Node host: document Windows shell wrapper approvals

BradGroux · BradGroux · commit 3baf42a36bcd · 2026-05-08T12:28:15.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -187,6 +187,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- Node host/exec: require approval for Windows PowerShell and pwsh shell-wrapper runs in allowlist mode, matching the existing cmd.exe wrapper behavior. (#67655) Thanks @plgonzalezrx8.
 - Cron/agents: recognize same-target `edit`↔`write` recovery in `isSameToolMutationAction`, so a successful `write` to a path clears an earlier failed `edit` on the same path. Stops cron from reporting fatal failures when an agent self-heals across `edit` and `write`, while preserving same-tool fingerprint matching, blocking different-target writes, and excluding tools (including `apply_patch`) whose real call args do not produce a stable `path` fingerprint segment. Fixes #79024. Thanks @RenzoMXD.
 - Gateway/Tailscale: add opt-in `gateway.tailscale.preserveFunnel` so when `tailscale.mode = "serve"` and an externally configured Tailscale Funnel route already covers the gateway port, OpenClaw skips re-applying `tailscale serve` on startup and skips the `resetOnExit` teardown for that run, keeping operator-managed Funnel exposure alive across gateway restarts. Fixes #57241. Thanks @RenzoMXD.
 - Agents/compaction: keep the recent tail after manual `/compact` when Pi returns an empty or no-op compaction summary, preventing blank checkpoints from replacing the live context.
diff --git a/docs/nodes/index.md b/docs/nodes/index.md
@@ -374,7 +374,7 @@ Notes:
 - `system.run` supports `--cwd`, `--env KEY=VAL`, `--command-timeout`, and `--needs-screen-recording`.
 - For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped `--env` values are reduced to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
 - For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
-- On Windows node hosts in allowlist mode, shell-wrapper runs via `cmd.exe /c` require approval (allowlist entry alone does not auto-allow the wrapper form).
+- On Windows node hosts in allowlist mode, shell-wrapper runs via `cmd.exe /c` or `powershell`/`pwsh -Command` require approval (allowlist entry alone does not auto-allow the wrapper form).
 - `system.notify` supports `--priority <passive|active|timeSensitive>` and `--delivery <system|overlay|auto>`.
 - Node hosts ignore `PATH` overrides and strip dangerous startup/shell keys (`DYLD_*`, `LD_*`, `NODE_OPTIONS`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`). If you need extra PATH entries, configure the node host service environment (or install tools in standard locations) instead of passing `PATH` via `--env`.
 - On macOS node mode, `system.run` is gated by exec approvals in the macOS app (Settings → Exec approvals).
diff --git a/docs/nodes/troubleshooting.md b/docs/nodes/troubleshooting.md
@@ -93,8 +93,8 @@ run as an approval mismatch instead of trusting the edited payload.
 - `LOCATION_BACKGROUND_UNAVAILABLE` → app is backgrounded but only While Using permission exists.
 - `SYSTEM_RUN_DENIED: approval required` → exec request needs explicit approval.
 - `SYSTEM_RUN_DENIED: allowlist miss` → command blocked by allowlist mode.
-  On Windows node hosts, shell-wrapper forms like `cmd.exe /c ...` are treated as allowlist misses in
-  allowlist mode unless approved via ask flow.
+  On Windows node hosts, shell-wrapper forms like `cmd.exe /c ...` or `powershell`/`pwsh -Command ...`
+  are treated as allowlist misses in allowlist mode unless approved via ask flow.
 
 ## Fast recovery loop
 
diff --git a/src/node-host/exec-policy.test.ts b/src/node-host/exec-policy.test.ts
@@ -64,13 +64,13 @@ describe("formatSystemRunAllowlistMissMessage", () => {
     ).toContain("shell wrappers like sh/bash/zsh -c require approval");
   });
 
-  it("adds Windows shell-wrapper guidance when blocked by cmd.exe policy", () => {
+  it("adds Windows shell-wrapper guidance when blocked by Windows wrapper policy", () => {
     expect(
       formatSystemRunAllowlistMissMessage({
         shellWrapperBlocked: true,
         windowsShellWrapperBlocked: true,
       }),
-    ).toContain("Windows shell wrappers like cmd.exe /c require approval");
+    ).toContain("Windows shell wrappers like cmd.exe /c or powershell/pwsh -Command");
   });
 });
 
@@ -155,7 +155,7 @@ describe("evaluateSystemRunPolicy", () => {
     );
     expect(denied.shellWrapperBlocked).toBe(true);
     expect(denied.windowsShellWrapperBlocked).toBe(true);
-    expect(denied.errorMessage).toContain("powershell -Command");
+    expect(denied.errorMessage).toContain("powershell/pwsh -Command");
   });
 
   it("does not block Windows cmd.exe invocations without inline shell-wrapper transport", () => {
diff --git a/src/node-host/exec-policy.ts b/src/node-host/exec-policy.ts
@@ -35,7 +35,7 @@ export function formatSystemRunAllowlistMissMessage(params?: {
   if (params?.windowsShellWrapperBlocked) {
     return (
       "SYSTEM_RUN_DENIED: allowlist miss " +
-      "(Windows shell wrappers like cmd.exe /c or powershell -Command require approval; " +
+      "(Windows shell wrappers like cmd.exe /c or powershell/pwsh -Command require approval; " +
       "approve once/always or run with --ask on-miss|always)"
     );
   }

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ export function formatSystemRunAllowlistMissMessage(params?: {`
`35`	`35`	`if (params?.windowsShellWrapperBlocked) {`
`36`	`36`	`return (`
`37`	`37`	`"SYSTEM_RUN_DENIED: allowlist miss " +`
`38`		`- "(Windows shell wrappers like cmd.exe /c or powershell -Command require approval; " +`
	`38`	`+ "(Windows shell wrappers like cmd.exe /c or powershell/pwsh -Command require approval; " +`
`39`	`39`	`"approve once/always or run with --ask on-miss\|always)"`
`40`	`40`	`);`
`41`	`41`	`}`