OpenClaw Update Fix: Resolving Telegram Exec 'allowlist miss' Errors
Telegram Exec Failures After OpenClaw Update
After a recent OpenClaw update, users reported Telegram bots and channels responding normally but exec commands consistently failing with the error: exec denied: allowlist miss. This occurred even after addressing obvious permission and approval issues.
Root Cause: Three Separate Gates
The failure resulted from three configuration issues:
- Telegram elevated access wasn't enabled: Elevated exec requires explicit enablement plus an allowlist for who can request it
- Exec approvals weren't configured for Telegram: OpenClaw either couldn't prompt for approvals on Telegram or kept waiting for approvals not intended for use
- Gateway-host exec defaulted to allowlist: When using elevated exec, execution switches to host=gateway. Without explicit
tools.exec.securitysettings, gateway-host exec defaults to allowlist, causing the persistent error
Complete Fix Configuration
Step 1 — Enable elevated access for Telegram in openclaw.json:
"elevated": {
"enabled": true,
"allowFrom": {
"telegram": [
"YOUR_TELEGRAM_USER_ID",
"telegram:group:YOUR_GROUP_ID"
]
}
}Step 2 — Allow shell-style commands in Telegram in openclaw.json:
"commands": {
"text": true,
"bash": true,
"allowFrom": {
"telegram": [
"YOUR_TELEGRAM_USER_ID"
]
}
}Step 3 — Disable exec approval prompts globally in exec-approvals.json:
"defaults": {
"security": "full",
"ask": "off",
"askFallback": "full"
}Step 4 — The key fix: set exec security + host explicitly in openclaw.json:
"exec": {
"security": "full",
"host": "gateway"
}Full Working Configuration
~/.openclaw/openclaw.json:
"tools": {
"profile": "coding",
"elevated": {
"enabled": true,
"allowFrom": {
"telegram": [
"YOUR_TELEGRAM_USER_ID",
"telegram:group:YOUR_GROUP_ID"
]
}
},
"exec": {
"security": "full",
"host": "gateway"
}
},
"commands": {
"native": "auto",
"restart": true,
"text": true,
"bash": true,
"allowFrom": {
"telegram": [
"YOUR_TELEGRAM_USER_ID"
]
}
}~/.openclaw/exec-approvals.json:
"defaults": {
"security": "full",
"ask": "off",
"askFallback": "full"
}Testing the Fix
After applying the configuration:
- Restart the gateway:
openclaw gateway restart - Start a fresh Telegram session with
/new - Test with
! pwd
The key insight: when Telegram exec fails after an update, the issue may not be Telegram permissions or approvals. Elevated exec moves to host=gateway, and gateway exec security defaults to allowlist unless explicitly set to "full" with host: "gateway".
📖 Read the full source: r/openclaw
👀 See Also
How to fix OpenClaw 'Cannot find module' error after update
After updating OpenClaw from version 2026.3.24 to 2026.4.5, users are encountering a 'Cannot find module @buape/carbon' error. The solution involves manually running a post-installation script instead of installing the package globally.
Designing Constraints for Production-Grade AI Agent Reliability
A Reddit post details a constraint-based approach to using Claude for complex codebase operations, emphasizing explicit failure mode enumeration, phased execution with checkpoints, and anti-shortcut rules to achieve zero broken builds when removing 140 files.
Custom Command Center App for OpenClaw: React PWA with WebSocket Proxy and Tailscale
A developer built a React PWA command center for their OpenClaw setup, featuring a live agent dashboard, trading desk, and push notifications, using a WebSocket proxy pattern to bridge OpenClaw's loopback-only gateway with devices on a Tailscale mesh.
Post-Mortem: Claude Max + OpenClaw Billing Errors from Stale OAuth and Isolated Cron Jobs
OpenClaw agent breaks randomly due to stale OAuth token blacklisting the entire Anthropic provider and isolated cron jobs hitting the Extra Usage bucket. Full fix: remove manual profile, move cron to main session, clear billing lockout.