OpenClaw Agent File Permissions: Complete Guide
Every OpenClaw agent runs inside a workspace, and that workspace has boundaries. The openclaw.json file is the configuration that defines what files an agent can read, write, and execute. Get permissions wrong and your agent either breaks with cryptic errors or gets access to files it should never touch. This guide covers how openclaw.json controls file access, default vs custom permissions, common errors and their fixes, and best practices for running multiple agents on the same machine.
How OpenClaw File Permissions Work
OpenClaw uses a permission model inspired by the principle of least privilege. By default, agents can only access files within their own workspace directory. Everything outside that boundary is blocked unless you explicitly allow it.
The permission system has three layers. The first layer is the workspace root, which is the directory where the agent lives. The second layer is the openclaw.json configuration file, which overrides defaults with custom rules. The third layer is runtime enforcement, where OpenClaw checks every file operation against the permission rules before allowing it to proceed.
When an agent tries to read, write, or delete a file, OpenClaw intercepts the operation and checks it against the permission rules defined in openclaw.json. If the operation is allowed, it proceeds. If not, the agent receives a permission denied error and the operation is blocked. This happens transparently. The agent does not need to know about the permission system. It simply gets an error when it tries something it is not allowed to do.
The openclaw.json File: Structure and Syntax
The openclaw.json file lives in the root of your agent's workspace directory. It is the single source of truth for all permission rules. Here is the complete structure:
{
"agent": "radar",
"workspace": {
"root": "./",
"allowPaths": [
"./data/**",
"./reports/**",
"./config/*.yaml"
],
"denyPaths": [
"./.env",
"./.env.*",
"./secrets/**",
"./node_modules/**"
],
"permissions": {
"read": true,
"write": true,
"delete": false,
"execute": false
}
},
"shared": {
"paths": [
"/shared/datasets/**"
],
"readOnly": true
},
"env": {
"allowEnv": [
"OPENAI_API_KEY",
"DATABASE_URL",
"NODE_ENV"
]
},
"network": {
"allowNetwork": true,
"allowDomains": [
"api.openai.com",
"api.anthropic.com"
]
}
}Let us break down each section.
agent
The name of the agent this configuration applies to. This must match the agent name used when you run openclaw agent --agent [name].
workspace.root
The root directory of the agent's workspace. Use './' for the current directory. All relative paths in allowPaths and denyPaths are resolved relative to this root.
workspace.allowPaths
An array of glob patterns defining which files and directories the agent can access. Supports standard glob syntax: ** for recursive matching, * for single-level wildcards, and specific file extensions like *.yaml.
workspace.denyPaths
An array of glob patterns for files that are explicitly blocked. Deny rules take priority over allow rules. If a path matches both an allow and a deny pattern, it is blocked.
workspace.permissions
Global permission flags for the workspace. Set read, write, delete, and execute independently. These act as a top-level gate. Even if a path is in allowPaths, the agent cannot write to it if permissions.write is false.
shared
Configuration for shared directories that multiple agents can access. The readOnly flag prevents the agent from modifying shared files, which is critical for preventing conflicts in multi-agent setups.
env
Controls which environment variables the agent can read. Only the variables listed in allowEnv are accessible. All others are hidden from the agent.
network
Controls outbound network access. Set allowNetwork to false to block all internet access, or use allowDomains to whitelist specific API endpoints.
Default Permissions vs Custom Permissions
When you deploy an agent without an openclaw.json file, OpenClaw applies a set of default permissions. Understanding these defaults helps you decide when you need a custom configuration and when the defaults are sufficient.
| Setting | Default Value | When to Customize |
|---|---|---|
| workspace.root | Agent directory | When the agent needs to access files outside its own folder |
| allowPaths | ["./**"] | When you want to restrict access to specific subdirectories only |
| denyPaths | [".env", ".env.*"] | When you have additional sensitive files like credentials or private keys |
| read | true | Rarely changed. Agents almost always need read access |
| write | true | Set to false for read-only agents like monitors and auditors |
| delete | false | Enable only for cleanup agents that need to remove old files |
| execute | false | Enable for agents that need to run scripts or binaries |
| allowNetwork | true | Set to false for agents handling sensitive data that should not call external APIs |
The defaults are conservative. Delete and execute are disabled. Env files are blocked. This means a freshly deployed agent cannot accidentally delete your project files or run arbitrary scripts. But the defaults also give the agent full read and write access to its workspace directory, which might be too broad for production deployments.
For production, always create an explicit openclaw.json with the minimum permissions your agent needs. A monitoring agent that only reads log files should not have write access. A report generator that writes to a specific output folder should not have access to your entire project tree.
Common Errors and How to Fix Them
Permission errors are the most common issue when deploying OpenClaw agents. Here are the errors you will encounter and exactly how to fix each one.
Error: EPERM - Permission denied: /path/to/file
The agent tried to access a file that is not in its allowPaths or is explicitly listed in denyPaths.
Fix:
// Add the path to allowPaths in openclaw.json "allowPaths": [ "./data/**", "./path/to/file" // Add the specific file or directory ] // Then restart the agent session // openclaw agent restart --agent [name]
Error: EACCES - Write operation blocked
The file is in allowPaths but the global write permission is set to false, or the shared path is configured as readOnly.
Fix:
// Check workspace.permissions.write is true
"permissions": {
"read": true,
"write": true // Must be true for write operations
}
// If accessing a shared path, check readOnly
"shared": {
"paths": ["/shared/data/**"],
"readOnly": false // Set to false if this agent needs to write
}Error: ENOENT - Workspace root not found
The workspace.root path in openclaw.json does not exist or is misspelled.
Fix:
// Verify the root directory exists
// ls -la /path/to/workspace
// Use relative path from openclaw.json location
"workspace": {
"root": "./" // Relative to where openclaw.json lives
}
// Or use absolute path
"workspace": {
"root": "/home/deploy/agents/radar"
}Error: ENV_BLOCKED - Environment variable not accessible
The agent tried to read an environment variable that is not listed in env.allowEnv.
Fix:
// Add the variable to allowEnv
"env": {
"allowEnv": [
"OPENAI_API_KEY",
"DATABASE_URL",
"MY_NEW_VARIABLE" // Add the missing variable
]
}Error: DENY_OVERRIDE - Path matches deny rule
The file matches both an allowPaths pattern and a denyPaths pattern. Deny always wins.
Fix:
// Remove the file from denyPaths if the agent truly needs access "denyPaths": [ "./.env", // "./config/secrets.yaml" // Remove this if agent needs it ] // Or restructure your files so sensitive data is separate // from files the agent needs to access
Error: Permission changes not taking effect
You updated openclaw.json but the agent still gets the same permission errors.
Fix:
// OpenClaw caches permissions at session start // You must restart the agent session // Option 1: Restart the agent // openclaw agent restart --agent radar // Option 2: Clear the session and start fresh // rm ~/.openclaw/agents/radar/sessions/sessions.json // openclaw agent --agent radar --message "test"
Best Practices for Multi-Agent Setups
Running multiple agents on the same machine introduces coordination challenges. File permissions become critical when two or more agents interact with overlapping directories. Here are the practices that prevent problems.
Give each agent its own workspace directory
Never put two agents in the same root directory. Each agent should have its own folder under a parent directory. For example, /agents/orion/, /agents/echo/, and /agents/radar/. Each agent's openclaw.json lives in its own directory with permissions scoped to that space.
Use a shared directory with strict read/write separation
When agents need to exchange data, create a dedicated /shared/ directory. Configure the producing agent with write access and all consuming agents with readOnly access. For example, Radar writes SEO reports to /shared/seo-reports/ and Echo reads them to write blog content. Echo should never write to that directory.
Always deny .env and secret files
Every openclaw.json should deny access to .env, .env.*, credentials.json, *.pem, and *.key files. Even if an agent seems like it needs database credentials, pass those through the env.allowEnv array instead. This prevents agents from reading raw credential files on disk.
Disable delete permissions by default
Keep permissions.delete set to false unless the agent specifically needs to clean up files. A bug in an agent's logic that tries to delete files will be caught by the permission system instead of destroying your data. Only cleanup and maintenance agents should have delete enabled.
Scope allowPaths as narrowly as possible
Avoid using './**' in production. Instead of giving an agent access to the entire workspace, list the specific directories it actually needs. An SEO agent needs ./reports/** and ./data/keywords/**. It does not need ./config/** or ./scripts/**.
Use separate env allowlists per agent
Each agent should only see the environment variables it needs. Orion (the PM agent) needs the Telegram bot token and the Convex API key. Radar (the SEO agent) needs the GSC service account and GA4 credentials. Do not share the full environment across all agents.
Lock down network access for data-processing agents
Agents that process sensitive customer data, financial records, or health information should have allowNetwork set to false. If they need to call a specific API, use allowDomains to whitelist only that endpoint. A compliance auditing agent should not be able to send data to arbitrary external servers.
Real-World Example: Three-Agent Setup
Here is a production-ready multi-agent configuration with Orion (project manager), Echo (content writer), and Radar (SEO analyst) running on the same server. Each agent has its own openclaw.json with properly scoped permissions.
Directory structure:
/agents/
orion/
SOUL.md
openclaw.json
tasks/
reports/
echo/
SOUL.md
openclaw.json
drafts/
published/
radar/
SOUL.md
openclaw.json
data/
seo-reports/
shared/
briefs/ # Orion writes, Echo reads
seo-reports/ # Radar writes, Echo reads
keywords/ # Radar writes, Orion readsOrion (PM) - openclaw.json:
{
"agent": "orion",
"workspace": {
"root": "./",
"allowPaths": [
"./tasks/**",
"./reports/**"
],
"denyPaths": ["./.env", "./.env.*"],
"permissions": {
"read": true,
"write": true,
"delete": false,
"execute": false
}
},
"shared": {
"paths": [
"/agents/shared/briefs/**",
"/agents/shared/keywords/**"
],
"readOnly": false
},
"env": {
"allowEnv": ["TELEGRAM_BOT_TOKEN", "CONVEX_URL"]
}
}Echo (Writer) - openclaw.json:
{
"agent": "echo",
"workspace": {
"root": "./",
"allowPaths": [
"./drafts/**",
"./published/**"
],
"denyPaths": ["./.env", "./.env.*"],
"permissions": {
"read": true,
"write": true,
"delete": false,
"execute": false
}
},
"shared": {
"paths": [
"/agents/shared/briefs/**",
"/agents/shared/seo-reports/**"
],
"readOnly": true
},
"env": {
"allowEnv": ["OPENAI_API_KEY"]
}
}Radar (SEO) - openclaw.json:
{
"agent": "radar",
"workspace": {
"root": "./",
"allowPaths": [
"./data/**",
"./seo-reports/**"
],
"denyPaths": ["./.env", "./.env.*"],
"permissions": {
"read": true,
"write": true,
"delete": false,
"execute": false
}
},
"shared": {
"paths": [
"/agents/shared/seo-reports/**",
"/agents/shared/keywords/**"
],
"readOnly": false
},
"env": {
"allowEnv": ["GSC_SERVICE_ACCOUNT", "GA4_PROPERTY_ID"]
},
"network": {
"allowNetwork": true,
"allowDomains": [
"www.googleapis.com",
"searchconsole.googleapis.com",
"analyticsdata.googleapis.com"
]
}
}Notice the pattern. Orion writes briefs to the shared directory and reads keywords. Echo reads briefs and SEO reports but cannot modify them. Radar writes SEO reports and keywords but only connects to Google APIs. No agent can delete files. No agent can access another agent's private workspace. Each agent sees only the environment variables it needs.
Advanced: Glob Pattern Reference
The allowPaths and denyPaths arrays in openclaw.json use glob patterns. Here is a quick reference for the patterns you will use most often.
| Pattern | Matches | Example |
|---|---|---|
| * | Any file in the current directory | ./data/* matches ./data/report.csv but not ./data/archive/old.csv |
| ** | All files recursively in all subdirectories | ./data/** matches ./data/report.csv and ./data/2026/march/report.csv |
| *.ext | All files with a specific extension | ./config/*.yaml matches ./config/main.yaml but not ./config/db.json |
| **/*.ext | All files with extension, recursively | ./logs/**/*.log matches logs at any depth |
| file.txt | A specific file | ./config/settings.json matches exactly that file |
A common mistake is using ** when you mean *. The pattern ./data/* only matches files directly inside ./data/. If your agent needs to access nested subdirectories, you need ./data/**. Conversely, if you want to restrict access to only the top level of a directory, use * to prevent recursive access.
Security Checklist
Before deploying any agent to production, run through this checklist to make sure your permissions are locked down.
openclaw.json exists in the agent's root directory
allowPaths lists only the directories the agent actually needs
denyPaths includes .env, .env.*, *.pem, *.key, and credentials files
permissions.delete is false unless the agent specifically needs to delete files
permissions.execute is false unless the agent needs to run scripts
env.allowEnv lists only the specific variables the agent needs
network.allowDomains is set if the agent only needs to call specific APIs
Shared paths use readOnly: true for agents that should not modify shared data
No two agents have write access to the same shared directory
The agent session has been restarted after any openclaw.json changes
Frequently Asked Questions
What happens if I do not create an openclaw.json file?
OpenClaw uses default permissions when no openclaw.json exists. The agent gets read access to the project root directory and its subdirectories, but cannot write to any files outside its own workspace folder. This is safe for testing, but you should define explicit permissions before deploying to production.
Can two agents share the same workspace directory?
Yes, but you need to configure shared access carefully. Both agents must have the shared directory listed in their allowPaths. Use the readOnly flag for agents that only need to read shared data, and grant write access only to the agent responsible for updating those files. This prevents race conditions and accidental overwrites.
How do I give an agent access to environment variables?
Environment variables are controlled through the env section in openclaw.json, not through file permissions. List the specific variable names your agent needs in the allowEnv array. Never use a wildcard pattern for environment variables, as that would expose all system variables including secrets the agent does not need.
Why does my agent get a permission denied error even after updating openclaw.json?
OpenClaw caches the permission configuration when an agent session starts. After updating openclaw.json, you need to restart the agent session for changes to take effect. Run openclaw agent restart or delete the session file at ~/.openclaw/agents/[agent-name]/sessions/sessions.json and start a new session.
Can I restrict an agent from accessing the internet?
Yes. The network section in openclaw.json controls outbound access. Set allowNetwork to false to completely block internet access, or use allowDomains to whitelist specific domains the agent can reach. This is useful for agents that process sensitive data and should not be able to exfiltrate information.
See what AI agents can do for your site
Scan Your Site Free. Enter your URL and get an SEO analysis with a personalized AI team recommendation in 30 seconds.
Deploy a Ready-Made AI Agent
Skip the setup. Pick a template and deploy in 60 seconds.