#####   ######  #####    ###    #   #  ###  #   #  ######
##  ##  ##      ##  ##  ## ##   #   #   #   #   #  ##
#####   ####    #####   #   #   #   #   #   #   #  ####
##  #   ##      ##      ## ##    # #    #    # #   ##
##   #  ######  ##       ###      #    ###    #    ######

$ curl repovive.com/roadmaps/openclaw/setting-up-your-ai-assistant/tool-policies-allow-and-deny-lists

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░█████████████████████████████████████████████████████████████████████████████████████████████████████

#####   ######  #####    ###    #   #  ###  #   #  ######
##  ##  ##      ##  ##  ## ##   #   #   #   #   #  ##
#####   ####    #####   #   #   #   #   #   #   #  ####
##  #   ##      ##      ## ##    # #    #    # #   ##
##   #  ######  ##       ###      #    ###    #    ######

$ curl repovive.com/roadmaps/openclaw/setting-up-your-ai-assistant/tool-policies-allow-and-deny-lists

Repovive

Tool Policies: Allow and Deny Lists - Setting Up Your AI Assistant | OpenClaw | Repovive

Repovive.

Tool Policies: Allow and Deny Lists

Controlling actions

4 min

Tool policies give you fine-grained control over which system commands your assistant can run. Let me show you how they work.

The allow list defines safe binaries. If a binary is not on the list, the agent cannot execute it:

{
  "allow": ["git", "npm", "node", "python3", "curl"]
}

The deny list blocks specific binaries even if they would otherwise be allowed:

{
  "deny": ["rm", "sudo", "chmod"]
}

You can also set per-agent policies. A coding agent might have access to git and npm, while a research agent only gets curl and python3. Store these in ~/.openclaw/policies/.