No ineffective deny command entries
What this checks
Checks that gateway.nodes.denyCommands entries are all valid, recognized command names.
Why it matters
Ineffective deny entries give a false sense of security: commands you think are blocked may still be executable.
How to fix it
Step 1: Find your config file. Open your OpenClaw config (typically `~/.openclaw/config.yaml`, or the path shown by `openclaw config path`).
Step 2: Identify the bad entries. Run the security audit to see which names were flagged:
```shell
openclaw security audit --json | jq '.findings[] | select(.checkId=="gateway.nodes.deny_commands_ineffective") | .detail'
```
Step 3: Replace them with valid command IDs. `denyCommands` matches exact command IDs, not shell text. Valid examples:
```yaml
gateway:
  nodes:
    denyCommands:
      - canvas.eval
      - canvas.present
      - canvas.navigate
      - canvas.snapshot
```
To see all available command IDs on your installation, run:
```shell
openclaw commands list
```
Step 4: Remove or fix unrecognised names. Delete any entries the audit flagged as unknown. If you need to block a capability that has no dedicated command ID (e.g. arbitrary shell execution), tighten the `tools.exec` policy instead:
```yaml
tools:
  exec:
    enabled: false
```
Step 5: Verify. Re-run `openclaw security audit --json` and confirm that `gateway.nodes.deny_commands_ineffective` no longer appears in the findings.
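The check that steps 2 to 4 perform by hand, as an added example that is not part of clawvitals or OpenClaw: it reads the `denyCommands` list out of config text, compares each entry against a command registry, and separates exact-ID typos (with a nearest-match hint) from shell-text entries that can never match. The registry and the sample config are constructed stand-ins; in practice the registry would come from `openclaw commands list`.

```python
import difflib
import re

# Constructed stand-in for the output of `openclaw commands list` (assumption).
KNOWN_COMMANDS = {"canvas.eval", "canvas.present", "canvas.navigate", "canvas.snapshot"}

# Whitespace, globs or shell metacharacters mean shell text, which is never an exact ID.
SHELL_TEXT = re.compile(r"[\s*?|;&<>$`\"'/]")


def deny_entries(config_text):
    """Extract gateway.nodes.denyCommands items from config.yaml text.
    Tiny indentation-based reader for this one layout; no PyYAML required."""
    entries, key_indent = [], None
    for line in config_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if key_indent is None:          # still looking for the denyCommands key
            if stripped == "denyCommands:":
                key_indent = indent
            continue
        if not stripped:
            continue
        if indent <= key_indent or not stripped.startswith("- "):
            break                       # list ended
        entries.append(stripped[2:].strip().strip("'\""))
    return entries


def audit_deny_commands(config_text, known=KNOWN_COMMANDS):
    """Return {entry: verdict}: 'ok', 'shell-text: ...', or 'unknown (did you mean X?)'."""
    report = {}
    for entry in deny_entries(config_text):
        if entry in known:
            report[entry] = "ok"
        elif SHELL_TEXT.search(entry):
            report[entry] = "shell-text: denyCommands matches exact IDs; use tools.exec policy instead"
        else:
            hint = difflib.get_close_matches(entry, sorted(known), n=1, cutoff=0.6)
            report[entry] = "unknown" + (f" (did you mean {hint[0]}?)" if hint else "")
    return report


# Constructed sample config: one valid ID, one typo, one shell-text entry.
SAMPLE_CONFIG = "gateway:\n  nodes:\n    denyCommands:\n      - canvas.eval\n      - canvas.evaluate\n      - rm -rf *\n"

if __name__ == "__main__":
    for entry, verdict in audit_deny_commands(SAMPLE_CONFIG).items():
        print(f"{entry!r}: {verdict}")
```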
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-003 |
| Domain | OC |
| Severity | High |
| Status | Stable |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
False positive notes
No known false positives: OpenClaw validates command names against its own registry.
Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
```shell
clawvitals exclude NC-OC-003 reason "your reason here"
```
Exclusions are auditable and expire automatically. See the exclusions guide.