Title
Exec allowlist returns "unsupported platform" on Windows after upgrading to v2026.2.23
Body
Summary
After upgrading from v2026.2.22-2 to v2026.2.23, exec commands that were previously working with allowlist mode now fail with:
exec denied: allowlist execution plan unavailable (unsupported platform)
The allowlist entries are correct and unchanged — the same entries worked fine in v2026.2.22-2. The error originates from exec-approvals-analysis.ts which returns { ok: false, reason: "unsupported platform" }.
Environment
- OS: Windows 11 (Windows_NT 10.0.26200 x64)
- Node: v22.16.0
- OpenClaw: v2026.2.23 (b817600)
- Shell: powershell
- Previous version (working): v2026.2.22-2
Steps to reproduce
- Have a working exec-approvals allowlist on Windows with absolute path entries (e.g.
C:\Program Files\GitHub CLI\gh.exe, C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe)
- Upgrade to v2026.2.23:
npm install -g openclaw@2026.2.23
- Restart the gateway
- Agent tries to run any allowlisted command (e.g.
gh search issues ..., openclaw hooks list, powershell -File script.ps1)
- Result:
exec denied: allowlist execution plan unavailable (unsupported platform)
Expected behavior
Commands matching allowlist entries should be resolved and executed (or prompted for approval if ask: on-miss), just like in v2026.2.22-2.
Actual behavior
All commands that go through the allowlist resolution pipeline fail immediately with unsupported platform. No approval prompt is shown — the command is denied outright.
Commands that DO work:
- Commands in
safeBins (e.g. echo, Get-ChildItem, Select-String) — these bypass allowlist resolution
- Commands when
elevated: full is active — this skips approvals entirely
Commands that FAIL:
powershell -Command "..."powershell -File "..."gh search issues ...openclaw hooks listopenclaw hooks enable ...- Any command that requires allowlist path resolution
Relevant config
{
"tools": {
"exec": {
"security": "allowlist",
"ask": "on-miss"
}
}
}Allowlist entries (all with full absolute paths, verified via openclaw approvals get):
C:\Program Files\GitHub CLI\gh.exe
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Users\<user>\AppData\Roaming\npm\openclaw.cmd
C:\Program Files\nodejs\node.exe
C:\WINDOWS\system32\curl.exe
... (20 entries total, all absolute paths)
Logs
From gateway log (\tmp\openclaw\openclaw-2026-02-24.log):
11:20:36 info exec {"subsystem":"exec"} elevated command openclaw hooks enable command-logger
11:20:36 error [tools] exec failed: exec denied: allowlist execution plan unavailable (unsupported platform)
11:20:36 error [tools] exec failed: exec denied: allowlist execution plan unavailable (unsupported platform)
Analysis
The error string unsupported platform comes from src/infra/exec-approvals-analysis.ts. It appears that the execution plan builder (which resolves command text into binary path + arguments for allowlist matching) does not fully support Windows shell wrapping in v2026.2.23.
In v2026.2.22-2, the same allowlist entries and same commands worked correctly — the path resolver could match powershell ... to the allowlisted C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe.
Workaround
Setting elevated: full (via /exec security=full or Telegram elevated mode) bypasses the allowlist entirely and allows all commands to run. This is not ideal for security but unblocks usage on Windows.
Impact
High — on Windows, allowlist mode is effectively broken in v2026.2.23. All agent exec commands that aren't in safeBins are denied, making the agent unable to perform most tasks without elevated full access.
Title
Exec allowlist returns "unsupported platform" on Windows after upgrading to v2026.2.23
Body
Summary
After upgrading from v2026.2.22-2 to v2026.2.23, exec commands that were previously working with allowlist mode now fail with:
The allowlist entries are correct and unchanged — the same entries worked fine in v2026.2.22-2. The error originates from
exec-approvals-analysis.tswhich returns{ ok: false, reason: "unsupported platform" }.Environment
Steps to reproduce
C:\Program Files\GitHub CLI\gh.exe,C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe)npm install -g openclaw@2026.2.23gh search issues ...,openclaw hooks list,powershell -File script.ps1)exec denied: allowlist execution plan unavailable (unsupported platform)Expected behavior
Commands matching allowlist entries should be resolved and executed (or prompted for approval if
ask: on-miss), just like in v2026.2.22-2.Actual behavior
All commands that go through the allowlist resolution pipeline fail immediately with
unsupported platform. No approval prompt is shown — the command is denied outright.Commands that DO work:
safeBins(e.g.echo,Get-ChildItem,Select-String) — these bypass allowlist resolutionelevated: fullis active — this skips approvals entirelyCommands that FAIL:
powershell -Command "..."powershell -File "..."gh search issues ...openclaw hooks listopenclaw hooks enable ...Relevant config
{ "tools": { "exec": { "security": "allowlist", "ask": "on-miss" } } }Allowlist entries (all with full absolute paths, verified via
openclaw approvals get):Logs
From gateway log (
\tmp\openclaw\openclaw-2026-02-24.log):Analysis
The error string
unsupported platformcomes fromsrc/infra/exec-approvals-analysis.ts. It appears that the execution plan builder (which resolves command text into binary path + arguments for allowlist matching) does not fully support Windows shell wrapping in v2026.2.23.In v2026.2.22-2, the same allowlist entries and same commands worked correctly — the path resolver could match
powershell ...to the allowlistedC:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe.Workaround
Setting
elevated: full(via/exec security=fullor Telegram elevated mode) bypasses the allowlist entirely and allows all commands to run. This is not ideal for security but unblocks usage on Windows.Impact
High — on Windows, allowlist mode is effectively broken in v2026.2.23. All agent exec commands that aren't in
safeBinsare denied, making the agent unable to perform most tasks without elevated full access.