OpenClaw Update Fix: Resolving Telegram Exec 'allowlist miss' Errors

Telegram Exec Failures After OpenClaw Update
After a recent OpenClaw update, users reported Telegram bots and channels responding normally but exec commands consistently failing with the error: exec denied: allowlist miss. This occurred even after addressing obvious permission and approval issues.
Root Cause: Three Separate Gates
The failure resulted from three configuration issues:
- Telegram elevated access wasn't enabled: Elevated exec requires explicit enablement plus an allowlist for who can request it
- Exec approvals weren't configured for Telegram: OpenClaw either couldn't prompt for approvals on Telegram or kept waiting for approvals not intended for use
- Gateway-host exec defaulted to allowlist: When using elevated exec, execution switches to host=gateway. Without explicit tools.exec.security settings, gateway-host exec defaults to allowlist, causing the persistent error
Complete Fix Configuration
Step 1 — Enable elevated access for Telegram in openclaw.json (under "tools"):
    "elevated": {
      "enabled": true,
      "allowFrom": {
        "telegram": [
          "YOUR_TELEGRAM_USER_ID",
          "telegram:group:YOUR_GROUP_ID"
        ]
      }
    }
Step 2 — Allow shell-style commands in Telegram in openclaw.json:
    "commands": {
      "text": true,
      "bash": true,
      "allowFrom": {
        "telegram": [
          "YOUR_TELEGRAM_USER_ID"
        ]
      }
    }
Step 3 — Disable exec approval prompts globally in exec-approvals.json:
    "defaults": {
      "security": "full",
      "ask": "off",
      "askFallback": "full"
    }
Step 4 — The key fix: set exec security + host explicitly in openclaw.json (under "tools"):
    "exec": {
      "security": "full",
      "host": "gateway"
    }
Full Working Configuration
~/.openclaw/openclaw.json:
    "tools": {
      "profile": "coding",
      "elevated": {
        "enabled": true,
        "allowFrom": {
          "telegram": [
            "YOUR_TELEGRAM_USER_ID",
            "telegram:group:YOUR_GROUP_ID"
          ]
        }
      },
      "exec": {
        "security": "full",
        "host": "gateway"
      }
    },
    "commands": {
      "native": "auto",
      "restart": true,
      "text": true,
      "bash": true,
      "allowFrom": {
        "telegram": [
          "YOUR_TELEGRAM_USER_ID"
        ]
      }
    }
~/.openclaw/exec-approvals.json:
    "defaults": {
      "security": "full",
      "ask": "off",
      "askFallback": "full"
    }
Testing the Fix
After applying the configuration:
- Restart the gateway: openclaw gateway restart
- Start a fresh Telegram session with /new
- Test with ! pwd
The key insight: when Telegram exec fails after an update, the issue may not be Telegram permissions or approvals. Elevated exec moves to host=gateway, and gateway exec security defaults to allowlist unless explicitly set to "full" with host: "gateway".
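A small audit of the three gates described above, added here as an example (not OpenClaw's own code): it reads the key paths shown in the full configuration and reports which gates are open and which allowFrom entries can then request elevated exec with approval prompts off. The helper names (dig, check_gates, exposure) and the sample IDs are constructed for illustration.

```python
import json

# Constructed sample shaped like the page's full configuration; IDs are placeholders.
OPENCLAW = json.loads("""{
  "tools": {
    "elevated": {"enabled": true,
                 "allowFrom": {"telegram": ["111", "telegram:group:-222"]}},
    "exec": {"security": "full", "host": "gateway"}
  },
  "commands": {"text": true, "bash": true, "allowFrom": {"telegram": ["111"]}}
}""")
APPROVALS = json.loads(
    '{"defaults": {"security": "full", "ask": "off", "askFallback": "full"}}')


def dig(cfg, path, default=None):
    """Walk a dotted key path, returning default when any level is missing."""
    for key in path.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return default
        cfg = cfg[key]
    return cfg


def check_gates(openclaw, approvals):
    """Return {gate: (is_open, detail)} for the three gates the page names."""
    allow = dig(openclaw, "tools.elevated.allowFrom.telegram", [])
    sec = dig(openclaw, "tools.exec.security")  # per the page: unset = allowlist
    ask = dig(approvals, "defaults.ask")
    return {
        "elevated": (dig(openclaw, "tools.elevated.enabled") is True and bool(allow),
                     f"tools.elevated.allowFrom.telegram={allow}"),
        "approvals": (ask == "off", f"defaults.ask={ask!r}"),
        "gateway_exec": (sec == "full" and dig(openclaw, "tools.exec.host") == "gateway",
                         f"tools.exec.security={sec or 'unset (allowlist)'}"),
    }


def exposure(openclaw, approvals):
    """Entries that may request elevated exec once every gate is open."""
    if not all(is_open for is_open, _ in check_gates(openclaw, approvals).values()):
        return []
    return sorted(dig(openclaw, "tools.elevated.allowFrom.telegram", []))


if __name__ == "__main__":
    for gate, (is_open, detail) in check_gates(OPENCLAW, APPROVALS).items():
        print(f"{gate:13}{'open' if is_open else 'closed':7}{detail}")
    print("elevated exec without approval prompt:", exposure(OPENCLAW, APPROVALS))
```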
📖 Read the full source: r/openclaw