Description
We need a better sandbox feature for communication channels that is not subject to prompt injection or jailbreaking.
Use case: Building a customer-facing bot that handles real-time conversations with end users via OpenClaw's messaging channels. The bot needs to be strictly scoped to one knowledge domain and must NOT have access to the main agent's workspace files, memory, tools, or broader context.
Currently the only isolation option is system-prompt-level persona restriction, which works for honest users but isn't robust against prompt injection or creative probing.
What I'd like:
- Restricted agent profiles with explicit tool allowlists (e.g., only `message` and `web_search`, no `read`/`exec`/`memory`)
- Workspace isolation: agent can only see files in a specified subdirectory
- Memory isolation: agent has its own memory scope, can't access the parent agent's memory
- Session-level enforcement, not just prompt-level
This would make OpenClaw viable for multi-tenant and customer-facing deployments where the main agent handles internal ops and spawned personas handle external interactions.
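As an added illustration of the session-level enforcement requested above (example code, not part of this issue or of OpenClaw itself): a profile carries an explicit tool allowlist, a workspace subtree and a memory scope, and a session object checks every tool call against that profile before dispatching it, so nothing in the system prompt or the user's messages can widen access. The `AgentProfile` and `RestrictedSession` names, the `refused` helper, the temporary directory layout and the tool bodies are all assumptions; the support profile keeps a `memory` tool here only so that memory-scope isolation can be shown alongside the allowlist and path confinement checks.

```python
import os
import tempfile
from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when a tool call falls outside the profile's allowlist or scope."""


@dataclass(frozen=True)
class AgentProfile:
    name: str
    allowed_tools: frozenset   # explicit allowlist; anything not listed is refused
    workspace_root: str        # only files under this subtree are visible
    memory_scope: str          # the one memory bucket this profile may touch


class RestrictedSession:
    """Enforces the profile on every call, regardless of what the prompt says."""

    def __init__(self, profile, memory_store):
        self.profile = profile
        self._memory = memory_store            # shared store, keyed by scope
        self._root = os.path.realpath(profile.workspace_root)

    def _confine(self, relative_path):
        # realpath resolves '..' and symlinks before the prefix check, so
        # 'support/../../outside.txt' cannot slip past a naive string test.
        target = os.path.realpath(os.path.join(self._root, relative_path))
        if target != self._root and not target.startswith(self._root + os.sep):
            raise PolicyViolation(f"{relative_path!r} escapes workspace {self._root!r}")
        return target

    def call_tool(self, tool, **kwargs):
        # Allowlist check first: tools absent from the profile are never dispatched.
        if tool not in self.profile.allowed_tools:
            raise PolicyViolation(f"tool {tool!r} not allowed for profile {self.profile.name!r}")
        return getattr(self, f"_tool_{tool}")(**kwargs)

    def _tool_message(self, text):
        return {"profile": self.profile.name, "sent": text}

    def _tool_read(self, path):
        with open(self._confine(path), encoding="utf-8") as fh:
            return fh.read()

    def _tool_memory(self, key, value=None):
        # Each profile only ever sees the bucket named by its own memory_scope.
        bucket = self._memory.setdefault(self.profile.memory_scope, {})
        if value is not None:
            bucket[key] = value
        return bucket.get(key)


def build_demo_tree():
    """Constructed layout: workspace/support/faq.txt inside, outside.txt beside the workspace."""
    base = tempfile.mkdtemp(prefix="openclaw_demo_")
    os.makedirs(os.path.join(base, "workspace", "support"))
    with open(os.path.join(base, "workspace", "support", "faq.txt"), "w", encoding="utf-8") as fh:
        fh.write("Returns accepted within 30 days.\n")
    with open(os.path.join(base, "outside.txt"), "w", encoding="utf-8") as fh:
        fh.write("not for any agent\n")
    return os.path.join(base, "workspace")


def run_checks():
    """Exercise a main profile and a scoped support profile; report what was allowed or refused."""
    root = build_demo_tree()
    store = {}
    main = RestrictedSession(AgentProfile(
        "main", frozenset({"message", "read", "memory"}), root, "main"), store)
    support = RestrictedSession(AgentProfile(
        "support_bot", frozenset({"message", "memory"}),
        os.path.join(root, "support"), "support"), store)

    def refused(session, tool, **kw):
        try:
            session.call_tool(tool, **kw)
        except PolicyViolation:
            return True
        return False

    main.call_tool("memory", key="open_tickets", value=3)
    return {
        "support_message": support.call_tool("message", text="hi")["sent"],
        "support_read_refused": refused(support, "read", path="faq.txt"),
        "support_exec_refused": refused(support, "exec", cmd="id"),
        "main_read": main.call_tool("read", path="support/faq.txt").strip(),
        "main_traversal_refused": refused(main, "read", path="../outside.txt"),
        "support_sees_main_memory": support.call_tool("memory", key="open_tickets"),
    }


if __name__ == "__main__":
    print(run_checks())
```

The design point is that the allowlist and the path check live in the session, not in any text the model reads: a refused tool is simply never dispatched, and a `read` outside the subtree fails after symlinks and `..` have been resolved, so a persuasive prompt changes nothing about what the support profile can reach.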