
Secure sandbox vs full access modes

Choose between sandboxed and full-access modes for OpenClaw in the US: tradeoffs for security and capability.


Marcus Webb

Head of Engineering

February 23, 2026 · 13 min read


OpenClaw can run in a restricted sandbox (limited files, network, and commands) or with full access to the machine. US teams should choose based on risk and trust: sandbox for untrusted or shared use, full access for trusted single-user or locked-down instances. SingleAnalytics can track usage and errors in both modes so you can tune policies.

When OpenClaw runs scripts, accesses files, or calls APIs, it can do so in a sandbox (restricted) or with full access to the host. In the US, the choice affects security, compliance, and what the agent can do. This post compares secure sandbox and full access modes and when to use each.

Sandbox mode

What it is: The agent, or specific skills, runs with limited permissions:

  • Filesystem – Read/write only in allowlisted directories (e.g., ~/OpenClaw/data, ~/Documents/assistant). No access to system dirs, other users’ home, or sensitive config. US teams use this to prevent the agent from reading or overwriting critical files.
  • Network – Only allowlisted domains or IPs (e.g., API endpoints the skill needs). Blocks arbitrary outbound connections. In the US, this reduces exfiltration and abuse via unknown endpoints.
  • Commands – Only allowlisted commands or scripts. No arbitrary shell. US enterprises often allow a small set (e.g., scripts/approved-*.sh) and reject everything else.
  • Environment – Limited env vars (no secrets unless explicitly injected). Reduces leakage. US teams can inject only the vars the skill needs.
  • User/process – Run the agent or skill as a dedicated user with minimal privileges (e.g., no sudo, no access to other users’ processes). In the US, this limits blast radius if the agent is compromised.

When to use: Untrusted or community skills, shared instances (multiple US users), or when policy requires least privilege. Sandbox is the default recommendation for US teams that can’t fully trust every skill or user.
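The five controls above are only as strong as the matching logic behind them, and the usual mistakes are in that logic rather than in the allowlist itself: a prefix check that lets `~/Documents/assistant2` match `~/Documents/assistant`, a `..` segment that walks out of the allowed root, a URL whose userinfo part looks like the allowed host, or a glob whose `*` happily spans `/`. The following is an added example, not OpenClaw's own code or configuration format: a small policy checker for the filesystem, network, command and environment controls, with the policy layout, the `/home/agent` home directory and the hostnames all constructed for illustration.

```python
"""Sandbox policy checks for the filesystem, network, command and environment
controls described above. Added, stand-alone example: the policy format,
the sandboxed user's home directory and the sample hostnames are assumptions
made here, not OpenClaw's own configuration."""
import os
import shlex
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed example policy. "~/" entries are expanded against the sandboxed
# user's home; network entries are hostnames (a leading "." allows subdomains).
SANDBOX_POLICY = {
    "fs_allow": ["~/OpenClaw/data", "~/Documents/assistant"],
    "net_allow": ["api.example.com"],
    "cmd_allow": ["scripts/approved-*.sh"],
    "env_allow": ["HOME", "PATH", "LANG"],
}


def _absolute(path, home):
    """Expand "~/", make relative paths relative to the agent's home, then
    collapse ".." segments so traversal cannot escape an allowlisted root.
    On a real host also apply os.path.realpath, so a symlink placed inside an
    allowed directory cannot point outside it."""
    if path.startswith("~/"):
        path = os.path.join(home, path[2:])
    elif not os.path.isabs(path):
        path = os.path.join(home, path)
    return os.path.normpath(path)


def fs_allowed(path, policy=SANDBOX_POLICY, home="/home/agent"):
    """True only if the normalised path lies inside an allowlisted directory.
    commonpath compares whole components, so ~/Documents/assistant2 does not
    match the ~/Documents/assistant root (a plain string-prefix check would)."""
    target = _absolute(path, home)
    for root in policy["fs_allow"]:
        root = _absolute(root, home)
        if os.path.commonpath([root, target]) == root:
            return True
    return False


def net_allowed(url, policy=SANDBOX_POLICY):
    """Match the parsed hostname, never the raw URL string: in
    https://api.example.com@evil.example/ the host is evil.example, and
    api.example.com.attacker.example is not api.example.com."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return False
    for entry in policy["net_allow"]:
        entry = entry.lower()
        if host == entry or (entry.startswith(".") and host.endswith(entry)):
            return True
    return False


def cmd_allowed(command, policy=SANDBOX_POLICY):
    """Allow a command only if argv[0] matches an allowlisted pattern. The
    argv is meant to be executed without a shell (subprocess without
    shell=True), so anything after argv[0] is an argument to the approved
    script, not a second command. argv[0] is normalised first because
    fnmatch's "*" also matches "/", so scripts/approved-x/../../../bin/evil.sh
    would otherwise satisfy scripts/approved-*.sh."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    if not argv:
        return False
    argv0 = os.path.normpath(argv[0])
    return any(fnmatch(argv0, pattern) for pattern in policy["cmd_allow"])


def filter_env(environ, policy=SANDBOX_POLICY, inject=None):
    """Build the environment a sandboxed skill receives: only allowlisted
    variables, plus the secrets the operator explicitly injects for it."""
    env = {k: v for k, v in environ.items() if k in policy["env_allow"]}
    env.update(inject or {})
    return env
```

Each check deliberately normalises its input before comparing it with the policy; the allowlist entries stay short and readable, and the edge cases live in one place where they can be unit-tested.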

Full access mode

What it is: The agent runs with the same permissions as the process that started it (e.g., your user or a service account). It can:

  • Read and write any file the user can.
  • Run any command or script (unless the skill itself restricts this).
  • Connect to any network endpoint.
  • Use all env vars and installed tools. US power users and single-user setups often use this for maximum flexibility.

When to use: Trusted single-user machine, all skills are first-party or highly trusted, and you want no friction. In the US, full access is acceptable when the machine and OpenClaw instance are under your control and you don’t run untrusted code.

Comparison

| Aspect | Sandbox | Full access |
|--------|---------|-------------|
| Security | Higher; limited blast radius | Lower; agent can do anything the user can |
| Capability | Some tasks need allowlisting or workarounds | No artificial limits |
| Best for | Shared instances, untrusted skills, US enterprises | Single user, trusted skills, dev/personal |
| Compliance | Easier to justify least privilege in the US | May require compensating controls |

SingleAnalytics works in both modes; you can track which skills run and succeed so US teams can tighten or relax policies based on real usage.

Implementing sandbox

  • Per-skill – Configure sandbox per skill: e.g., "file skill can only access ~/Documents/assistant." Other skills might have different or no sandbox. US teams can sandbox third-party skills and leave first-party skills with broader access.
  • Per-instance – One OpenClaw instance runs entirely in a sandbox (dedicated user, restricted fs and network). Simpler; all skills share the same limits. Good for US shared or multi-tenant setups.
  • Containers – Run OpenClaw (or the skill runtime) in a container with limited mounts and network. Strong isolation; more ops overhead. US teams with containerized infra may prefer this.
  • OS-level – Use OS mechanisms (e.g., restricted user, namespaces, or mandatory access control) to limit the process. Depends on your host; in the US, document how the sandbox is enforced so auditors can verify.

Migrating from full to sandbox

  1. List what the agent currently does (files, commands, domains). US teams can use logs or SingleAnalytics to see which paths and endpoints are used.
  2. Define allowlists that cover those uses without over-granting.
  3. Enable sandbox with those allowlists in staging; run the same workflows and fix any "permission denied" or "blocked" errors.
  4. Roll out to production and monitor. Adjust allowlists as needed. In the US, document exceptions and who can change them.

Summary

Choose sandbox when you need to limit risk: shared instances, untrusted skills, or US compliance. Choose full access when you fully trust the instance and skills and want maximum capability. Implement sandbox per skill or per instance with allowlisted fs, network, and commands. Use SingleAnalytics to see how skills behave in either mode and tune policies over time.

Tags: OpenClaw, sandbox, security, US, access
