

























OpenClaw blog
OpenClaw is moving host exec from YOLO to auto: deterministic commands run, risky misses get reviewed, and humans stay in the approval loop.
May 31, 2026
YOLO mode made host commands fast by skipping approval prompts. That was useful for trusted local automation, but too blunt for everyday use.
auto is the safer default.
Safe, repeatable commands can run without nagging you. Commands that miss policy go to a reviewer first. If the reviewer is not confident, OpenClaw asks you.
We shipped this first through the Codex harness, so OpenAI-backed OpenClaw sessions could already use Codex-style auto approvals. Now we are bringing the same safer default to host exec for everyone.
Codex already made this shift in its own permission presets. Its auto preset is the default: workspace files are writable, normal commands can run, and approvals are still required for escapes such as network access or writes outside the workspace.
OpenClaw is bringing the same shape to host exec. tools.exec.mode: "auto" keeps the agent moving without turning every command into a permanent yes.
Ask: human first. Allowlist misses stop and wait for an operator. Good for strict setups, noisy for busy agents.
Auto: reviewer first. Deterministic matches run. Misses go through OpenClaw's native auto reviewer before a human fallback.
YOLO: no prompts. Host exec runs without approval prompts. Useful only when the surrounding environment is already trusted.
Host exec starts with OpenClaw config: what the agent is allowed to ask for. Most users only need that setting. Hosts can still apply stricter local policy.
In auto mode, OpenClaw handles a host command like this:
auto does not override local safety settings. A host configured to always ask still asks. A host configured to deny still denies.
For a local gateway-host setup:
openclaw config set tools.exec.host gateway
openclaw config set tools.exec.mode auto
Auto is now active for host exec.
If you use the Codex harness, this is the path OpenAI-backed sessions already use: tools.exec.mode: "auto" maps Codex app-server sessions to reviewed approvals with workspace-write sandboxing when available.
Human approval is still the final authority when the reviewer cannot safely say yes.
An approval prompt can offer:
allow-once: run this exact request once.
allow-always: persist a durable allowlist entry when the request supports it.
deny: do not run it.
allow-once is intentionally narrow. For node-host runs, OpenClaw binds the approval to the canonical command plan, cwd, argv, and session context. If the caller changes the command after the approval request was created, the run is rejected instead of silently executing the changed request.
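The allow-once binding described above can be sketched as follows. This is an added example, not OpenClaw's own code: `ApprovalStore`, `canonicalRequest`, the field names and the reason strings are hypothetical, and `cwd` is assumed to be an already-resolved absolute path.

```javascript
// Added illustration, not OpenClaw code. All names here are hypothetical.

// Canonical form: fixed field order, argv kept as an array so that
// ["rm", "a b"] and ["rm", "a", "b"] can never serialize to the same string.
// Assumes cwd is already an absolute, resolved path.
function canonicalRequest({ argv, cwd, sessionId }) {
  const okArgv = Array.isArray(argv) && argv.length > 0 &&
    argv.every((a) => typeof a === "string");
  if (!okArgv || typeof cwd !== "string" || typeof sessionId !== "string") {
    throw new TypeError("malformed exec request");
  }
  return JSON.stringify([sessionId, cwd, argv]);
}

class ApprovalStore {
  constructor() {
    this.entries = new Map(); // approvalId -> { bound, decision }
    this.nextId = 1;
  }

  // Prompt creation: snapshot exactly what the operator is asked about.
  request(req) {
    const id = `apr-${this.nextId++}`;
    this.entries.set(id, { bound: canonicalRequest(req), decision: null });
    return id;
  }

  // Operator answer: "allow-once" or "deny".
  decide(id, decision) {
    const entry = this.entries.get(id);
    if (!entry) throw new Error("unknown approval id");
    entry.decision = decision;
  }

  // Just before exec: re-canonicalize what is about to run and compare.
  authorize(id, req) {
    const entry = this.entries.get(id);
    if (!entry) return { ok: false, reason: "unknown-or-used" };
    if (entry.decision === null) return { ok: false, reason: "pending" };
    this.entries.delete(id); // single use: burned on allow, deny, or mismatch
    if (entry.decision !== "allow-once") return { ok: false, reason: "denied" };
    if (canonicalRequest(req) !== entry.bound) {
      return { ok: false, reason: "request-changed" };
    }
    return { ok: true, reason: "approved" };
  }
}
```

The comparison happens at execution time against the snapshot taken at prompt time, and the entry is consumed on the first decided use, so an approval can be neither replayed nor carried over to a request whose argv, cwd or session differs.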
Approvals are no longer trapped in a local terminal. OpenClaw can route approval prompts into the places operators already watch, including Slack, Telegram, and iMessage.
The detailed setup lives in Exec approvals - advanced.
auto reduces prompt noise. It still respects the host policy.
The reviewer may only allow one low-risk execution. It is prompted to treat the command text, argv, cwd, env keys, heredocs, strings, filenames, and metadata as untrusted data. If that untrusted data tries to instruct the reviewer or request a decision, OpenClaw defers to a human.
YOLO remains available for environments that are already externally sandboxed or deliberately trusted. For most users, auto is the better default: fewer prompts than strict ask mode, less risk than full host access.