diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 1b6c1fe8e..cd71d1688 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "198083cde3a15453230ce302ef9c544048195122", - "syncedAt": "2026-04-05T16:17:53.738Z" + "sha": "a74fb94fa374d7fc4ee92001dc6438fcff87bf22", + "syncedAt": "2026-04-05T17:02:19.724Z" } diff --git a/docs/tools/exec-approvals.md b/docs/tools/exec-approvals.md index 0d139da44..965884dfd 100644 --- a/docs/tools/exec-approvals.md +++ b/docs/tools/exec-approvals.md @@ -113,6 +113,7 @@ Important distinction: - `tools.exec.host=auto` chooses where exec runs: sandbox when available, otherwise gateway. - YOLO chooses how host exec is approved: `security=full` plus `ask=off`. +- In YOLO mode, OpenClaw does not add a separate heuristic command-obfuscation approval gate on top of the configured host exec policy. - `auto` does not make gateway routing a free override from a sandboxed session. A per-call `host=node` request is allowed from `auto`, and `host=gateway` is only allowed from `auto` when no sandbox runtime is active. If you want a stable non-auto default, set `tools.exec.host` or use `/exec host=...` explicitly. If you want a more conservative setup, tighten either layer back to `allowlist` / `on-miss` diff --git a/docs/tools/exec.md b/docs/tools/exec.md index ae1c64444..413d18646 100644 --- a/docs/tools/exec.md +++ b/docs/tools/exec.md @@ -66,6 +66,7 @@ Notes: - `tools.exec.ask` (default: `off`) - No-approval host exec is the default for gateway + node. If you want approvals/allowlist behavior, tighten both `tools.exec.*` and the host `~/.openclaw/exec-approvals.json`; see [Exec approvals](/tools/exec-approvals#no-approval-yolo-mode). - YOLO comes from the host-policy defaults (`security=full`, `ask=off`), not from `host=auto`. If you want to force gateway or node routing, set `tools.exec.host` or use `/exec host=...`. +- In `security=full` plus `ask=off` mode, host exec follows the configured policy directly; there is no extra heuristic command-obfuscation prefilter. - `tools.exec.node` (default: unset) - `tools.exec.strictInlineEval` (default: false): when true, inline interpreter eval forms such as `python -c`, `node -e`, `ruby -e`, `perl -e`, `php -r`, `lua -e`, and `osascript -e` always require explicit approval. `allow-always` can still persist benign interpreter/script invocations, but inline-eval forms still prompt each time. - `tools.exec.pathPrepend`: list of directories to prepend to `PATH` for exec runs (gateway + sandbox only).