skills in
~/.openclaw/openclaw.json. Agent-specific visibility lives under
agents.defaults.skills and agents.list[].skills.
For built-in image generation, use
agents.defaults.imageGenerationModel
plus the core image_generate tool instead of skills.entries. Skill
entries are for custom or third-party skill workflows only.Loading (skills.load)
Additional skill directories to scan, at the lowest precedence (below
bundled and plugin skills). Paths are expanded with
~ support.Trusted real target directories that symlinked skill folders may resolve
into, even when the symlink lives outside the configured root. Use this for
intentional sibling-repo layouts such as
<workspace>/skills/manager -> ~/Projects/manager/skills. Keep this list
narrow — do not point at broad roots like ~ or ~/Projects.Watch skill folders and refresh the skills snapshot when
SKILL.md files
change. Covers nested files under grouped skill roots.Debounce window for skill watcher events in milliseconds.
Install (skills.install)
Prefer Homebrew installers when
brew is available.Node package manager preference for skill installs. This only affects skill
installs — the Gateway runtime should still use Node (Bun is not
recommended for WhatsApp/Telegram).
openclaw setup --node-manager and
openclaw onboard --node-manager accept npm, pnpm, or bun; set
"yarn" directly in config for Yarn-backed skill installs.Allow trusted
operator.admin Gateway clients to install private zip
archives staged through skills.upload.*. Normal ClawHub installs do not
need this setting.Operator Install Policy (security.installPolicy)
Use security.installPolicy when operators need a trusted local command to
approve or block skill and plugin installs with host-specific policy. The
policy runs after OpenClaw has staged source material and before the install
or update continues. It applies to ClawHub skills, uploaded skills, Git/local
skills, skill dependency installers, and plugin install/update sources.
Enables operator-owned install policy. When enabled without a valid
exec
command, installs fail closed.Optional target filter. When omitted, policy applies to every supported
target so new installs do not unexpectedly fail open.
Absolute path to the trusted policy executable. OpenClaw runs it without a
shell and validates the path before use.
Static arguments passed after
command.Maximum wall-clock runtime for one policy decision.
Maximum time without stdout or stderr output before the policy fails
closed.
Maximum combined stdout and stderr bytes accepted from the policy process.
Literal environment variables provided to the policy process.
Environment variable names copied from the OpenClaw process into the
policy process. Only named variables are passed.
Optional allowlist of directories that may contain the policy executable.
Bypasses command path ownership and permission checks. Use only when the
path is protected by another mechanism.
Allows the configured command path to be a symlink. The resolved target
must still satisfy the other path checks. Interpreter script arguments must
be direct regular files, not symlinks.
protocolVersion: 1,
openclawVersion, targetType, targetName, sourcePath, sourcePathKind,
optional structured source, structured origin, and request. It must
write one JSON object on stdout: { "protocolVersion": 1, "decision": "allow" }
or { "protocolVersion": 1, "decision": "block", "reason": "..." }. Non-zero
exit, timeout, malformed JSON, missing fields, or unsupported protocol
versions fail closed.
OpenClaw does not execute install policy during normal Gateway startup.
Installs and updates fail closed when policy is enabled but unavailable.
openclaw doctor performs static validation; openclaw doctor --deep
executes a synthetic install probe against the configured command.
Bulk updates apply policy per target: a blocked skill or plugin update fails
that target without disabling the policy or skipping later targets in the
batch.
Example stdin:
Bundled skill allowlist
Optional allowlist for bundled skills only. When set, only bundled
skills in the list are eligible. Managed, agent-level, and workspace
skills are unaffected.
Per-skill entries (skills.entries)
Keys under entries match the skill name by default. If a skill defines
metadata.openclaw.skillKey, use that key instead. Quote hyphenated names
(JSON5 allows quoted keys).
false disables the skill even when bundled or installed. The
coding-agent bundled skill is opt-in — set it to true and ensure one of
claude, codex, opencode, or another supported CLI is installed and
authenticated.Convenience field for skills that declare
metadata.openclaw.primaryEnv.
Supports a plaintext string or a SecretRef: { source: "env", provider: "default", id: "VAR_NAME" }.Environment variables injected for the agent run. Only injected when the
variable is not already set in the process.
Optional bag for custom per-skill configuration fields.
Agent allowlists (agents)
Use agent config when you want the same machine/workspace skill roots but a
different visible skill set per agent.
Shared baseline allowlist inherited by agents that omit
agents.list[].skills. Omit entirely to leave skills unrestricted by
default.Explicit final skill set for that agent. Explicit lists replace
inherited defaults — they do not merge. Set to
[] to expose no skills for
that agent.Workshop (skills.workshop)
When
true, agents can create pending proposals from durable conversation
signals after successful turns. User-prompted skill creation always goes
through Skill Workshop regardless of this setting.pending requires operator approval before agent-initiated apply, reject,
or quarantine. auto allows those actions without approval.Allow Skill Workshop apply to write through workspace skill symlinks whose
real target is already trusted by
skills.load.allowSymlinkTargets. Keep
this disabled unless generated proposal applies should mutate that shared
skill root.Maximum pending and quarantined proposals retained per workspace (allowed
range: 1-200).
Maximum proposal body size in bytes (allowed range: 1024-200000). Proposal
descriptions are hard-capped at 160 bytes separately, because they appear
in discovery and listing output.
Symlinked skill roots
By default, workspace, project-agent, extra-dir, and bundled skill roots are containment boundaries. A symlinked skill folder under<workspace>/skills
that resolves outside the root is skipped with a log message.
To allow an intentional symlink layout, declare the trusted target:
<workspace>/skills/manager -> ~/Projects/manager/skills
is accepted after realpath resolution. extraDirs scans the sibling repo
directly; allowSymlinkTargets preserves the symlinked path for existing
layouts.
Skill Workshop apply does not write through those symlinks by default. To
let Workshop apply mutate skills under already-trusted symlink targets, opt
in separately:
~/.openclaw/skills and personal ~/.agents/skills directories
already accept skill-directory symlinks unconditionally (per-skill
SKILL.md containment still applies) — allowSymlinkTargets is only needed
for workspace, extra-dir, and project-agent (<workspace>/.agents/skills)
roots.
Sandboxed skills and env vars
Pass secrets into a Docker sandbox with:Users with Docker daemon access can inspect
sandbox.docker.env values
through Docker metadata. Use a mounted secret file, a custom image, or
another delivery path when that exposure is not acceptable.Loading order reminder
Related
Skills reference
What skills are, loading order, gating, and SKILL.md format.
Creating skills
Authoring custom workspace skills.
Skill Workshop
Proposal queue for agent-drafted skills.
Slash commands
Native slash-command catalog and chat directives.