[Bug]: exec allowlist wildcard * pattern stored correctly but never matches at runtime (2026.2.22) #25082

@Matt2Build

Summary

The * wildcard is stored correctly in exec-approvals.json but has no effect at runtime. Commands are denied with "exec denied: allowlist miss" even with * present. Also tested /bin/, /usr/bin/, /opt/homebrew/bin/* glob patterns directly in the JSON — none matched. Setting tools.exec.ask to off removes approval prompts but the allowlist still acts as a hard deny list. Tested on macOS Apple Silicon, OpenClaw 2026.2.22, local gateway mode.

Steps to reproduce

  1. Run openclaw approvals allowlist add --agent "main" --gateway "*"
  2. Confirm * appears in exec-approvals.json
  3. Attempt any exec command from the agent

Expected behavior

Wildcard * matches all binaries and commands execute without being blocked

Actual behavior

Commands are denied with "exec denied: allowlist miss" even with * present in the allowlist. Every binary must be added individually.

OpenClaw version

2026.2.22

Operating system

macOS 15.4, Apple Silicon (Mac Mini M4)

Install method

npm global

Logs, screenshots, and evidence

$ openclaw approvals allowlist add --agent "main" --gateway "*"
# * appears in exec-approvals.json under agents.main.allowlist
# Agent still receives "exec denied: allowlist miss" for all commands

Impact and severity

No response

Additional information

No response
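
The matching behaviour this report expects, shown next to a matcher that yields the reported denial, as an added example that is not part of the original issue and is not OpenClaw's code. The config shape (a list of pattern strings under agents.main.allowlist) and all function names are assumptions, and the report does not establish that segment-scoped globbing is the cause in OpenClaw.

```javascript
// Added illustration; not OpenClaw source. Constructed config: the report only
// states that "*" appears under agents.main.allowlist in exec-approvals.json.
const approvals = { agents: { main: { allowlist: ["*"] } } };

// Translate a glob to an anchored RegExp in which "*" stops at "/"
// (shell-style, one path segment). Literal text is regex-escaped.
function globToRegExp(glob) {
  const body = glob
    .split("*")
    .map((lit) => lit.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join("[^/]*");
  return new RegExp("^" + body + "$");
}

// Hypothetical matcher A: pure segment-scoped globbing. A bare "*" cannot match
// a resolved absolute path such as /bin/ls because the path contains "/".
function matchSegmentScoped(pattern, resolvedPath) {
  return globToRegExp(pattern).test(resolvedPath);
}

// Hypothetical matcher B: the semantics the report expects. A bare "*" is
// match-all; directory globs like /opt/homebrew/bin/* match direct children only.
function matchExpected(pattern, resolvedPath) {
  if (pattern === "*") return true;
  return globToRegExp(pattern).test(resolvedPath);
}

// Evaluate one exec request for an agent and return the decision string.
function decide(config, agent, resolvedPath, matcher) {
  const list = config.agents?.[agent]?.allowlist ?? [];
  return list.some((p) => matcher(p, resolvedPath))
    ? "allow"
    : "exec denied: allowlist miss";
}

// Regression-style check: every sample path must be allowed by the given matcher.
function allAllowed(config, agent, paths, matcher) {
  return paths.every((p) => decide(config, agent, p, matcher) === "allow");
}
```

A check like allAllowed, run against the real matcher with resolved binary paths, would catch a stored wildcard that never matches at runtime.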

Metadata

Labels: bug (Something isn't working)