Summary
Title: /app/extensions directories are world-writable (777) in Docker image
Body:
The /app/extensions directory and its subdirectories ship with mode 777 (world-writable) in the Docker image. This causes OpenClaw to block all plugins with:
WARN: blocked plugin candidate: world-writable path (/app/extensions/memory-core, mode=777)
chmod 755 fixes it temporarily but doesn't persist across container restarts since it's baked into the image layer.
Affected directories: /app/extensions/*, /app/.agent, /app/.agents
Expected: Directories should be 755 and files 644 in the image.
Workaround: Running chmod -R 755 /app/extensions && find /app/extensions -type f -exec chmod 644 {} + on startup or via cron.
Environment: OpenClaw 2026.2.27, Azure Container Apps, Node 22.22.0
Steps to reproduce
Title: /app/extensions directories are world-writable (777) in Docker image
Body:
The /app/extensions directory and its subdirectories ship with mode 777 (world-writable) in the Docker image. This causes OpenClaw to block all plugins with:
WARN: blocked plugin candidate: world-writable path (/app/extensions/memory-core, mode=777)
chmod 755 fixes it temporarily but doesn't persist across container restarts since it's baked into the image layer.
Affected directories: /app/extensions/*, /app/.agent, /app/.agents
Expected: Directories should be 755 and files 644 in the image.
Workaround: Running chmod -R 755 /app/extensions && find /app/extensions -type f -exec chmod 644 {} + on startup or via cron.
Environment: OpenClaw 2026.2.27, Azure Container Apps, Node 22.22.0
Expected behavior
Title: /app/extensions directories are world-writable (777) in Docker image
Body:
The /app/extensions directory and its subdirectories ship with mode 777 (world-writable) in the Docker image. This causes OpenClaw to block all plugins with:
WARN: blocked plugin candidate: world-writable path (/app/extensions/memory-core, mode=777)
chmod 755 fixes it temporarily but doesn't persist across container restarts since it's baked into the image layer.
Affected directories: /app/extensions/*, /app/.agent, /app/.agents
Expected: Directories should be 755 and files 644 in the image.
Workaround: Running chmod -R 755 /app/extensions && find /app/extensions -type f -exec chmod 644 {} + on startup or via cron.
Environment: OpenClaw 2026.2.27, Azure Container Apps, Node 22.22.0
Actual behavior
all plugins blocked
OpenClaw version
OpenClaw 2026.2.27
Operating system
Debian
Install method
ACA
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response
Summary
Title: /app/extensions directories are world-writable (777) in Docker image
Body:
The /app/extensions directory and its subdirectories ship with mode 777 (world-writable) in the Docker image. This causes OpenClaw to block all plugins with:
WARN: blocked plugin candidate: world-writable path (/app/extensions/memory-core, mode=777)
chmod 755 fixes it temporarily but doesn't persist across container restarts since it's baked into the image layer.
Affected directories: /app/extensions/*, /app/.agent, /app/.agents
Expected: Directories should be 755 and files 644 in the image.
Workaround: Running chmod -R 755 /app/extensions && find /app/extensions -type f -exec chmod 644 {} + on startup or via cron.
Environment: OpenClaw 2026.2.27, Azure Container Apps, Node 22.22.0
Steps to reproduce
Title: /app/extensions directories are world-writable (777) in Docker image
Body:
The /app/extensions directory and its subdirectories ship with mode 777 (world-writable) in the Docker image. This causes OpenClaw to block all plugins with:
WARN: blocked plugin candidate: world-writable path (/app/extensions/memory-core, mode=777)
chmod 755 fixes it temporarily but doesn't persist across container restarts since it's baked into the image layer.
Affected directories: /app/extensions/*, /app/.agent, /app/.agents
Expected: Directories should be 755 and files 644 in the image.
Workaround: Running chmod -R 755 /app/extensions && find /app/extensions -type f -exec chmod 644 {} + on startup or via cron.
Environment: OpenClaw 2026.2.27, Azure Container Apps, Node 22.22.0
Expected behavior
Title: /app/extensions directories are world-writable (777) in Docker image
Body:
The /app/extensions directory and its subdirectories ship with mode 777 (world-writable) in the Docker image. This causes OpenClaw to block all plugins with:
WARN: blocked plugin candidate: world-writable path (/app/extensions/memory-core, mode=777)
chmod 755 fixes it temporarily but doesn't persist across container restarts since it's baked into the image layer.
Affected directories: /app/extensions/*, /app/.agent, /app/.agents
Expected: Directories should be 755 and files 644 in the image.
Workaround: Running chmod -R 755 /app/extensions && find /app/extensions -type f -exec chmod 644 {} + on startup or via cron.
Environment: OpenClaw 2026.2.27, Azure Container Apps, Node 22.22.0
Actual behavior
all plugins blocked
OpenClaw version
OpenClaw 2026.2.27
Operating system
Debian
Install method
ACA
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response