Auto Mode Is the Safer Way to Let Agents Run Commands
Vince Koc (@vincent_koc), Jesse Merhi (@jesse_merhi) · 2026-05-31 · via OpenClaw Blog

OpenClaw is moving host exec from YOLO to auto: deterministic commands run, risky misses get reviewed, and humans stay in the approval loop.

YOLO mode made host commands fast by skipping approval prompts. That was useful for trusted local automation, but too blunt for everyday use.

auto is the safer default.

Safe, repeatable commands can run without nagging you. Commands that miss policy go to a reviewer first. If the reviewer is not confident, OpenClaw asks you.

We shipped this first through the Codex harness, so OpenAI-backed OpenClaw sessions could already use Codex-style auto approvals. Now we are bringing the same safer default to host exec for everyone.

Why This Exists

Codex already made this shift in its own permission presets. Its auto preset is the default: workspace files are writable, normal commands can run, and approvals are still required for escapes such as network access or writes outside the workspace.

OpenClaw is bringing the same shape to host exec. tools.exec.mode: "auto" keeps the agent moving without turning every command into a permanent yes.

  • Ask (human first): Allowlist misses stop and wait for an operator. Good for strict setups, noisy for busy agents.
  • Auto (reviewer first): Deterministic matches run. Misses go through OpenClaw's native auto reviewer before a human fallback.
  • YOLO (no prompts): Host exec runs without approval prompts. Useful only when the surrounding environment is already trusted.

What Auto Does

Host exec starts with OpenClaw config: what the agent is allowed to ask for. Most users only need that setting. Hosts can still apply stricter local policy.

In auto mode, OpenClaw handles a host command like this:

  1. If the command matches the allowlist or a deterministic safe-bin rule, it runs.
  2. If the command misses policy, OpenClaw builds a bounded review packet: command, argv, cwd, env key names, host, and parser analysis.
  3. The auto reviewer can allow one low-risk execution only.
  4. Anything ambiguous, higher-risk, unparseable, timed out, model-unavailable, or reviewer-directed falls back to human approval.
  5. If no UI or configured approval client can answer, OpenClaw uses the host’s configured fallback.

auto does not override local safety settings. A host configured to always ask still asks. A host configured to deny still denies.
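
The five steps above, together with the rule that local host policy still wins, can be read as one decision function. The sketch below is an added example, not OpenClaw's code: `decideExec`, `buildReviewPacket`, the `hostPolicy` values, the reviewer verdict shape and the binary-name allowlist match are all assumptions made for illustration.

```javascript
// Added sketch of the auto-mode flow; not OpenClaw source. All names are hypothetical.

// Step 2: bounded review packet. Only env key NAMES are copied, never values.
function buildReviewPacket(req) {
  return {
    command: req.command,
    argv: [...req.argv],
    cwd: req.cwd,
    envKeys: Object.keys(req.env || {}).sort(),
    host: req.host,
    parserAnalysis: req.parserAnalysis || { parsed: false },
  };
}

function decideExec(req, ctx) {
  // Local host policy is checked first: deny still denies, always-ask still asks.
  if (ctx.hostPolicy === "deny") return { action: "deny", via: "host-policy" };
  if (ctx.hostPolicy !== "always-ask") {
    // Step 1: deterministic match (simplified here to the binary name).
    if (ctx.allowlist.has(req.argv[0])) return { action: "run", via: "allowlist" };
    const packet = buildReviewPacket(req);
    let verdict;
    try {
      verdict = ctx.reviewer(packet); // may throw on timeout or model outage
    } catch {
      verdict = { decision: "defer" };
    }
    // Step 3: only an explicit low-risk allow on a parseable command passes,
    // and it covers this single execution only.
    const lowRiskAllow = verdict && verdict.decision === "allow" && verdict.risk === "low";
    if (packet.parserAnalysis.parsed && lowRiskAllow) {
      return { action: "run-once", via: "auto-reviewer" };
    }
  }
  // Step 4: human approval. Step 5: host fallback when nobody can answer.
  const answer = ctx.askHuman ? ctx.askHuman(req) : null;
  if (answer === "allow-once") return { action: "run-once", via: "human" };
  if (answer === "deny") return { action: "deny", via: "human" };
  return { action: ctx.hostFallback, via: "host-fallback" };
}
```

The human answer is reduced to allow-once or deny here. A reviewer error, a non-low risk rating and an unparseable command all take the same path to the human and then to the host fallback.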

Enabling Auto

For a local gateway-host setup:

openclaw config set tools.exec.host gateway
openclaw config set tools.exec.mode auto

Auto is now active for host exec.

If you use the Codex harness, this is the path OpenAI-backed sessions already use: tools.exec.mode: "auto" maps Codex app-server sessions to reviewed approvals with workspace-write sandboxing when available.

What Gets Asked

Human approval is still the final authority when the reviewer cannot safely say yes.

An approval prompt can offer:

  • allow-once: run this exact request once.
  • allow-always: persist a durable allowlist entry when the request supports it.
  • deny: do not run it.

allow-once is intentionally narrow. For node-host runs, OpenClaw binds the approval to the canonical command plan, cwd, argv, and session context. If the caller changes the command after the approval request was created, the run is rejected instead of silently executing the changed request.
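
The binding described above is a check-at-use pattern: snapshot the request when approval is requested, then compare what the caller presents at execution time. The following is an added example, not OpenClaw's code; `ApprovalStore`, `canonicalRequest` and the field names are assumptions, and it compares canonical strings where a real system might store a digest.

```javascript
// Added sketch of an allow-once binding; not OpenClaw source. Names are hypothetical.

// Canonical form: fixed field order, argv kept as an array so that
// ["a b"] and ["a", "b"] never serialise to the same string.
// Assumes commandPlan is a string or array (no unordered object keys).
function canonicalRequest(r) {
  return JSON.stringify([r.commandPlan, r.cwd, r.argv, r.sessionId]);
}

class ApprovalStore {
  constructor() {
    this.pending = new Map();
    this.nextId = 1;
  }

  // Snapshot the request at the moment the approval prompt is created.
  request(r) {
    const id = `appr-${this.nextId++}`;
    this.pending.set(id, { bound: canonicalRequest(r), granted: false });
    return id;
  }

  // Operator chose allow-once for this approval id.
  grantOnce(id) {
    const entry = this.pending.get(id);
    if (!entry) return false;
    entry.granted = true;
    return true;
  }

  // Called immediately before execution with the request as presented now.
  redeem(id, r) {
    const entry = this.pending.get(id);
    if (!entry || !entry.granted) return { ok: false, reason: "no-approval" };
    // Design choice of this sketch: a grant is consumed even on mismatch,
    // so a changed request cannot be retried against the same approval.
    this.pending.delete(id);
    if (canonicalRequest(r) !== entry.bound) {
      return { ok: false, reason: "request-changed" };
    }
    return { ok: true };
  }
}
```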

Approvals in Chat

Approvals are no longer trapped in a local terminal. OpenClaw can route approval prompts into the places operators already watch, including Slack, Telegram, and iMessage.

The detailed setup lives in Exec approvals - advanced.

Security Notes

auto reduces prompt noise. It still respects the host policy.

The reviewer may only allow one low-risk execution. It is prompted to treat the command text, argv, cwd, env keys, heredocs, strings, filenames, and metadata as untrusted data. If that untrusted data tries to instruct the reviewer or request a decision, OpenClaw defers to a human.

YOLO remains available for environments that are already externally sandboxed or deliberately trusted. For most users, auto is the better default: fewer prompts than strict ask mode, less risk than full host access.