OpenClaw's 'Allow Always' Feature Security Flaws and Safer Alternatives

OpenClaw Approval System Vulnerabilities
OpenClaw's approval system asks users "can I do this?" before running a command, offering the choice to approve once or approve always. The "allow always" option has been identified as a security risk through two recent CVEs.
Specific Security Issues
CVE-2026-29607: The "allow always" approval binds to the wrapper command, not the inner command. If you approve "time npm test" with "always," the system remembers "always allow time." Later, if the agent (on its own or via prompt injection) runs "time rm -rf /", it executes without re-prompting because the standing approval covers the wrapper command.
CVE-2026-28460: This vulnerability bypasses the allowlist entirely using shell line-continuation characters. Different technique, same outcome: commands execute without the approval check you thought was protecting you.
Both vulnerabilities are patched in OpenClaw 3.12+, but the deeper issue remains.
The Behavioral Security Problem
Even after patching, the "allow always" mental model trains users to stop paying attention. Initially, users carefully read every approval prompt. By week 3, they're clicking "always" on everything because the prompts become annoying and trust in the agent builds. By week 6, users have accumulated 20+ "always" rules they couldn't list if asked.
Recommended Alternative Approach
The source author recommends: no "allow always" for anything that modifies files, sends messages, or runs shell commands. Instead, add explicit guardrails in your SOUL.md file:
"for any action that modifies files, sends communications, or executes shell commands: show me exactly what you plan to do and wait for my explicit ok. previous approvals do not carry forward. ask every time. this is non-negotiable."
This approach means more tapping "ok" on interfaces like Telegram, but it prevents the agent from being tricked, via prompt injection or its own hallucination, into executing destructive actions under stale approvals.
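To make the wrapper-binding flaw and the recommended guardrail concrete, here is an added example (not OpenClaw's code) contrasting a policy that keys an "always" rule on the first token with one that unwraps known wrapper commands, keys the rule on the full parsed command, and refuses to persist "always" for mutating commands. The WRAPPERS and MUTATING sets are assumptions made for the illustration, not OpenClaw's real lists.

```python
import shlex

# Assumed for illustration only: wrappers that run another command, and a
# hypothetical classification of commands that modify files or state.
WRAPPERS = {"time", "env", "nice", "nohup"}
MUTATING = {"rm", "mv", "dd", "chmod", "git", "curl"}


def unwrap(argv):
    """Strip leading wrapper commands so a rule binds to the command that actually runs."""
    while argv and argv[0] in WRAPPERS:
        argv = argv[1:]
    return argv


class FlawedPolicy:
    """Mirrors the CVE-2026-29607 behaviour: 'always' remembers only the first token."""

    def __init__(self):
        self.always = set()

    def approve_always(self, command):
        self.always.add(shlex.split(command)[0])
        return True

    def needs_prompt(self, command):
        return shlex.split(command)[0] not in self.always


class HardenedPolicy:
    """Keys the rule on the unwrapped argv and never persists 'always' for mutating commands."""

    def __init__(self):
        self.always = set()

    def approve_always(self, command):
        argv = unwrap(shlex.split(command))
        if not argv or argv[0] in MUTATING:
            return False  # refuse to create a standing approval; ask every time
        self.always.add(tuple(argv))
        return True

    def needs_prompt(self, command):
        argv = unwrap(shlex.split(command))
        return tuple(argv) not in self.always
```

With the flawed policy, approving "time npm test" silently covers "time rm -rf /"; with the hardened one, the destructive command still prompts and cannot be given a standing approval at all.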
Key Takeaway
The approval system is a convenience feature that was never designed as a security boundary. Treat it accordingly.
Read the full source: r/openclaw