Summary
The write tool has additional path restrictions (sandbox workspace only) that the exec tool does not have. This creates an inconsistency where file writes are blocked via the write tool but allowed via exec with heredoc/cat.
Reproduction
With sandbox mode: "all" and binds configured:
"binds": [
"/Users/me/Projects:/Users/me/Projects:rw"
]
write tool:
Error: Path escapes sandbox root (~/.openclaw/sandboxes/agent-xxx): /Users/me/Projects/file.md
exec tool:
cat > /Users/me/Projects/file.md << EOF
content
EOF
# Works fine ✅
Expected Behavior
Both tools should have the same access boundaries. Either:
write tool should allow writes to any path within Docker binds (like exec)- Or
exec should have the same path restrictions as write
Analysis
The Docker binds define what paths are mountable and accessible. The extra write tool restriction provides a false sense of security since exec can bypass it trivially.
Recommendation: Remove the extra write tool path restriction and let Docker binds be the single source of truth for filesystem access boundaries.
Environment
- OpenClaw version: 2026.2.2
- Sandbox mode: all
- OS: macOS (Docker Desktop)
Summary
The
writetool has additional path restrictions (sandbox workspace only) that theexectool does not have. This creates an inconsistency where file writes are blocked via thewritetool but allowed viaexecwith heredoc/cat.Reproduction
With sandbox
mode: "all"and binds configured:write tool:
exec tool:
Expected Behavior
Both tools should have the same access boundaries. Either:
writetool should allow writes to any path within Docker binds (likeexec)execshould have the same path restrictions aswriteAnalysis
The Docker binds define what paths are mountable and accessible. The extra
writetool restriction provides a false sense of security sinceexeccan bypass it trivially.Recommendation: Remove the extra
writetool path restriction and let Docker binds be the single source of truth for filesystem access boundaries.Environment