OpenClaw Update Fix: Resolving Telegram Exec 'allowlist miss' Errors

Telegram Exec Failures After OpenClaw Update
After a recent OpenClaw update, users reported Telegram bots and channels responding normally but exec commands consistently failing with the error: exec denied: allowlist miss. This occurred even after addressing obvious permission and approval issues.
Root Cause: Three Separate Gates
The failure resulted from three configuration issues:
- Telegram elevated access wasn't enabled: Elevated exec requires explicit enablement plus an allowlist for who can request it
- Exec approvals weren't configured for Telegram: OpenClaw either couldn't prompt for approvals on Telegram or kept waiting for approvals that were never meant to be used
- Gateway-host exec defaulted to allowlist: When using elevated exec, execution switches to host=gateway. Without explicit tools.exec.security settings, gateway-host exec defaults to allowlist, causing the persistent error
Complete Fix Configuration
Step 1 — Enable elevated access for Telegram in openclaw.json:

    "elevated": {
      "enabled": true,
      "allowFrom": {
        "telegram": [
          "YOUR_TELEGRAM_USER_ID",
          "telegram:group:YOUR_GROUP_ID"
        ]
      }
    }

Step 2 — Allow shell-style commands in Telegram in openclaw.json:

    "commands": {
      "text": true,
      "bash": true,
      "allowFrom": {
        "telegram": [
          "YOUR_TELEGRAM_USER_ID"
        ]
      }
    }

Step 3 — Disable exec approval prompts globally in exec-approvals.json:

    "defaults": {
      "security": "full",
      "ask": "off",
      "askFallback": "full"
    }

Step 4 — The key fix: set exec security + host explicitly in openclaw.json:

    "exec": {
      "security": "full",
      "host": "gateway"
    }

Full Working Configuration
~/.openclaw/openclaw.json:

    "tools": {
      "profile": "coding",
      "elevated": {
        "enabled": true,
        "allowFrom": {
          "telegram": [
            "YOUR_TELEGRAM_USER_ID",
            "telegram:group:YOUR_GROUP_ID"
          ]
        }
      },
      "exec": {
        "security": "full",
        "host": "gateway"
      }
    },
    "commands": {
      "native": "auto",
      "restart": true,
      "text": true,
      "bash": true,
      "allowFrom": {
        "telegram": [
          "YOUR_TELEGRAM_USER_ID"
        ]
      }
    }

~/.openclaw/exec-approvals.json:

    "defaults": {
      "security": "full",
      "ask": "off",
      "askFallback": "full"
    }

Testing the Fix
After applying the configuration:
- Restart the gateway: openclaw gateway restart
- Start a fresh Telegram session with /new
- Test with ! pwd
The key insight: when Telegram exec fails after an update, the issue may not be Telegram permissions or approvals. Elevated exec moves to host=gateway, and gateway exec security defaults to allowlist unless explicitly set to "full" with host: "gateway".
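An added example, not part of the original post or of OpenClaw itself: a small audit of the two files against the three gates described above, which also lists who can run gateway-host commands with no approval prompt once every gate is open. It assumes the fragments sit under one top-level JSON object as in the full configuration; the IDs are constructed and the function names (dig, audit, fixed) are hypothetical.

```python
import json

# Constructed sample: the page's "Full Working Configuration" wrapped in a
# top-level object (assumed layout), with the tools.exec block left out.
BROKEN = json.loads("""
{"tools": {"elevated": {"enabled": true,
                        "allowFrom": {"telegram": ["111", "telegram:group:-222"]}}},
 "commands": {"text": true, "bash": true, "allowFrom": {"telegram": ["111"]}}}
""")
APPROVALS = json.loads('{"defaults": {"security": "full", "ask": "off", "askFallback": "full"}}')


def dig(cfg, path, default=None):
    """Walk a dotted path through nested dicts; return default if any key is missing."""
    for key in path.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return default
        cfg = cfg[key]
    return cfg


def audit(openclaw, approvals):
    """Return (gates still closed, principals who get unprompted exec)."""
    closed = []
    elevated_from = dig(openclaw, "tools.elevated.allowFrom.telegram", [])
    if dig(openclaw, "tools.elevated.enabled") is not True or not elevated_from:
        closed.append("elevated")
    if dig(approvals, "defaults.ask") != "off" or dig(approvals, "defaults.security") != "full":
        closed.append("approvals")
    # Per the page, gateway-host exec falls back to allowlist unless both are set.
    if dig(openclaw, "tools.exec.security") != "full" or dig(openclaw, "tools.exec.host") != "gateway":
        closed.append("gateway-exec")
    # With every gate open, each allowFrom entry can run commands with no prompt.
    exposed = sorted(elevated_from) if not closed else []
    return closed, exposed


def fixed(openclaw):
    """Copy of the config with Step 4 applied."""
    out = json.loads(json.dumps(openclaw))
    out.setdefault("tools", {})["exec"] = {"security": "full", "host": "gateway"}
    return out


if __name__ == "__main__":
    print(audit(BROKEN, APPROVALS))
    print(audit(fixed(BROKEN), APPROVALS))
```

The second tuple element is the list to review before restarting the gateway: a group entry there extends unprompted exec to whatever that entry matches, not only to the single user ID.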
📖 Read the full source: r/openclaw