Govern OpenClaw Tool Calls with Policy Profiles

A production reference for exec, file_read, file_write, browser_navigate, browser_interact, web_search, web_fetch, sessions_send, memory_write, and cron_create.

TL;DR

  • Most OpenClaw security content explains sandboxing and credentials, but not policy defaults for each tool.
  • This page maps every major OpenClaw tool to its CordClaw topic, its risk tags, and its strict/moderate/permissive default behavior.
  • Use moderate first, validate with simulate, then tighten toward strict for high-impact workflows.

What Other Guides Usually Miss

Top OpenClaw articles and docs cover useful hardening basics: sandboxing, auth, network exposure, and credential hygiene. The missing piece is usually a per-tool governance map with default decisions by profile.

The practical question in production is not only "is sandboxing on?" but also "what does policy do for this exact tool call right now?"

OpenClaw Tool Governance Matrix

| Tool | Strict | Moderate | Permissive |
|---|---|---|---|
| exec | REQUIRE_APPROVAL for every exec request. | DENY destructive/cloud/remote-access, REQUIRE_APPROVAL package-install + code-deploy, ALLOW_WITH_CONSTRAINTS for general exec. | DENY destructive + secrets, REQUIRE_APPROVAL cloud/infrastructure, ALLOW the rest. |
| file_read | ALLOW by default for workspace-scoped reads. | ALLOW file reads in normal workspace operations. | ALLOW except requests tagged as secrets (DENY). |
| file_write | REQUIRE_APPROVAL for every file write. | ALLOW file writes for normal workspace flow. | ALLOW except writes tagged as secrets (DENY). |
| browser_navigate | ALLOW_WITH_CONSTRAINTS (sandbox=true, timeout_seconds=60). | ALLOW by default. | ALLOW by default. |
| browser_interact | ALLOW_WITH_CONSTRAINTS (sandbox=true, timeout_seconds=60). | ALLOW by default. | ALLOW by default. |
| web_search | ALLOW by default. | ALLOW by default. | ALLOW by default. |
| web_fetch | ALLOW by default. | ALLOW by default. | ALLOW by default. |
| sessions_send | REQUIRE_APPROVAL for outbound messages. | REQUIRE_APPROVAL for outbound messages. | ALLOW by default unless custom rules require approval. |
| memory_write | REQUIRE_APPROVAL for memory writes. | ALLOW by default. | ALLOW by default. |
| cron_create | DENY scheduled task creation. | REQUIRE_APPROVAL for scheduled task creation. | ALLOW by default unless overridden. |

Tool-by-Tool Governance Guide

OpenClaw keyword variants often use underscores. CordClaw internal mapping uses dotted or plain names.

exec

OpenClaw tool: exec

CordClaw topic: job.cordclaw.exec

Description: Runs shell commands. This is the highest-impact tool because it can mutate system state and trigger downstream actions quickly.

Risk profile: Base tags: exec, system, write. Extra tags are inferred from command text (destructive, cloud, infrastructure, package-install, remote-access, code-deploy, secrets).

Strict default

REQUIRE_APPROVAL for every exec request.

Moderate default

DENY destructive/cloud/remote-access, REQUIRE_APPROVAL package-install + code-deploy, ALLOW_WITH_CONSTRAINTS for general exec.

Permissive default

DENY destructive + secrets, REQUIRE_APPROVAL cloud/infrastructure, ALLOW the rest.

Example policy rule

- id: cordclaw-moderate-deny-destructive
  match:
    topics: ["job.cordclaw.exec"]
    risk_tags: ["destructive"]
  decision: deny
  reason: Destructive commands are blocked in moderate mode.
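
An added sketch (not CordClaw's code) that models the exec defaults above so decisions for a command can be compared across the three profiles. The regex patterns used for tag inference, the "any listed tag" matching and the first-match rule order are assumptions, since the page does not show how CordClaw implements them.

```python
import re

# Constructed patterns for tag inference; CordClaw's real inference rules are not on the page.
TAG_PATTERNS = {
    "destructive": r"\brm\s+-[a-z]*r|\bmkfs\b|\bdd\s+if=",
    "cloud": r"\b(aws|gcloud|az)\s",
    "infrastructure": r"\b(terraform|kubectl)\s",
    "package-install": r"\b(pip|npm|apt(-get)?)\s+install\b",
    "remote-access": r"\b(ssh|scp)\s",
    "code-deploy": r"\bgit\s+push\b",
    "secrets": r"\.env\b|id_rsa|\.aws/credentials",
}

# Ordered rules for topic job.cordclaw.exec, copied from the exec defaults on this page.
# (tags, decision): a rule matches when the call carries any listed tag; empty set = catch-all.
EXEC_RULES = {
    "strict": [(set(), "require_approval")],
    "moderate": [
        ({"destructive", "cloud", "remote-access"}, "deny"),
        ({"package-install", "code-deploy"}, "require_approval"),
        (set(), "allow_with_constraints"),
    ],
    "permissive": [
        ({"destructive", "secrets"}, "deny"),
        ({"cloud", "infrastructure"}, "require_approval"),
        (set(), "allow"),
    ],
}

def infer_tags(command):
    tags = {"exec", "system", "write"}  # base tags listed in the risk profile
    tags |= {t for t, pat in TAG_PATTERNS.items() if re.search(pat, command)}
    return tags

def decide(profile, command):
    tags = infer_tags(command)
    for wanted, decision in EXEC_RULES[profile]:  # first matching rule wins (assumption)
        if not wanted or wanted & tags:
            return decision
    return "deny"  # fail closed if no rule matched

def compare(command):
    return {profile: decide(profile, command) for profile in EXEC_RULES}

if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in ["ls -la", "rm -rf build/", "pip install requests", "terraform apply", "cat .env"]:
        print(f"{cmd!r}: {compare(cmd)}")
```

In this model `cat .env` is denied under permissive but allowed with constraints under moderate, because the moderate exec default lists no secrets rule; differences like that are what a simulation run should surface before rollout.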

file_read

OpenClaw tool: read

CordClaw topic: job.cordclaw.file-read

Description: Reads files from workspace or host paths. Read-only actions still expose credentials and infrastructure secrets if scope is too broad.

Risk profile: Base tags: filesystem, read. Path patterns add tags like secrets and system-config.

Strict default

ALLOW by default for workspace-scoped reads.

Moderate default

ALLOW file reads in normal workspace operations.

Permissive default

ALLOW except requests tagged as secrets (DENY).

Example policy rule

- id: cordclaw-permissive-deny-secrets-access
  match:
    topics: ["job.cordclaw.file-read", "job.cordclaw.file-write", "job.cordclaw.exec"]
    risk_tags: ["secrets"]
  decision: deny
  reason: Secrets access remains blocked in permissive mode.

file_write

OpenClaw tool: write

CordClaw topic: job.cordclaw.file-write

Description: Writes files. This includes config edits, generated artifacts, and script mutations that can alter behavior for later runs.

Risk profile: Base tags: filesystem, write. Path patterns can add secrets and system-config, which should change policy decisions immediately.

Strict default

REQUIRE_APPROVAL for every file write.

Moderate default

ALLOW file writes for normal workspace flow.

Permissive default

ALLOW except writes tagged as secrets (DENY).

Example policy rule

- id: cordclaw-strict-approve-all-file-write
  match:
    topics: ["job.cordclaw.file-write"]
  decision: require_approval
  reason: Strict mode requires approval for all file writes.

browser_navigate

OpenClaw tool: browser.navigate

CordClaw topic: job.cordclaw.browser

Description: Navigates browser sessions and fetches page context. Useful for automation, but it expands prompt-injection exposure through external content.

Risk profile: Base tags: network, browser. URL checks can add insecure-transport when non-HTTPS URLs are requested.

Strict default

ALLOW_WITH_CONSTRAINTS (sandbox=true, timeout_seconds=60).

Moderate default

ALLOW by default.

Permissive default

ALLOW by default.

Example policy rule

- id: cordclaw-strict-constrain-browser
  match:
    topics: ["job.cordclaw.browser", "job.cordclaw.browser-action"]
  decision: allow_with_constraints
  constraints:
    sandbox: true
    timeout_seconds: 60
  reason: Browser actions are allowed only in a constrained sandbox.

browser_interact

OpenClaw tool: browser.action

CordClaw topic: job.cordclaw.browser-action

Description: Interacts with browser state (click/type/submit). This is write-like behavior because it can trigger external side effects.

Risk profile: Base tags: network, browser, write. Treat this as higher risk than read-only navigation.

Strict default

ALLOW_WITH_CONSTRAINTS (sandbox=true, timeout_seconds=60).

Moderate default

ALLOW by default.

Permissive default

ALLOW by default.

Example policy rule

- id: cordclaw-constrain-browser
  description: Allow browser actions with timeout
  match:
    topics: ["job.cordclaw.browser", "job.cordclaw.browser-action"]
  decision: allow_with_constraints
  constraints:
    timeout_seconds: 60
  reason: Browser actions are allowed with a 60s timeout.

web_fetch

OpenClaw tool: web_fetch

CordClaw topic: job.cordclaw.web-fetch

Description: Fetches remote content by URL. Similar to web_search but with direct URL targeting and response body retrieval.

Risk profile: Base tags: network, read. Non-HTTPS URLs can be flagged with insecure-transport.

Strict default

ALLOW by default.

Moderate default

ALLOW by default.

Permissive default

ALLOW by default.

Example policy rule

- id: cordclaw-strict-allow-web
  match:
    topics: ["job.cordclaw.web-search", "job.cordclaw.web-fetch"]
  decision: allow
  reason: Web search and fetch are allowed in strict mode.

sessions_send

OpenClaw tool: sessions_send

CordClaw topic: job.cordclaw.message-send

Description: Sends outbound messages to external channels. This has immediate external impact and should not run without context controls.

Risk profile: Base tags: messaging, write, external. This path is sensitive for both reputation and compliance.

Strict default

REQUIRE_APPROVAL for outbound messages.

Moderate default

REQUIRE_APPROVAL for outbound messages.

Permissive default

ALLOW by default unless custom rules require approval.

Example policy rule

- id: cordclaw-moderate-approve-messages
  match:
    topics: ["job.cordclaw.message-send"]
  decision: require_approval
  reason: Outbound messaging requires approval in moderate mode.

memory_write

OpenClaw tool: memory_write

CordClaw topic: job.cordclaw.memory-write

Description: Writes persistent memory for future agent behavior. Low immediate blast radius, but high long-term drift risk.

Risk profile: Base tags: memory, write, persistence. Bad writes can bias later decisions silently.

Strict default

REQUIRE_APPROVAL for memory writes.

Moderate default

ALLOW by default.

Permissive default

ALLOW by default.

Example policy rule

- id: cordclaw-strict-approve-memory-write
  match:
    topics: ["job.cordclaw.memory-write"]
  decision: require_approval
  reason: Strict mode requires approval for memory writes.

cron_create

OpenClaw tool: cron.create

CordClaw topic: job.cordclaw.cron-create

Description: Creates scheduled autonomous tasks. This turns one-time intent into recurring action, which can multiply mistakes.

Risk profile: Base tags: schedule, write, autonomy. Schedule creation should be treated as high governance risk.

Strict default

DENY scheduled task creation.

Moderate default

REQUIRE_APPROVAL for scheduled task creation.

Permissive default

ALLOW by default unless overridden.

Example policy rule

- id: cordclaw-moderate-approve-cron
  match:
    topics: ["job.cordclaw.cron-create"]
  decision: require_approval
  reason: Creating scheduled tasks requires approval in moderate mode.

Limitations and Tradeoffs

  • Strict profile reduces accidental side effects but increases approval queue volume and latency.
  • Permissive profile moves faster but requires stronger monitoring to catch bad behavior quickly.
  • Moderate profile is usually the best first step, but it still needs simulation against your real command patterns.
  • Tool policy and sandboxing solve different problems; use both in production.

Frequently Asked Questions

Why include file_read/file_write if CordClaw maps read/write?
OpenClaw SEO queries often use file_read and file_write, while CordClaw internally maps these to read/write and policy topics job.cordclaw.file-read and job.cordclaw.file-write.

Which profile should most teams start with?
Moderate is usually the best first deployment profile. It blocks destructive and infrastructure-sensitive exec paths, keeps low-risk read flows fast, and adds approval gates only where risk is highest.

Does sandboxing replace governance for OpenClaw tools?
No. Sandboxing limits blast radius after execution starts. Governance decides whether a tool action should execute at all.

How do I test policy changes safely?
Use simulation before enabling risky actions in production paths. For CordClaw, run openclaw cordclaw simulate with representative tool payloads and compare decisions across profiles.

Next Step: Simulate Before You Ship

Pick the three highest-risk tool actions in your current OpenClaw setup and run simulation under moderate and strict profiles. Tune policy before enabling broad autonomous access.