Why disk and shell access needs adult defaults
Interactive demos reward broad permissions because the human in the loop notices mistakes before they become incidents. Production agents run unattended loops, retried tool calls, and occasionally creative interpretations of natural language instructions. If the POSIX user behind the gateway can read secrets, mutate repositories, or spawn shells without narrow working directories, you have delegated root-like agility to a stochastic process.
workspaceAccess is the declarative story for which trees are legitimate working context versus ambient filesystem noise. It should reflect how your repository is laid out, where build outputs land, and which paths must never appear in tool responses. Treat it like firewall rules: explicit permits with documented exceptions, not an implicit allow on $HOME.
Shell tools compound risk because they inherit environment variables, aliases, and sometimes unexpected paths from login scripts. Even read-only file tools can leak structure that helps an attacker chain prompts. Write-capable tools can rewrite configuration that the gateway loads on next restart, which turns a single bad automation into persistent compromise.
Least privilege is not only Unix permissions. It is also model policy: which automations may call mutating tools, which must stay read-only, and which require human confirmation. The human-in-the-loop and Lobster workflow article is the right companion when you need structured approvals instead of silent shell.
Operational teams already know the value of repeatable diagnostics. When permissions drift, symptoms look like flaky channels or mysterious file-not-found errors. Reusing the ladder from gateway status through doctor and logs keeps security incidents inside a familiar playbook instead of inventing panic-specific wiki pages.
Finally, remember that configuration travels. A laptop with permissive workspaceAccess becomes a template that someone copies into CI and then into a customer-facing gateway. Encode production posture in versioned config, review it like application code, and test downgrades with the rollback habits from install and rollback guides.
Multi-tenant or shared build hosts amplify mistakes: one agent workspace that can see another team’s artifacts is a confidentiality breach waiting for the wrong prompt. Separate users, separate roots, or separate machines. Document the boundary in onboarding so new hires do not flatten it for convenience on day one.
Quantitative monitoring matters as much as declarations. Count denied path attempts, shell invocations per hour, and distinct files touched per session. Spikes often precede runaway automations or prompt injection attempts that try to exfiltrate through file reads.
Your reverse proxy and TLS edge do not replace filesystem policy, but they shape trust in remote control planes. Keep TLS and origin rules aligned with reverse proxy guidance so administrative interfaces are not accidentally exposed while you tighten local disk rules.
Pain points
Pain 1: The gateway user owns too much. When the service account can read .ssh, cloud CLI caches, or browser profiles, any file tool becomes a secret exfiltration channel. Shrink the account before you argue about model alignment.
Pain 2: Writable workspace equals supply-chain risk. Agents that can patch package.json, shell profiles, or gateway configuration on disk can persist malicious behavior across restarts. Separate read-only research agents from release agents with explicit promotion steps.
Pain 3: Shell tools bypass higher-level intent. A shell can chain utilities the product team never reviewed. Log argv slices, working directories, and exit codes; block recursive deletes and arbitrary curl-to-file patterns unless policy allows.
Pain 4: MCP and native tools disagree on scope. An MCP server started with a broad environment may reach paths OpenClaw file tools hide. Align lifecycle and restart rules with MCP stdio and transport limits so permission changes actually take effect.
Pain 5: Doctor passes while reality rots. Doctor validates files and known checks, not every runtime syscall. Combine it with manual spot checks, auditd or endpoint logs, and periodic prompts that attempt known-forbidden reads.
Threat model in plain language
Assume prompts can be manipulated by untrusted content the agent reads from the web or from user uploads. Assume models will occasionally follow harmful instructions when stressed by retries. Assume operators will paste secrets into chats. Your controls must survive those defaults.
Filesystem threats split into confidentiality, integrity, and availability. Confidentiality breaks when agents read credentials or customer data outside their ticket. Integrity breaks when agents rewrite code or configuration. Availability breaks when shell tools fork bombs, fill disks, or delete artifacts.
Network-facing gateways add another class: an attacker who can reach the control channel might coerce tool calls remotely. That is why inbound hardening in SSRF and webhook-focused production articles belongs in the same program as disk limits. The attack path often chains remote input to local action.
Insider threats and compromised laptops are part of the model too. Least privilege limits blast radius when a developer key leaks. It also makes forensic timelines shorter because fewer accounts can mutate sensitive trees.
Automation identity should be boring: a dedicated user with no interactive login, no password auth, and keys usable only from expected networks. On macOS gateways, pair that mindset with the daemon patterns in launchd and systemd matrices so restarts recover cleanly without widening permissions “temporarily”.
Finally, consider dependency supply chain: agents that run package installs can pull malicious scripts. If you must allow installs, do so in ephemeral environments or dedicated build hosts, not on the same node that holds signing keys.
Decision matrix for workspace and command posture
| Posture | Strength | Operational cost | Risk if wrong | Best for |
|---|---|---|---|---|
| Narrow workspaceAccess root | Clear blast radius for file tools | Refactor paths when repos move | Broken builds if excludes hide needed headers | Single-repo automation |
| Read-only tool profile | Safe research and triage agents | Second profile for releases | Friction when users expect writes | Customer support assistants |
| Split gateway users per environment | Strong isolation of secrets | More units and key rotation | Config drift between envs | Regulated or multi-tenant teams |
| Shell allowlist or wrapper | Blocks surprise pipelines | Maintain list as tools evolve | False negatives if bypassed via interpreters | High-risk production clusters |
| Permissive onboarding sandbox | Fast iteration for new hires | Must be retired deliberately | Accidental promotion to prod | Week-one learning hosts only |
Pick a default row for production, allow a looser row only on disposable hosts, and schedule quarterly reviews because repositories grow new sensitive folders over time.
How-to: declare boundaries and validate them
{
"workspaceAccess": {
"root": "/var/openclaw/work/crm-sync",
"allowReadGlobs": [
"/var/openclaw/work/crm-sync/**",
"/var/openclaw/shared/readme/**"
],
"denyGlobs": [
"**/.ssh/**",
"**/.aws/**",
"**/.config/gcloud/**",
"/var/openclaw/secrets/**"
]
},
"agents": {
"profiles": {
"readonly-triage": { "tools": { "shell": false, "fileWrite": false } },
"release-bot": { "tools": { "shell": "restricted", "fileWrite": true } }
}
}
}
Field names vary by distribution; treat the JSON as structural guidance. Secrets belong in environment variables or a vault, not inline in files that agents can read.
Step 1 map every path your playbooks touch, including caches, test fixtures, and generated directories. Step 2 set workspaceAccess to the smallest root that still builds. Step 3 split profiles so only release automation may write or invoke shell. Step 4 cold restart the gateway, then run openclaw doctor and compare with the channel checks in gateway operations guidance. Step 5 execute a scripted trio of tests: allowed read, denied read, and approved write, capturing logs with redacted arguments. Step 6 document owners and rollback using snapshot discipline from install guides. Step 7 align session spawning limits with sessions and allowAgents notes so concurrency does not multiply shell tools unexpectedly.
Quantitative guardrails
Track shell invocations per automation per hour and set alert thresholds that reflect normal business hours. Sudden doubling often means a runaway loop or a prompt attack.
Measure denied path attempts separately from tool errors. A steady deny baseline is healthy; a spike merits investigation even if users never complain.
File descriptor and child process counts belong on the same dashboard as CPU and RAM. MCP or shell leaks show up there before users see sluggish channels.
Monitor disk free space on artifact volumes. Agents that fetch large datasets can fill partitions; combine quotas with separate volumes for build outputs.
Log retention should cover at least two release cycles so you can reconstruct whether a bad deploy coincided with new tool permissions. Align rotation policies with unified logging articles you already use for SFTP and gateway hosts.
Set SLOs for gateway restart duration after permission changes. If restarts are slow, teams avoid them and drift accumulates. Daemon health matrices help keep restart time predictable.
Review effective permissions quarterly with a simple script that lists world-readable files under the workspace root containing keywords like BEGIN PRIVATE KEY. Automation finds accidents humans miss.
Capture p95 latency for tool calls; steep rises may indicate excessive directory walks after overly broad globbing. Tighten patterns when metrics justify the engineering time.
Onboarding versus production and the doctor ladder
Onboarding should feel fast, but production should feel boring. Use different hosts or containers, different workspaceAccess roots, and different API keys. Never copy a permissive laptop JSON into a customer gateway “just to unblock a demo”.
Teach new engineers the same diagnostic ladder as operations: observe gateway status, confirm process health, run openclaw doctor, then read structured logs. That mirrors the official troubleshooting mindset without turning every security tweak into a mystery.
When you tighten permissions, do it during a window where you can restart cleanly. Partial applies straddle the same failure mode described for MCP transports; cold restart to avoid zombie tool servers.
Document which automations are allowed to call shell versus file-only tools. Store that matrix beside runbooks for incident response so on-call engineers do not guess under pressure.
Reading order we recommend: start with gateway operations and doctor, then sessions and allowAgents, then MCP lifecycle, then this least-privilege article, then SSRF-style production hardening and reverse proxy TLS. Consistency beats novelty during incidents.
Pair technical controls with people controls: code review for JSON changes, mandatory second reviewer for shell-enabled profiles, and periodic tabletop exercises that include a malicious prompt scenario.
Suggested reading order: gateway status and doctor, session spawn limits, MCP transports, workspace hardening, outbound SSRF thinking, TLS edge, install rollback, daemon health. Keep bookmarks identical across regions so distributed teams share language.
Glossary
workspaceAccess declares which filesystem regions tool calls may treat as in-scope for a gateway instance.
Least privilege grants the minimum rights required for a defined automation task and no more.
Shell tool exposes operating system command execution to the model through a controlled interface.
File tool reads or writes structured content without necessarily invoking a shell.
Read-only profile allows inspection without mutation, ideal for triage bots.
Release profile may write build outputs or merge commits under explicit policy.
Cold restart stops the gateway process completely before starting again to flush caches and child processes.
openclaw doctor runs static checks against configuration and environment expectations.
Gateway status summarizes process health, channels, and sometimes version skew across components.
allowAgents gates which agent types or profiles may run when sessions spawn frequently.
MCP server extends tools through a separate process or HTTP transport with its own permissions.
Prompt injection is untrusted text that attempts to override operator intent inside a session.
Blast radius describes how far a compromise spreads across filesystems and identities.
POSIX user is the operating system account whose privileges tool calls inherit.
Deny glob is a pattern that blocks paths even if they sit under an allowed tree.
Audit log records tool decisions with redacted arguments suitable for security review.
Onboarding posture temporarily relaxes controls to accelerate learning on disposable hosts.
Production posture maximizes friction for dangerous operations while preserving throughput for approved tasks.
Human-in-the-loop requires a person to approve sensitive tool invocations before they execute.
Supply chain covers dependencies fetched during builds or runtime installs.
Ephemeral environment is a short-lived workspace destroyed after a job completes.
Session spawn storm happens when automation or bugs create excessive concurrent agents.
Tool argv lists arguments passed to shell commands and should be logged carefully.
Working directory anchors relative paths for shell and file operations.
Configuration drift is silent divergence between documented policy and running JSON.
Rollback snapshot captures known-good configuration before risky edits.
Hosted remote Mac is managed Apple hardware suited to gateways and artifact delivery via SFTP patterns.
FAQ and hosted Mac bridge
Does doctor prove the model cannot escape the workspace?
No. Doctor helps catch misconfiguration; OS permissions, separate accounts, and monitoring still matter. Use synthetic prompts that attempt forbidden reads and verify denials in logs.
Should onboarding and production share one gateway user?
Avoid sharing. If impossible, isolate with distinct profiles, keys, and roots, and never reuse production secrets on learning hosts.
Where do MCP servers fit in least privilege?
Each server is its own trust boundary. Restart after transport or permission changes and read MCP stdio guidance to avoid leaked processes.
Summary: Treat workspaceAccess and shell scope as production security controls. Layer gateway status, openclaw doctor, and structured logs the same way you troubleshoot channels.
Limits: Self-hosted gateways combine model risk with operating system risk. SFTPMAC hosted remote Mac offers Apple builders a managed node pattern that pairs well with disciplined OpenClaw gateways and stable file delivery for artifacts.
When you tighten scopes, communicate the reading order above to every region so incidents do not fragment into incompatible playbooks.
Explore SFTPMAC when you want a remote Mac platform that respects production boundaries while keeping gateways and file transfer predictable.