandbox scopes policies to binaries, which lets malware live off the land using the same binaries the agent uses. ZeroID, an open-source agent identity layer, applies security policies to agents backed by secure identities instead.

Security Alert for Local OpenClaw Instances Without Sandboxing
A Reddit post warns that running vanilla OpenClaw instances locally without proper isolation can lead to exposed API keys, accidental file deletion, and data leaks. The source recommends sandboxing bash tools or using a managed service.