* fix(agents): filter bundled tools through final policy

* changelog: filter bundled tools through final policy (#68195)

* forward agentId into compaction tool-policy filter

  Pass effectiveSkillAgentId to applyFinalEffectiveToolPolicy in the compaction path so per-agent tool policies apply to bundled tools during compaction the same way they do during normal runs.

* scope final tool-policy filter to bundled tools only

  Running the full tool-policy pipeline on the merged core + bundled tool list re-filters core tools whose plugin WeakMap metadata no longer survives the normalize/hook wrappers applied by createOpenClawCodingTools(). Narrow the helper to only the newly-appended bundled MCP/LSP tools so plugin-provided core tools keep matching group:plugins and plugin-id allowlist entries.

* harden authorization signals on final tool policy

  - message.action gateway handler now server-derives senderIsOwner from the authenticated gateway client scopes (ADMIN_SCOPE on client.connect.scopes) and ignores any senderIsOwner value on the wire, so a non-admin scoped caller cannot spoof owner status to unlock owner-only channel actions or owner-only tool policy. Schema keeps the field optional for wire compat but documents that it is ignored.
  - applyFinalEffectiveToolPolicy now cross-checks caller-provided groupId against the session-derived group context resolved from sessionKey (and spawnedBy). When they disagree, the caller groupId plus its adjacent groupChannel/groupSpace are dropped and a warn is emitted, so a caller that fabricates a different group id cannot reach a more permissive group-scoped tool policy during the final bundled-tool filter. Added a JSDoc trust invariant on the helper input describing the required server-verified identity contract.

* align compact agentId resolution with core tools

  Drop the explicit agentId on applyFinalEffectiveToolPolicy during compaction. The core tool set produced just above via createOpenClawCodingTools(...) also omits agentId, so resolveEffectiveToolPolicy falls back to resolveAgentIdFromSessionKey(sessionKey) in both places. Passing effectiveSkillAgentId only to the final filter made the two policy lookups diverge on legacy/non-agent session keys where the sessionKey path resolves to main but effectiveSkillAgentId follows the configured default-agent path, which could deny or allow bundled tools under a different per-agent policy than the already-created core tools.

* tighten trusted propagation for owner and group signals

  - message.action gateway handler: full-operator callers (shared-secret bearer or operator.admin scope) now propagate the request-provided senderIsOwner through to channel action handlers instead of having it hard-coded off. Previously the hardened path force-derived ownership from ADMIN_SCOPE alone, which broke owner-gated actions when the trusted runtime forwards them via the least-privilege gateway path (callGatewayLeastPrivilege requests only the method scope, so even legitimate owner senders were downgraded to senderIsOwner=false). Narrowly-scoped callers (e.g. operator.write-only) still have the wire value forced to false so a non-admin caller cannot assert ownership.
  - applyFinalEffectiveToolPolicy: fail-closed when the session key and spawnedBy encode no group context. Previously the helper only dropped a caller-provided groupId that conflicted with a non-empty set of session-derived group ids, which left an accept-caller fallback open when the session had no group context at all (direct/cron/subagent session keys). An attacker who could run without a group-bound session could then supply an arbitrary groupId and reach a more permissive group-scoped tool policy. Now: no session-derived group context plus any caller-provided groupId drops the caller value and warns.

* suppress unavailable-core-tool warnings in bundled-only pass

  applyToolPolicyPipeline infers its coreToolNames reference set from the tools array it is filtering. The bundled-only second pass only sees the MCP/LSP subset, so normal core allowlist entries (for example tools.allow: ['read', 'exec']) would look "unknown" during this pass and emit misleading warnings even when the config is valid for the full effective tool set — polluting logs and potentially evicting real diagnostics from the shared warning cache. Set suppressUnavailableCoreToolWarning on every step of this pass so known core-tool allowlist entries stay silent; genuinely unknown entries still surface through the otherEntries warning path.
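
The two trust rules the commit message describes (owner status honoured only for full-operator callers, and a caller-supplied groupId kept only when the session vouches for it) can be sketched as follows. This is an added example, not code from the OpenClaw repository: the function names, argument shapes and the `operator.write` sample scope are assumptions, and the session-derived group ids are taken as already resolved from sessionKey/spawnedBy.

```javascript
// Added illustration; function and field names are hypothetical, not OpenClaw's API.
const ADMIN_SCOPE = "operator.admin"; // scope name as given in the commit message

// Owner status: only full-operator callers (shared-secret bearer or admin scope)
// may pass the wire value through; every other caller is forced to false.
function deriveSenderIsOwner({ scopes = [], sharedSecretAuth = false, wireSenderIsOwner }) {
  const fullOperator = sharedSecretAuth || scopes.includes(ADMIN_SCOPE);
  return fullOperator ? wireSenderIsOwner === true : false;
}

// Group context: the caller's groupId survives only when the session-derived
// ids contain it. groupChannel/groupSpace are dropped together with it.
function trustedGroupContext({ groupId, groupChannel, groupSpace }, sessionGroupIds) {
  const warnings = [];
  if (groupId === undefined || groupId === null) {
    return { group: {}, warnings }; // no caller claim to check
  }
  const derived = new Set(sessionGroupIds);
  if (derived.size === 0) {
    // Fail closed: a direct/cron/subagent session cannot vouch for any group.
    warnings.push(`dropping groupId ${JSON.stringify(groupId)}: session has no group context`);
    return { group: {}, warnings };
  }
  if (!derived.has(groupId)) {
    warnings.push(`dropping groupId ${JSON.stringify(groupId)}: disagrees with session`);
    return { group: {}, warnings };
  }
  return { group: { groupId, groupChannel, groupSpace }, warnings };
}

// Constructed sample calls.
console.log(deriveSenderIsOwner({ scopes: ["operator.write"], wireSenderIsOwner: true }));
console.log(trustedGroupContext({ groupId: "g-2", groupChannel: "general" }, []));
console.log(trustedGroupContext({ groupId: "g-1", groupChannel: "general" }, ["g-1"]));
```
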
🦞 OpenClaw — Personal AI Assistant
EXFOLIATE! EXFOLIATE!
OpenClaw is a personal AI assistant you run on your own devices. It answers you on the channels you already use. It can speak and listen on macOS/iOS/Android, and can render a live Canvas you control. The Gateway is just the control plane — the product is the assistant.
If you want a personal, single-user assistant that feels local, fast, and always-on, this is it.
Supported channels include: WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, BlueBubbles, IRC, Microsoft Teams, Matrix, Feishu, LINE, Mattermost, Nextcloud Talk, Nostr, Synology Chat, Tlon, Twitch, Zalo, Zalo Personal, WeChat, QQ, WebChat.
New install? Start here: Getting started
Preferred setup: run openclaw onboard in your terminal.
OpenClaw Onboard guides you step by step through setting up the gateway, workspace, channels, and skills. It is the recommended CLI setup path and works on macOS, Linux, and Windows (via WSL2; strongly recommended).
Works with npm, pnpm, or bun.
Subscriptions (OAuth):
- OpenAI (ChatGPT/Codex)
Model note: while many providers and models are supported, prefer a current flagship model from the provider you trust and already use. See Onboarding.
Install (recommended)
Runtime: Node 24 (recommended) or Node 22.16+.
npm install -g openclaw@latest
# or: pnpm add -g openclaw@latest
openclaw onboard --install-daemon
OpenClaw Onboard installs the Gateway daemon (launchd/systemd user service) so it stays running.
Quick start (TL;DR)
Runtime: Node 24 (recommended) or Node 22.16+.
Full beginner guide (auth, pairing, channels): Getting started
openclaw onboard --install-daemon
openclaw gateway --port 18789 --verbose
# Send a message
openclaw message send --to +1234567890 --message "Hello from OpenClaw"
# Talk to the assistant (optionally deliver back to any connected channel: WhatsApp/Telegram/Slack/Discord/Google Chat/Signal/iMessage/BlueBubbles/IRC/Microsoft Teams/Matrix/Feishu/LINE/Mattermost/Nextcloud Talk/Nostr/Synology Chat/Tlon/Twitch/Zalo/Zalo Personal/WeChat/QQ/WebChat)
openclaw agent --message "Ship checklist" --thinking high
Upgrading? Updating guide (and run openclaw doctor).
Models config + CLI: Models. Auth profile rotation + fallbacks: Model failover.
Security defaults (DM access)
OpenClaw connects to real messaging surfaces. Treat inbound DMs as untrusted input.
Full security guide: Security
Default behavior on Telegram/WhatsApp/Signal/iMessage/Microsoft Teams/Discord/Google Chat/Slack:
- DM pairing (dmPolicy="pairing" / channels.discord.dmPolicy="pairing" / channels.slack.dmPolicy="pairing"; legacy: channels.discord.dm.policy, channels.slack.dm.policy): unknown senders receive a short pairing code and the bot does not process their message.
- Approve with: openclaw pairing approve <channel> <code> (then the sender is added to a local allowlist store).
- Public inbound DMs require an explicit opt-in: set dmPolicy="open" and include "*" in the channel allowlist (allowFrom / channels.discord.allowFrom / channels.slack.allowFrom; legacy: channels.discord.dm.allowFrom, channels.slack.dm.allowFrom).
Run openclaw doctor to surface risky/misconfigured DM policies.
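
A small audit over an already-parsed config object shows how the pairing default, the open opt-in and the legacy key spellings interact. This is an added example, not OpenClaw's code and not what openclaw doctor actually runs: the issue labels are made up here, and it assumes each block under `channels` uses the same `dmPolicy`/`allowFrom` (or legacy `dm.policy`/`dm.allowFrom`) keys shown above for discord and slack.

```javascript
// Added illustration: issue labels are this example's own, not `openclaw doctor` output.
function auditDmPolicies(config) {
  const findings = [];
  for (const [channel, ch] of Object.entries(config.channels ?? {})) {
    // Current keys first, then the legacy dm.policy / dm.allowFrom spellings.
    const policy = ch.dmPolicy ?? ch.dm?.policy ?? "pairing"; // pairing is the default
    const allowFrom = ch.allowFrom ?? ch.dm?.allowFrom ?? [];
    const wildcard = allowFrom.includes("*");
    if (policy === "open" && wildcard) {
      findings.push({ channel, issue: "public-dms" }); // explicit opt-in is complete
    } else if (policy === "open") {
      findings.push({ channel, issue: "open-without-wildcard" }); // only half the opt-in
    } else if (wildcard) {
      findings.push({ channel, issue: "wildcard-allowlist" }); // "*" outside open mode
    }
  }
  return findings;
}

// Constructed sample configs (values are made up for the example).
const riskyConfig = {
  channels: {
    discord: { dmPolicy: "open", allowFrom: ["*"] },
    slack: { dm: { policy: "open", allowFrom: ["U0000000"] } }, // legacy keys
  },
};
const defaultConfig = { channels: { discord: {}, slack: { dmPolicy: "pairing" } } };

console.log(auditDmPolicies(riskyConfig));
console.log(auditDmPolicies(defaultConfig));
```
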
Highlights
- Local-first Gateway — single control plane for sessions, channels, tools, and events.
- Multi-channel inbox — WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, BlueBubbles (iMessage), iMessage (legacy), IRC, Microsoft Teams, Matrix, Feishu, LINE, Mattermost, Nextcloud Talk, Nostr, Synology Chat, Tlon, Twitch, Zalo, Zalo Personal, WeChat, QQ, WebChat, macOS, iOS/Android.
- Multi-agent routing — route inbound channels/accounts/peers to isolated agents (workspaces + per-agent sessions).
- Voice Wake + Talk Mode — wake words on macOS/iOS and continuous voice on Android (ElevenLabs + system TTS fallback).
- Live Canvas — agent-driven visual workspace with A2UI.
- First-class tools — browser, canvas, nodes, cron, sessions, and Discord/Slack actions.
- Companion apps — macOS menu bar app + iOS/Android nodes.
- Onboarding + skills — onboarding-driven setup with bundled/managed/workspace skills.
Security model (important)
- Default: tools run on the host for the main session, so the agent has full access when it is just you.
- Group/channel safety: set agents.defaults.sandbox.mode: "non-main" to run non-main sessions inside per-session Docker sandboxes.
- Typical sandbox default: allow bash, process, read, write, edit, sessions_list, sessions_history, sessions_send, sessions_spawn; deny browser, canvas, nodes, cron, discord, gateway.
- Before exposing anything remotely, read Security, Docker sandboxing, and Configuration.
Operator quick refs
- Chat commands: /status, /new, /reset, /compact, /think <level>, /verbose on|off, /trace on|off, /usage off|tokens|full, /restart, /activation mention|always
- Session tools: sessions_list, sessions_history, sessions_send
- Skills registry: ClawHub
- Architecture overview: Architecture
Docs by goal
- New here: Getting started, Onboarding, Updating
- Channel setup: Channels index, WhatsApp, Telegram, Discord, Slack
- Apps + nodes: macOS, iOS, Android, Nodes
- Config + security: Configuration, Security, Docker sandboxing
- Remote + web: Gateway, Remote access, Tailscale, Web surfaces
- Tools + automation: Tools, Skills, Cron jobs, Webhooks, Gmail Pub/Sub
- Internals: Architecture, Agent, Session model, Gateway protocol
- Troubleshooting: Channel troubleshooting, Logging, Docs home
Apps (optional)
The Gateway alone delivers a great experience. All apps are optional and add extra features.
If you plan to build/run companion apps, follow the platform runbooks below.
macOS (OpenClaw.app) (optional)
- Menu bar control for the Gateway and health.
- Voice Wake + push-to-talk overlay.
- WebChat + debug tools.
- Remote gateway control over SSH.
Note: signed builds required for macOS permissions to stick across rebuilds (see macOS Permissions).
iOS node (optional)
- Pairs as a node over the Gateway WebSocket (device pairing).
- Voice trigger forwarding + Canvas surface.
- Controlled via openclaw nodes ….
Runbook: iOS connect.
Android node (optional)
- Pairs as a WS node via device pairing (openclaw devices ...).
- Exposes Connect/Chat/Voice tabs plus Canvas, Camera, Screen capture, and Android device command families.
- Runbook: Android connect.
From source (development)
Prefer pnpm for builds from source. Bun is optional for running TypeScript directly.
git clone https://github.com/openclaw/openclaw.git
cd openclaw
pnpm install
pnpm ui:build # auto-installs UI deps on first run
pnpm build
pnpm openclaw onboard --install-daemon
# Dev loop (auto-reload on source/config changes)
pnpm gateway:watch
Note: pnpm openclaw ... runs TypeScript directly (via tsx). pnpm build produces dist/ for running via Node / the packaged openclaw binary.
Development channels
- stable: tagged releases (vYYYY.M.D or vYYYY.M.D-<patch>), npm dist-tag latest.
- beta: prerelease tags (vYYYY.M.D-beta.N), npm dist-tag beta (macOS app may be missing).
- dev: moving head of main, npm dist-tag dev (when published).
Switch channels (git + npm): openclaw update --channel stable|beta|dev.
Details: Development channels.
Agent workspace + skills
- Workspace root: ~/.openclaw/workspace (configurable via agents.defaults.workspace).
- Injected prompt files: AGENTS.md, SOUL.md, TOOLS.md.
- Skills: ~/.openclaw/workspace/skills/<skill>/SKILL.md.
Configuration
Minimal ~/.openclaw/openclaw.json (model + defaults):
{
  agent: {
    model: "<provider>/<model-id>",
  },
}
Full configuration reference (all keys + examples).
Molty
OpenClaw was built for Molty, a space lobster AI assistant. 🦞 by Peter Steinberger and the community.
Community
See CONTRIBUTING.md for guidelines, maintainers, and how to submit PRs. AI/vibe-coded PRs welcome! 🤖
Special thanks to Mario Zechner for his support and for pi-mono. Special thanks to Adam Doppelt for the lobster.bot domain.