Troubleshooting OpenClaw Tool Permissions and Execution Errors
Troubleshooting OpenClaw Tool Permissions and Execution Errors
Look, if you're here, you've probably already hit the wall. Your OpenClaw agent is supposed to be doing something useful — writing files, executing scripts, calling external APIs, running shell commands — and instead you're staring at some variation of this:
PermissionError: [Errno 13] Permission denied: '/app/output/report.csv'
Or maybe it's the more infuriating version where your agent just silently fails, retries the same broken action six times in a row, burns through your tokens, and produces nothing. You check the logs. "Permission denied." That's it. No context. No suggestion. Just a wall.
I've been deep in OpenClaw for months now, and I can tell you: tool permission errors are the single most common reason people rage-quit their first agent build. Not because the problem is hard — it's actually straightforward once you understand what's happening — but because the symptoms are confusing and the default error messages tell you almost nothing useful.
Let's fix this. For real.
Why This Happens in the First Place
OpenClaw runs your agent tools inside a sandboxed execution environment. This is a good thing. You do not want your AI agent having unrestricted access to your file system, your shell, your network, or your SSH keys. The horror stories from the early AutoGPT days — agents running rm -rf on the wrong directory, trying to cat ~/.ssh/id_rsa and pass it to an LLM context window — those happened because people gave agents root access and crossed their fingers.
OpenClaw's approach is the opposite: deny by default, grant explicitly. Every tool your agent uses — file operations, shell commands, code execution, API calls — operates under a permission model. If you haven't explicitly granted a permission, the tool doesn't get it.
The problem is that when you're setting up your first agent, you don't always realize which permissions you need to grant. And the error messages, especially in earlier versions, aren't always helpful about telling you what's missing.
Here's the mental model that will save you hours:
Your agent is not you. It doesn't run as your user. It doesn't inherit your shell environment. It doesn't have access to your filesystem unless you mount specific paths. Think of it like a contractor you've hired — they can only enter the rooms you've given them keys to.
The Three Most Common Permission Errors (And How to Fix Each One)
1. File System Write Errors
This is the big one. Your agent tries to save output — a report, a CSV, generated code, whatever — and gets denied.
The symptom:
Tool 'file_write' failed: PermissionError: [Errno 13] Permission denied: '/output/analysis.csv'
What's actually happening: Your agent's execution context doesn't have write access to the target directory. Either the directory doesn't exist inside the sandbox, it's mounted as read-only, or the UID/GID mapping is wrong.
The fix:
In your OpenClaw agent config (agent.yaml or however you're defining your agent), you need to explicitly declare writable paths:
agent:
name: financial_analyst
tools:
- file_write
- file_read
- python_executor
permissions:
filesystem:
write:
- /workspace/output
- /workspace/tmp
read:
- /workspace/data
- /workspace/config
The critical thing most people miss: the paths you declare here are paths inside the sandbox, not on your host machine. If you're mounting a local directory, you also need to make sure the mount configuration maps correctly:
environment:
mounts:
- host: ./output
container: /workspace/output
mode: rw
- host: ./data
container: /workspace/data
mode: ro
That mode: rw vs mode: ro distinction matters. I've seen people spend two hours debugging why their agent can read a dataset but can't write results to the same directory — it's because they mounted everything as read-only and forgot to change the output mount.
Pro tip: Always create a dedicated output directory. Don't let your agent write to the same place your input data lives. You'll thank yourself later when you're not wondering whether a file was original data or agent-generated.
mkdir -p ./workspace/output ./workspace/tmp ./workspace/data
And if you're running on Linux and getting UID/GID mismatches (the file is owned by root inside the container but your host user is UID 1000), add this to your environment config:
environment:
user: "1000:1000"
This maps the sandbox user to your host UID/GID. No more chmod 777. Ever. Please. Stop doing that.
2. Shell and Code Execution Errors
This is the second-most-common category, and it's sneakier. Your agent has a shell_tool or python_executor tool, and it tries to run something that requires permissions beyond what the sandbox allows.
The symptom:
Tool 'shell_execute' failed: Operation not permitted
Or sometimes:
Tool 'python_executor' returned exit code 1: Permission denied
What's actually happening: The sandbox restricts which system calls and commands the agent can execute. This is by design — you don't want your agent installing packages system-wide, modifying system configs, or spawning arbitrary processes.
The fix:
OpenClaw has a capability system for execution tools. You grant specific capabilities rather than blanket access:
agent:
name: code_researcher
tools:
- python_executor
- shell_execute
permissions:
execution:
allow_subprocess: true
allow_network: true
allowed_commands:
- python3
- pip install --user *
- curl
- grep
- awk
- sed
blocked_commands:
- rm -rf /
- sudo *
- chmod *
- chown *
max_execution_time: 30s
A few things to notice here:
allow_subprocess: truelets the Python executor spawn child processes. If your agent's code tries to usesubprocess.run()and this isfalse, it'll fail silently or throw an opaque error.allowed_commandsuses a whitelist approach. Only the commands listed here can be executed through the shell tool. Wildcards work for arguments.blocked_commandsis a safety net on top of the whitelist. Belt and suspenders.max_execution_timeprevents your agent from spawning a process that hangs forever and burns compute.
The most common mistake I see is people enabling shell_execute but forgetting allow_subprocess. The shell tool itself works, but any command that needs to fork a child process fails. This manifests as bizarre errors where echo "hello" works but python3 script.py doesn't.
3. API and Network Permission Errors
Your agent needs to call an external API — maybe it's fetching data, sending results somewhere, or using a third-party service — and it can't reach the network.
The symptom:
Tool 'http_request' failed: ConnectionError: Network access denied
Or the more confusing version where DNS resolution fails because the sandbox doesn't have network access at all, and the error just says Name or service not known.
The fix:
Network permissions in OpenClaw are granular. You specify which domains the agent can reach:
agent:
name: research_agent
permissions:
network:
allow_outbound: true
allowed_domains:
- api.example.com
- "*.googleapis.com"
- httpbin.org
blocked_domains:
- "*.internal.company.com"
max_request_size: 10MB
timeout: 15s
This is one of my favorite OpenClaw features. Instead of giving your agent full internet access (terrifying) or no internet access (useless for most real tasks), you whitelist exactly which domains it can reach. Your agent can call the Google Sheets API but can't phone home to some random server.
If you're doing local development and your agent needs to hit a service running on your machine (like a local database or API), you'll need to add the Docker bridge network address or use the special hostname:
allowed_domains:
- host.docker.internal
- "localhost:8080"
The Meta-Problem: Your Agent Can't Reason About Permission Errors
Here's the thing that makes tool permission errors so painful in practice: it's not just that the operation fails. It's that your LLM agent doesn't understand why it failed and can't recover gracefully.
The default behavior in most agent frameworks when a tool returns an error is to either retry the exact same action (wasting tokens and hitting the same wall) or to hallucinate a fix ("I'll just run sudo chmod 777" — which also fails because the agent doesn't have sudo access, creating a comedy of errors).
OpenClaw has a better pattern for this. You can configure permission error handlers that intercept tool failures and provide the agent with actionable context:
agent:
name: smart_analyst
error_handling:
permission_denied:
strategy: inform_and_redirect
message_template: |
The tool '{tool_name}' was denied permission to {action} at {path}.
Available writable directories: {writable_paths}
Available readable directories: {readable_paths}
Please retry using an allowed path.
max_retries: 2
fallback: ask_user
This is huge. Instead of the agent seeing "Permission denied" and flailing, it gets a structured message that says: "You can't write to /root/desktop. You can write to /workspace/output. Try again." The agent can actually use this information to adjust its approach.
The fallback: ask_user option is the safety valve. If the agent still can't figure it out after the retry limit, it pauses and asks the human operator for guidance instead of spiraling. I've found this single setting eliminates about 80% of the "agent stuck in a loop" incidents I used to deal with.
The Nuclear Option (And Why You Shouldn't Use It)
I know what some of you are thinking. "Can I just disable all permissions and run in unrestricted mode?"
Yes. You can.
environment:
sandbox: false # DO NOT DO THIS IN PRODUCTION
This turns off the sandbox entirely and lets your agent tools run with whatever permissions your host process has. This is fine for a quick five-minute test on a throwaway machine. It is absolutely not fine for anything else. I've seen agents in unrestricted mode:
- Delete the project directory they were supposed to be analyzing
- Attempt to install system-level packages that broke the host Python environment
- Try to read environment variables containing API keys and include them in LLM context
- Execute
curlcommands to external URLs with sensitive data in the payload
Don't do it. Take the twenty minutes to set up proper permissions. Future you will be grateful.
My Recommended Setup for Getting Started
If you're building your first real OpenClaw agent and you want a solid, secure starting config that won't leave you debugging permission errors all weekend, here's what I use as my baseline:
agent:
name: my_agent
tools:
- file_read
- file_write
- python_executor
- http_request
permissions:
filesystem:
write:
- /workspace/output
- /workspace/tmp
read:
- /workspace/data
- /workspace/output
execution:
allow_subprocess: true
allow_network: false # network handled separately
allowed_commands:
- python3
- pip install --user *
max_execution_time: 60s
network:
allow_outbound: true
allowed_domains: [] # add as needed
timeout: 15s
error_handling:
permission_denied:
strategy: inform_and_redirect
max_retries: 2
fallback: ask_user
environment:
mounts:
- host: ./data
container: /workspace/data
mode: ro
- host: ./output
container: /workspace/output
mode: rw
- host: ./tmp
container: /workspace/tmp
mode: rw
user: "1000:1000"
Start with this, then add permissions as your agent needs them. It's much easier to grant a specific permission when you see a clear error than to debug why your agent did something unexpected because it had too many permissions.
Skip the Setup: Felix's OpenClaw Starter Pack
Honestly? If you don't want to configure all of this manually — and I don't blame you, because getting the permissions, mounts, error handlers, and tool configs right from scratch involves a lot of trial and error — check out Felix's OpenClaw Starter Pack on Claw Mart.
It's a $29 bundle of pre-configured skills and agent templates that already have sane permission settings baked in. The file operation skills come with proper read/write path configs. The code execution tools have sensible capability grants and security boundaries. The error handling is already set up with the inform-and-redirect pattern I described above.
I spent a weekend getting my first agent's permissions dialed in correctly. Felix's pack would have saved me that weekend. If you're just starting out with OpenClaw or you keep running into the same permission errors and want a known-good starting point, it's the easiest path I've found. You can always customize from there once you understand the permission model — but starting from working configs and tweaking is way faster than starting from scratch and guessing.
Quick Debugging Checklist
When you hit a permission error in OpenClaw, run through this before you do anything else:
- Check the actual error message. Is it filesystem, execution, or network? This narrows your search to one section of the config.
- Verify your mount paths. Are you using container paths in your permission config, not host paths? This trips up everyone at least once.
- Check read vs. write. You might have read access but not write, or vice versa.
- Check UID/GID. If you're on Linux and files are owned by a different user, set the
userfield in your environment config. - Enable verbose logging. OpenClaw should have a debug log level that shows exactly which permission check failed and why. Turn it on. Read it. It's usually obvious once you can see it.
- Don't chmod 777. I'm serious. Fix the actual permission grant. The sandboxing exists to protect you.
What's Next
Once you've got permissions sorted, the real fun starts. You can build agents that actually do useful work — analyzing data, generating reports, researching topics, automating workflows — without worrying that they'll either break themselves or break your system.
If you're still stuck on a specific error after going through everything above, check the OpenClaw community channels. Permission issues are so common that there's almost certainly someone who's hit your exact problem before. And if you want to skip the pain entirely and start from a solid foundation, the Felix's Starter Pack is genuinely the fastest way I've found to go from zero to a working, properly-sandboxed agent.
Now go build something useful.