Tool allow/deny lists are a machine-enforced boundary that determines which tools an agent is allowed to call at runtime. In OpenClaw, this maps to tool policy controls like tool profiles and explicit allow and deny lists, and it is one of the fastest ways to reduce blast radius when an agent gets confused or is prompt-injected.
For enterprise use, prompt-only rules are not sufficient because they are not binding: the model can ignore them, and you cannot reliably prove what was allowed at execution time. Claw EA makes the boundary permissioned by binding tool policy to a WPC and issuing a CST that pins to that policy, then producing gateway receipts and a proof bundle for audit.
Step-by-step runbook
-
Inventory the agent’s tools and group them into profiles (for example: “read-only M365”, “ticketing write”, “devops break-glass”). Start with the smallest set that still completes the workflow, and keep shell and filesystem write tools out of the default profile.
-
Define OpenClaw tool policy: a base tool profile plus explicit allow and deny overrides per agent and per provider. Keep “elevated” tools separate so you can require a different approval path before host execution is possible.
-
Create a WPC that expresses the intended tool boundary and reference it by hash, so the policy used at runtime is unambiguous. Store the WPC in the WPC registry and treat updates as a code change with review, not as a prompt tweak.
-
Issue a CST (from clawscope) for the job with scope hash and optional policy hash pinning to the WPC. Use marketplace anti-replay binding so the CST is job-scoped and cannot be reused across runs.
-
Route model calls through clawproxy so you get gateway receipts for each model call, tied to the job and its CST. Keep the agent runtime fail-closed: if the proxy cannot verify the pinned policy hash, do not proceed with tool execution.
-
After execution, collect the proof bundle and store it with the job record, and optionally publish the Trust Pulse for external review. Use this as the evidence package for “what was allowed” and “what was actually called” during the run.
Threat model
Allow/deny lists are about preventing capability escalation, not making the model “behave.” Your baseline assumption should be: prompts are attacker-controlled inputs, tool schemas can be misused, and the model will sometimes attempt dangerous calls even when instructed not to.
| Threat | What happens | Control |
|---|---|---|
| Prompt injection triggers a high-impact tool | The agent tries to call shell, write files, or perform a destructive API operation because text asked it to. | Default-deny tool profile plus explicit allow list for only the tools needed in that workflow. |
| Tool confusion and parameter abuse | The agent uses a legitimate tool with unsafe arguments (for example, wildcard deletes, bulk email, or posting secrets into a ticket). | Split tools into narrow actions and deny bulk or admin variants; require a separate profile for risky operations. |
| Plugin sprawl expands attack surface | New extensions introduce tools that become callable by accident after a config change. | Pin tool availability to a reviewed profile and deny unknown tools by default; run OpenClaw security audit after changes. |
| Cross-run token reuse | A token minted for one job is replayed to run additional actions later. | Marketplace anti-replay binding with a job-scoped CST binding, and short TTL issuance policy. |
| Unverifiable “policy drift” during an incident | After a bad run, you cannot prove whether the agent was allowed to call a tool or whether the config changed mid-run. | WPC hash addressing plus CST optional policy hash pinning, and a proof bundle that includes gateway receipts. |
Policy-as-code example
This example shows a WPC-style policy intent for a Microsoft 365 workflow: the agent may read from Microsoft Graph via official API, but cannot send mail, delete files, or call host execution tools. In practice, you map this to OpenClaw tool policy (profile + allow + deny) and then pin the WPC hash into the CST.
{
"wpc_version": "v1",
"policy_name": "m365-readonly-triage",
"tools": {
"profile": "readonly",
"allow": [
"mcp.microsoft_graph.users.read",
"mcp.microsoft_graph.mail.read",
"mcp.microsoft_graph.calendar.read",
"web.get",
"text.search"
],
"deny": [
"mcp.microsoft_graph.mail.send",
"mcp.microsoft_graph.files.delete",
"exec",
"write",
"apply_patch",
"tools.elevated.*"
]
},
"token_binding": {
"require_cst_scope_hash": true,
"optional_policy_hash_pinning": true,
"job_scoped_anti_replay": true
}
}
If you are using Entra ID for Microsoft Graph, treat Graph permissions and Conditional Access as a second boundary, not the primary one. The allow/deny list should still block “mail.send” even if an app registration accidentally has that Graph permission, and PIM should be used to limit when elevated permissions are even available.
What proof do you get?
Each model call routed through clawproxy yields gateway receipts, which you can later verify and correlate to a specific job and CST. This is the minimal evidence that the model traffic was mediated and recorded under the configured constraints.
At the end of a run, Claw EA produces a proof bundle that packages the gateway receipts and related metadata needed for audit and verification. If you publish it, the Trust Pulse serves as the stored artifact for viewing and third-party review.
Rollback posture
Tool allow/deny lists are effective because rollback is operationally simple: you can remove a tool from the allow list and rerun under a new WPC, without changing prompts or retraining anything. For incidents, design your profiles so you can rapidly drop to “read-only” and still preserve basic triage.
| Action | Safe rollback | Evidence |
|---|---|---|
| Disable a risky tool (for example, mail send) | Update tool profile and deny list, publish a new WPC, and issue a new CST pinned to the new policy hash. | Proof bundle shows policy hash change boundary across runs, with gateway receipts per run. |
| Freeze tool surface during an incident | Drop to a minimal “read-only” profile and deny elevated tools; keep workflows running for investigation. | WPC hash reference in job record plus receipts tied to job-scoped CST binding. |
| Re-enable a tool with tighter scope | Replace a broad tool with narrower tools and only allow the narrow set; keep bulk variants denied. | Proof bundle and gateway receipts show which tool calls occurred and whether denied calls were blocked. |
| Post-incident audit and replay review | Verify receipts and policy bindings; compare effective tool policy across affected jobs. | Gateway receipts plus proof bundle, and optional Trust Pulse for external viewing. |
FAQ
How is a tool allow/deny list different from telling the agent “do not do X”?
A prompt is guidance that the model can ignore or misunderstand. A tool allow/deny list is enforced by the runtime, so disallowed calls cannot execute even if the model requests them.
Where does this control live in OpenClaw?
OpenClaw has a distinct tool policy layer that determines which tools are callable, separate from sandboxing (where tools run) and elevated execution (host escape hatch). Use tool profiles and explicit allow and deny lists, then verify the effective configuration with OpenClaw’s inspection and security audit tooling.
How do WPC and CST make this policy enforceable across a fleet?
A WPC is a signed, hash-addressed policy artifact served by clawcontrols, so the policy is stable and referencable. A CST (issued by clawscope) can include scope hash and optional policy hash pinning, so the job token is cryptographically bound to the intended policy version.
What evidence can I show an auditor after a bad run?
Gateway receipts from clawproxy show mediated model calls, and the proof bundle packages those receipts with metadata for verification. Together with the WPC hash and the CST binding, you can show what the agent was allowed to do and what it attempted during that job.
Does this replace Microsoft Graph permissions and Entra ID controls?
No. Graph permissions, Conditional Access, and PIM remain necessary for identity and least privilege, but they do not control the agent runtime’s tool surface by themselves. Use both: Graph to constrain what a tool could do, and tool allow/deny lists to constrain what the agent is allowed to try.