Sandbox Permission Denied / EACCES
OpenClaw troubleshooting · Updated 2026
Error Message
Error: EACCES: permission denied / sandbox: command blocked / SYSTEM_RUN_DENIED: allowlist miss
What Causes This
The sandbox is blocking a command because it's not on the tool allowlist, or file permissions prevent the sandboxed process from accessing a path. This is the sandbox doing its job — it's a security feature, not a bug.
How to Fix It
Check and adjust sandbox permissions:
# See what the sandbox allows
openclaw config get agents.defaults.sandbox
# Common fix: add the command to the allowlist
# In openclaw.json under sandbox.tools.allow:
# ["bash", "read", "write", "edit", "process"]
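# If the error is file permission (EACCES):
# (755 lets other local users list this directory; use 700 on a shared host)
chmod 755 ~/.openclaw
# Files get 644; subdirectories get 755 so they keep the search (x) bit and stay traversable
find ~/.openclaw/workspace -maxdepth 1 -type f -exec chmod 644 {} +
find ~/.openclaw/workspace -mindepth 1 -maxdepth 1 -type d -exec chmod 755 {} +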
# To temporarily disable sandbox for debugging:
# (NOT recommended for production)
# sandbox.mode: "off" in openclaw.json
If you see SYSTEM_RUN_DENIED: approval required, the command needs explicit approval. Use /approve allow-once in chat, or set exec.ask: "off" for trusted sessions only. If the error is SYSTEM_RUN_DENIED: allowlist miss, add the specific command to your exec allowlist.
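For the EACCES case above, it helps to see which entries actually lack permissions before changing any modes. The following is an added example, not OpenClaw code: audit_perms and repair_perms are hypothetical helper names, and the workspace path in the usage comment is the one from this page.

```shell
#!/bin/sh
# Added example, not part of OpenClaw. Function names are hypothetical.
# Usage: audit_perms ~/.openclaw/workspace && repair_perms ~/.openclaw/workspace

# List entries whose owner mode bits would produce EACCES:
#   directories missing owner read or search permission (mode bits 500),
#   regular files missing owner read permission (mode bit 400).
# Mode bits are inspected instead of testing access, so the result is the
# same when the audit is run as root.
audit_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" \( -type d ! -perm -500 -print \) -o \
                \( -type f ! -perm -400 -print \) 2>/dev/null || true
}

# Add only the missing owner bits instead of forcing one mode on everything.
# Group/other bits and existing execute bits on scripts are left untouched.
repair_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # '\;' runs chmod as each entry is visited, so a directory is repaired
    # before its contents are examined.
    find "$dir" \( -type d ! -perm -500 -exec chmod u+rx {} \; \) -o \
                \( -type f ! -perm -400 -exec chmod u+r {} \; \) \
        2>/dev/null || true
}
```

An empty audit means the EACCES is not coming from owner mode bits under that directory, which points back at the sandbox allowlist rather than the filesystem.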