[Feature]: Allow cron/scheduling tools inside sandbox containers

[cybertschunk]

Summary

When running with sandbox.mode: "all", the agent cannot access scheduling tools (cron) from within the sandbox container. This means the agent cannot autonomously create, modify, or delete cron jobs — a core capability for a personal assistant workflow.

Current Behavior

• cron is in the sandbox tool policy deny list by default
• The openclaw CLI is not available inside the container
• The agent must ask the user to manually run openclaw cron add ... on the host

Expected Behavior

The agent should be able to manage cron jobs from within a sandboxed session, either by:

1. Adding cron to the sandbox tool allow list (Gateway-side RPC, no host CLI needed), or
2. Exposing a scheduling API endpoint accessible from the sandbox container

Motivation

Sandboxing is meant to isolate filesystem and process execution, not to prevent the agent from managing its own scheduled tasks. Cron jobs are a Gateway-level abstraction (not host processes), so there is no security reason to block them from sandboxed sessions.

A personal assistant that cannot set its own reminders or periodic checks without user intervention loses a key workflow.

Environment

• OpenClaw: 2026.2.26
• Sandbox mode: all, scope: agent
• OS: Ubuntu 24.04 (Linux 6.8.0)

[lukemt]

I have the exact same problem. There seems to be no way to allow a sandboxed agent to use the cron tool currently. It was possible with the version i had installed before.

[Thinkscape]

This is a massive letdown after I enabled sandboxing...

[Thinkscape]

Here's a workaround I used:

Fix: OpenClaw agents missing cron tool

Context

The OpenClaw agent doesn't have access to the cron tool despite it being in the tools.sandbox.tools.allow list. The agent reports: "it's not in the function definitions the Gateway sends to the model."

Root cause:

The cron tool (along with gateway and nodes) is marked ownerOnly: true in the gateway runtime. When senderIsOwner is false, these tools are completely filtered out from the function definitions sent to the model — they don't just error, they're invisible.

 The ownership resolution chain for Discord messages fails because:
 1. commands.ownerAllowFrom is not set in the config
 2. channels.discord.allowFrom is not set (DM policy uses pairing, no explicit allowlist)
 3. With no channel-level allowFrom, the resolver treats it as "allow all" (allowAll=true)
 4. When allowAll=true, ownerCandidatesForCommands becomes [] (empty array)
 5. Empty ownerList → no sender can match → senderIsOwner = false for ALL messages
 6. applyOwnerOnlyToolPolicy() filters out cron, gateway, and nodes entirely

The config field commands.allowFrom controls command authorization, not ownership. The dedicated field for owner-only tool access is commands.ownerAllowFrom.

Workaround

Add commands.ownerAllowFrom with the Discord user ID to the live config and the ansible seed.

File: openclaw.json (live config)

 In the commands section, add ownerAllowFrom:

     "commands": {
         "native": "auto",
         "nativeSkills": "auto",
         "restart": true,
         "ownerDisplay": "raw",
         "ownerAllowFrom": {
             "discord": ["00000000000"] // replace with your discord user id 
         },
         "allowFrom": {
             "discord": ["00000000000"]  // replace with your discord user id 
         }
     }

[shunfan]

For sandboxed agents, getting host exec working requires these:

1. Elevated mode: tools.elevated.enabled + sender in allowFrom.
2. Exec approvals: ~/.openclaw/exec-approvals.json security policy (allowlist/full)
3. Gateway restart: some config changes aren't hot-reloaded

Reference:

• https://docs.openclaw.ai/tools/elevated
• https://docs.openclaw.ai/tools/exec-approvals

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.