2026-01-08 01:06:09 +01:00
---
summary: "Per-agent sandbox + tool restrictions, precedence, and examples"
title: Multi-Agent Sandbox & Tools
read_when: "You want per-agent sandboxing or per-agent tool allow/deny policies in a multi-agent gateway."
status: active
---
2026-01-07 11:59:16 +01:00
# Multi-Agent Sandbox & Tools Configuration
## Overview
Each agent in a multi-agent setup can now have its own:
2026-01-31 21:13:13 +09:00
2026-01-09 12:44:23 +00:00
- **Sandbox configuration** (`agents.list[].sandbox` overrides `agents.defaults.sandbox` )
- **Tool restrictions** (`tools.allow` / `tools.deny` , plus `agents.list[].tools` )
2026-01-07 11:59:16 +01:00
This allows you to run multiple agents with different security profiles:
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
- Personal assistant with full access
- Family/work agents with restricted tools
- Public-facing agents in sandboxes
2026-01-19 01:35:17 +00:00
`setupCommand` belongs under `sandbox.docker` (global or per-agent) and runs once
when the container is created.
2026-01-15 04:41:38 +00:00
Auth is per-agent: each agent reads from its own `agentDir` auth store at:
```
2026-01-30 03:15:10 +01:00
~/.openclaw/agents/<agentId>/agent/auth-profiles.json
2026-01-15 04:41:38 +00:00
```
Credentials are **not ** shared between agents. Never reuse `agentDir` across agents.
If you want to share creds, copy `auth-profiles.json` into the other agent's `agentDir` .
2026-01-08 21:49:26 +01:00
For how sandboxing behaves at runtime, see [Sandboxing ](/gateway/sandboxing ).
2026-01-30 03:15:10 +01:00
For debugging “why is this blocked?”, see [Sandbox vs Tool Policy vs Elevated ](/gateway/sandbox-vs-tool-policy-vs-elevated ) and `openclaw sandbox explain` .
2026-01-08 21:49:26 +01:00
2026-01-07 11:59:16 +01:00
---
## Configuration Examples
### Example 1: Personal + Restricted Family Agent
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "main" ,
"default" : true ,
2026-01-07 11:59:16 +01:00
"name" : "Personal Assistant" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace" ,
2026-01-09 12:44:23 +00:00
"sandbox" : { "mode" : "off" }
2026-01-07 11:59:16 +01:00
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "family" ,
2026-01-07 11:59:16 +01:00
"name" : "Family Bot" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace-family" ,
2026-01-07 11:59:16 +01:00
"sandbox" : {
"mode" : "all" ,
"scope" : "agent"
} ,
"tools" : {
"allow" : [ "read" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "exec" , "write" , "edit" , "apply_patch" , "process" , "browser" ]
2026-01-07 11:59:16 +01:00
}
}
2026-01-09 12:44:23 +00:00
]
} ,
"bindings" : [
{
"agentId" : "family" ,
"match" : {
"provider" : "whatsapp" ,
"accountId" : "*" ,
"peer" : {
"kind" : "group" ,
"id" : "120363424282127706@g.us"
2026-01-07 11:59:16 +01:00
}
}
2026-01-09 12:44:23 +00:00
}
]
2026-01-07 11:59:16 +01:00
}
```
**Result: **
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
- `main` agent: Runs on host, full tool access
- `family` agent: Runs in Docker (one container per agent), only `read` tool
---
### Example 2: Work Agent with Shared Sandbox
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "personal" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace-personal" ,
2026-01-07 11:59:16 +01:00
"sandbox" : { "mode" : "off" }
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "work" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace-work" ,
2026-01-07 11:59:16 +01:00
"sandbox" : {
"mode" : "all" ,
"scope" : "shared" ,
"workspaceRoot" : "/tmp/work-sandboxes"
} ,
"tools" : {
2026-01-12 03:42:49 +00:00
"allow" : [ "read" , "write" , "apply_patch" , "exec" ] ,
2026-01-07 11:59:16 +01:00
"deny" : [ "browser" , "gateway" , "discord" ]
}
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
---
2026-01-13 06:28:15 +00:00
### Example 2b: Global coding profile + messaging-only agent
``` json
{
"tools" : { "profile" : "coding" } ,
"agents" : {
"list" : [
{
"id" : "support" ,
"tools" : { "profile" : "messaging" , "allow" : [ "slack" ] }
}
]
}
}
```
**Result: **
2026-01-31 21:13:13 +09:00
2026-01-13 06:28:15 +00:00
- default agents get coding tools
- `support` agent is messaging-only (+ Slack tool)
---
2026-01-07 11:59:16 +01:00
### Example 3: Different Sandbox Modes per Agent
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"defaults" : {
"sandbox" : {
2026-01-31 21:13:13 +09:00
"mode" : "non-main" , // Global default
2026-01-09 12:44:23 +00:00
"scope" : "session"
}
} ,
"list" : [
{
"id" : "main" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace" ,
2026-01-07 11:59:16 +01:00
"sandbox" : {
2026-01-31 21:13:13 +09:00
"mode" : "off" // Override: main never sandboxed
2026-01-07 11:59:16 +01:00
}
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "public" ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace-public" ,
2026-01-07 11:59:16 +01:00
"sandbox" : {
2026-01-31 21:13:13 +09:00
"mode" : "all" , // Override: public always sandboxed
2026-01-07 11:59:16 +01:00
"scope" : "agent"
} ,
"tools" : {
"allow" : [ "read" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "exec" , "write" , "edit" , "apply_patch" ]
2026-01-07 11:59:16 +01:00
}
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
---
## Configuration Precedence
2026-01-09 12:44:23 +00:00
When both global (`agents.defaults.*` ) and agent-specific (`agents.list[].*` ) configs exist:
2026-01-07 11:59:16 +01:00
### Sandbox Config
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
Agent-specific settings override global:
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
```
2026-01-09 12:44:23 +00:00
agents.list[].sandbox.mode > agents.defaults.sandbox.mode
agents.list[].sandbox.scope > agents.defaults.sandbox.scope
agents.list[].sandbox.workspaceRoot > agents.defaults.sandbox.workspaceRoot
agents.list[].sandbox.workspaceAccess > agents.defaults.sandbox.workspaceAccess
agents.list[].sandbox.docker.* > agents.defaults.sandbox.docker.*
agents.list[].sandbox.browser.* > agents.defaults.sandbox.browser.*
agents.list[].sandbox.prune.* > agents.defaults.sandbox.prune.*
2026-01-07 11:59:16 +01:00
```
2026-01-08 01:06:09 +01:00
**Notes: **
2026-01-31 21:13:13 +09:00
2026-01-09 12:44:23 +00:00
- `agents.list[].sandbox.{docker,browser,prune}.*` overrides `agents.defaults.sandbox.{docker,browser,prune}.*` for that agent (ignored when sandbox scope resolves to `"shared"` ).
2026-01-07 11:59:16 +01:00
### Tool Restrictions
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
The filtering order is:
2026-01-31 21:13:13 +09:00
2026-01-13 06:28:15 +00:00
1. **Tool profile ** (`tools.profile` or `agents.list[].tools.profile` )
2026-01-13 09:59:36 +00:00
2. **Provider tool profile ** (`tools.byProvider[provider].profile` or `agents.list[].tools.byProvider[provider].profile` )
3. **Global tool policy ** (`tools.allow` / `tools.deny` )
4. **Provider tool policy ** (`tools.byProvider[provider].allow/deny` )
5. **Agent-specific tool policy ** (`agents.list[].tools.allow/deny` )
6. **Agent provider policy ** (`agents.list[].tools.byProvider[provider].allow/deny` )
7. **Sandbox tool policy ** (`tools.sandbox.tools` or `agents.list[].tools.sandbox.tools` )
8. **Subagent tool policy ** (`tools.subagents.tools` , if applicable)
2026-01-07 11:59:16 +01:00
Each level can further restrict tools, but cannot grant back denied tools from earlier levels.
2026-01-09 12:44:23 +00:00
If `agents.list[].tools.sandbox.tools` is set, it replaces `tools.sandbox.tools` for that agent.
2026-01-13 06:28:15 +00:00
If `agents.list[].tools.profile` is set, it overrides `tools.profile` for that agent.
2026-01-13 09:59:36 +00:00
Provider tool keys accept either `provider` (e.g. `google-antigravity` ) or `provider/model` (e.g. `openai/gpt-5.2` ).
2026-01-07 11:59:16 +01:00
2026-01-12 21:51:26 +00:00
### Tool groups (shorthands)
2026-01-13 06:28:15 +00:00
Tool policies (global, agent, sandbox) support `group:*` entries that expand to multiple concrete tools:
2026-01-12 21:51:26 +00:00
- `group:runtime` : `exec` , `bash` , `process`
- `group:fs` : `read` , `write` , `edit` , `apply_patch`
- `group:sessions` : `sessions_list` , `sessions_history` , `sessions_send` , `sessions_spawn` , `session_status`
- `group:memory` : `memory_search` , `memory_get`
2026-01-13 06:28:15 +00:00
- `group:ui` : `browser` , `canvas`
- `group:automation` : `cron` , `gateway`
- `group:messaging` : `message`
- `group:nodes` : `nodes`
2026-01-30 03:15:10 +01:00
- `group:openclaw` : all built-in OpenClaw tools (excludes provider plugins)
2026-01-12 21:51:26 +00:00
2026-01-09 20:42:16 +00:00
### Elevated Mode
2026-01-31 21:13:13 +09:00
2026-01-09 20:42:16 +00:00
`tools.elevated` is the global baseline (sender-based allowlist). `agents.list[].tools.elevated` can further restrict elevated for specific agents (both must allow).
2026-01-08 22:57:08 +01:00
Mitigation patterns:
2026-01-31 21:13:13 +09:00
2026-01-12 02:49:55 +00:00
- Deny `exec` for untrusted agents (`agents.list[].tools.deny: ["exec"]` )
2026-01-08 22:57:08 +01:00
- Avoid allowlisting senders that route to restricted agents
2026-01-09 12:44:23 +00:00
- Disable elevated globally (`tools.elevated.enabled: false` ) if you only want sandboxed execution
2026-01-09 20:42:16 +00:00
- Disable elevated per agent (`agents.list[].tools.elevated.enabled: false` ) for sensitive profiles
2026-01-08 22:57:08 +01:00
2026-01-07 11:59:16 +01:00
---
## Migration from Single Agent
**Before (single agent): **
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"defaults" : {
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace" ,
2026-01-09 12:44:23 +00:00
"sandbox" : {
"mode" : "non-main"
}
}
} ,
"tools" : {
2026-01-07 11:59:16 +01:00
"sandbox" : {
"tools" : {
2026-01-12 03:42:49 +00:00
"allow" : [ "read" , "write" , "apply_patch" , "exec" ] ,
2026-01-07 11:59:16 +01:00
"deny" : [ ]
}
}
}
}
```
**After (multi-agent with different profiles): **
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "main" ,
"default" : true ,
2026-01-30 03:15:10 +01:00
"workspace" : "~/.openclaw/workspace" ,
2026-01-09 12:44:23 +00:00
"sandbox" : { "mode" : "off" }
2026-01-07 11:59:16 +01:00
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
2026-01-30 03:15:10 +01:00
Legacy `agent.*` configs are migrated by `openclaw doctor` ; prefer `agents.defaults` + `agents.list` going forward.
2026-01-07 11:59:16 +01:00
---
## Tool Restriction Examples
### Read-only Agent
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
"tools" : {
"allow" : [ "read" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "exec" , "write" , "edit" , "apply_patch" , "process" ]
2026-01-07 11:59:16 +01:00
}
}
```
### Safe Execution Agent (no file modifications)
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
"tools" : {
2026-01-12 02:49:55 +00:00
"allow" : [ "read" , "exec" , "process" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "write" , "edit" , "apply_patch" , "browser" , "gateway" ]
2026-01-07 11:59:16 +01:00
}
}
```
### Communication-only Agent
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
``` json
{
"tools" : {
2026-02-16 03:43:51 +01:00
"sessions" : { "visibility" : "tree" } ,
2026-01-09 23:35:35 +00:00
"allow" : [ "sessions_list" , "sessions_send" , "sessions_history" , "session_status" ] ,
2026-01-12 03:42:49 +00:00
"deny" : [ "exec" , "write" , "edit" , "apply_patch" , "read" , "browser" ]
2026-01-07 11:59:16 +01:00
}
}
```
---
2026-01-09 03:23:36 +01:00
## Common Pitfall: "non-main"
2026-01-09 12:44:23 +00:00
`agents.defaults.sandbox.mode: "non-main"` is based on `session.mainKey` (default `"main"` ),
2026-01-09 03:23:36 +01:00
not the agent id. Group/channel sessions always get their own keys, so they
are treated as non-main and will be sandboxed. If you want an agent to never
2026-01-09 12:44:23 +00:00
sandbox, set `agents.list[].sandbox.mode: "off"` .
2026-01-09 03:23:36 +01:00
---
2026-01-07 11:59:16 +01:00
## Testing
After configuring multi-agent sandbox and tools:
1. **Check agent resolution: **
2026-01-31 21:13:13 +09:00
2026-01-12 02:49:55 +00:00
```exec
2026-01-30 03:15:10 +01:00
openclaw agents list --bindings
2026-01-07 11:59:16 +01:00
` ``
2. **Verify sandbox containers:**
2026-01-31 21:13:13 +09:00
2026-01-12 02:49:55 +00:00
` ``exec
2026-01-30 03:15:10 +01:00
docker ps --filter "name=openclaw-sbx-"
2026-01-07 11:59:16 +01:00
` ``
3. **Test tool restrictions:**
- Send a message requiring restricted tools
- Verify the agent cannot use denied tools
4. **Monitor logs:**
2026-02-06 10:08:59 -05:00
2026-01-12 02:49:55 +00:00
` ``exec
2026-01-30 03:15:10 +01:00
tail -f "${OPENCLAW_STATE_DIR:-$HOME/.openclaw}/logs/gateway.log" | grep -E "routing|sandbox|tools"
2026-01-07 11:59:16 +01:00
` ``
---
## Troubleshooting
### Agent not sandboxed despite ` mode: "all"`
2026-01-31 21:13:13 +09:00
2026-01-09 12:44:23 +00:00
- Check if there's a global ` agents.defaults.sandbox.mode` that overrides it
- Agent-specific config takes precedence, so set ` agents.list[].sandbox.mode: "all"`
2026-01-07 11:59:16 +01:00
### Tools still available despite deny list
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
- Check tool filtering order: global → agent → sandbox → subagent
- Each level can only further restrict, not grant back
- Verify with logs: ` [tools] filtering tools for agent:${agentId}`
### Container not isolated per agent
2026-01-31 21:13:13 +09:00
2026-01-07 11:59:16 +01:00
- Set ` scope: "agent"` in agent-specific sandbox config
- Default is ` "session"` which creates one container per session
---
## See Also
- [Multi-Agent Routing ](/concepts/multi-agent )
2026-01-09 12:44:23 +00:00
- [Sandbox Configuration ](/gateway/configuration#agentsdefaults-sandbox )
2026-01-07 11:59:16 +01:00
- [Session Management ](/concepts/session )