OpenClaw Field Guide

Section 14: Elevated Permissions and the /approve System

Not every AI action should run automatically.

Some operations are sensitive: deleting files, modifying protected areas, running privileged commands, or actions outside normal sandbox boundaries. OpenClaw handles this with an approval gate.

That gate is the /approve system.

What "elevated permissions" means

An elevated action is a command your assistant is not allowed to run by default under current safety settings.

Instead of running silently, OpenClaw asks for your decision.

This is a feature, not friction.

The three approval choices

When approval is required, you will see command options like:

💬 Send this to your AI assistant:

/approve allow-once <code>
/approve allow-always <code>
/approve deny <code>

Here is how to think about each option.

allow-once (best default)

Use this when the command is needed right now, but you don't want to permanently expand trust.

  • scope: one command instance
  • risk: lowest of the three approvals
  • good for: one-time maintenance, diagnostics, temporary recovery actions

allow-always (persistent trust)

Use this only when you are very confident in both the command pattern and the context where it will be used.

  • scope: ongoing
  • risk: higher (future commands may pass without repeated review)
  • good for: stable, routine operations you fully understand

deny

Use this whenever a command is unclear, unnecessary, or too risky.

  • scope: blocks requested action
  • risk: safest immediate response when uncertain
  • good for: ambiguous requests, overly broad commands, suspicious timing

::: warning Never approve on autopilot. Read the exact command string. One overlooked flag can change impact dramatically. :::

A practical approval workflow for non-technical users

You don't need deep shell expertise to make safe choices. Use this 5-step screen:

  1. What is the command trying to do?
  2. Does it match what I asked for?
  3. Is the scope narrow or broad?
  4. Is this a one-time need or recurring need?
  5. If wrong, is recovery easy?

Then decide:

  • if valid and one-time: approve once
  • if valid and routine (and you trust it): approve always
  • if unclear: deny and ask for a safer version

::: beginner If you don't understand a command, default to deny and request a plain-English explanation. That is good operations practice, not "slowing things down." :::

Real-world examples

Example A: log inspection request

The assistant requests a read-only diagnostics command to inspect service status.

  • low side effect
  • aligned with troubleshooting request
  • best choice: usually allow-once

Example B: broad filesystem modification

The assistant requests a command that changes many files recursively.

  • potentially high side effect
  • may exceed what you asked
  • best choice: often deny first, then ask for narrower scope

Example C: repeated trusted maintenance routine

A known safe operation is required weekly and has been validated.

  • stable and predictable
  • you have audit confidence
  • possible choice: allow-always, but only after a trial period with allow-once

Sandboxing and why it helps

Sandboxing limits what the assistant can touch. Even when approvals exist, sandboxing reduces blast radius.

Think of it as layered safety:

  • sandbox defines boundaries
  • approvals gate exceptional actions
  • logs provide accountability

This layered model is why OpenClaw can be powerful without being reckless.

Auditing: trust, but verify

After elevated actions, check what happened.

Review session logs in dashboard or terminal history and confirm:

  • expected action happened
  • no extra side effects
  • outcome matches report

This habit quickly builds your confidence and helps detect misconfigurations early.

::: tip During your first month, prefer allow-once almost every time. Promote to allow-always only after repeated clean outcomes. :::

Common approval mistakes

  • Approving without reading the full command
  • Granting allow-always too early
  • Treating denied actions as "assistant failure" instead of "safety working"
  • Skipping post-action checks on sensitive operations

A safe default policy

If you want one policy to remember, use this:

  • default: deny unclear commands
  • normal: allow-once for clear one-time commands
  • rare: allow-always for truly stable, low-risk routines

::: action Write your own approval rule in AGENTS.md so your assistant knows your preference before asking. :::

Final rule for elevated permissions

Approvals are where you stay in control.

Speed matters, but irreversible mistakes are slower than careful review.