OpenClaw Browser and Exec Remediation Plan
This plan addresses two noisy failure classes without touching exec security settings yet:
- repeated browser prompts caused by avoidable use of the signed-in `user` browser profile
- Gateway-denied exec events caused primarily by inline interpreter heredocs, especially `python3 <<'PY'`
The approach is discipline first, guardrail changes later if needed.
What the data says
From the April 23 diagnosis work:
- strongest avoidable `profile="user"` route: daily-twitter-briefing
- clearly legitimate `profile="user"` routes: LinkedIn flows
- strongest denial-shaped exec pattern: inline Python heredocs
- no strong evidence yet of a broad false-positive wave on ordinary shell commands
Ordered remediation list by leverage
1. Move daily-twitter-briefing off profile="user" today
Why first: highest likely browser-prompt reduction with the smallest workflow change.
Change:
- update the skill to stop routing X/Twitter browsing through the signed-in `user` profile
- route it through the managed OpenClaw browser instead
- keep the workflow compatible with the browser-login guidance for sites that can be used through the managed profile
Expected effect:
- major reduction in avoidable remote-debugging prompts
- cleaner separation between genuine live-session workflows and public browsing flows
Definition of done:
- no explicit `profile="user"` in `daily-twitter-briefing`
- skill notes explain why the managed browser is the default
- next scheduled briefing runs without using the signed-in user browser path
2. Tighten session reuse in LinkedIn workflows
Why second: LinkedIn is the clearest legitimate live-session area, so the win comes from fewer attaches, not from rerouting away from `user`.
Workflows:
- linkedin-invites
- personal-one-pager
- VIP handoff from linkedin-invites to personal-one-pager
Change:
- reuse the same attached browser context or tab where possible
- avoid repeated fresh attaches during the same workflow chain
- keep `user` only for the LinkedIn-required steps
- do not use `user` for surrounding public-web research if that step can happen elsewhere
Expected effect:
- fewer prompt bursts during high-touch LinkedIn runs
- lower attach churn during VIP handoffs
Definition of done:
- documented session-reuse approach in both skills
- VIP handoff stops causing redundant user-profile attaches
- non-LinkedIn steps are not lazily kept on the `user` profile
3. Start the saved-helpers library for recurring heredoc patterns
Why third: this is the main non-browser root cause of the Gateway-denied noise.
Observed leak:
- inline `python3 <<'PY'` was repeatedly used for routine parsing and transformations
- the pattern appears to come from agent exec habit plus missing checked-in helper scripts
Build these helpers first, in this order:
3.1 scripts/json_array_subset.py
Purpose:
- select rows from a large JSON array by key/value, name list, or simple predicate
Why first:
- this replaces repeated heredocs used to pull subsets from files like `all_enriched.json`
Common uses:
- extract US-only companies
- export a named pilot set
- filter by `country`, `region`, or `name`
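An added example of what this helper can look like, written for this plan rather than taken from OpenClaw or from an existing `scripts/json_array_subset.py`. It selects rows by a key/value predicate, a name list, or both, and it deliberately parses predicates with a tiny grammar instead of `eval()`, because filter text that originates from an agent must never be able to execute arbitrary Python. The record layout of `SAMPLE_ROWS` (`name`, `country`, `region`, `employees`) is an assumption standing in for `all_enriched.json`.

```python
"""Select rows from a JSON array by key/value, name list, or simple predicate.

Added example, not OpenClaw's own scripts/json_array_subset.py: a saved helper
that replaces the inline `python3 <<'PY'` subset pulls. The record layout of
SAMPLE_ROWS (name/country/region/employees) is an assumption.
"""
import argparse
import json
import operator
import re
import sys
from typing import Callable, Iterable

# Constructed sample data standing in for all_enriched.json (layout assumed).
SAMPLE_ROWS = [
    {"name": "Acme Robotics", "country": "US", "region": "west", "employees": 120},
    {"name": "Borealis Labs", "country": "CA", "region": "east", "employees": 40},
    {"name": "Cobalt Systems", "country": "US", "region": "east", "employees": 900},
    {"name": "Delta Marine", "country": "GB", "region": None, "employees": 15},
]

_OPS = {
    "=": operator.eq, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
}
# Longer operators first so ">=" is not read as ">" followed by "=100".
_PRED_RE = re.compile(r"^(\w+)\s*(>=|<=|!=|=|>|<)\s*(.+)$")


def parse_predicate(expr: str) -> Callable[[dict], bool]:
    """Compile 'country=US' or 'employees>=100' into a row predicate.

    A tiny grammar on purpose: the filter text often comes from an agent, so it
    must not be able to run arbitrary Python (no eval()). Values are parsed as
    JSON when possible (numbers, true/false/null, quoted strings), else as text.
    """
    match = _PRED_RE.match(expr.strip())
    if not match:
        raise ValueError(f"unsupported predicate: {expr!r}")
    key, op, raw = match.groups()
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        value = raw
    compare = _OPS[op]

    def pred(row: dict) -> bool:
        have = row.get(key)
        if have is None or value is None:
            # Only equality tests are meaningful against a missing/null field.
            return compare(have, value) if op in ("=", "!=") else False
        try:
            return compare(have, value)
        except TypeError:  # e.g. a string field compared against a number
            return False

    return pred


def select_rows(rows: Iterable[dict], predicates=(), names=None) -> list:
    """Return rows that satisfy every predicate and, if names is given, whose name is in it."""
    out = []
    for row in rows:
        if names is not None and row.get("name") not in names:
            continue
        if all(p(row) for p in predicates):
            out.append(row)
    return out


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="Subset a JSON array file.")
    ap.add_argument("path", help="JSON file containing an array of objects")
    ap.add_argument("--where", action="append", default=[],
                    help="predicate such as country=US or employees>=100 (repeatable)")
    ap.add_argument("--names", help="file with one name per line to keep")
    args = ap.parse_args(argv)
    with open(args.path, encoding="utf-8") as fh:
        rows = json.load(fh)
    names = None
    if args.names:
        with open(args.names, encoding="utf-8") as fh:
            names = {line.strip() for line in fh if line.strip()}
    preds = [parse_predicate(w) for w in args.where]
    json.dump(select_rows(rows, preds, names), sys.stdout, indent=2)
    sys.stdout.write("\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Typical invocation once saved: `python3 scripts/json_array_subset.py all_enriched.json --where country=US --where employees>=100`. A predicate the grammar does not recognise is rejected with `ValueError` rather than evaluated, which is the property that makes the helper safe to hand to an agent.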
3.2 scripts/mc_task_update.py
Purpose:
- update Mission Control tasks by `displayId` for status, assignee, title, and description patches
Why second:
- task mutations repeatedly triggered inline Python one-offs
Common uses:
- move `JAM-42` to `in-progress`
- move tasks to `needs-review`
- append closure notes to stale tasks
3.3 scripts/json_record_backfill.py
Purpose:
- apply a field or mapping change across a directory of JSON records
Why third:
- this replaces one-off backfills like `concerns_lantronix`, strategic tags, or schema field additions
Common uses:
- backfill a boolean across company records
- set defaults for migrated datasets
- patch a directory of workbench records safely
3.4 scripts/json_counts_report.py
Purpose:
- output record counts, sample names, and simple distribution summaries
Why fourth:
- repeated heredocs were used just to count files, print names, and summarize categories
Common uses:
- count products, evidence, companies
- summarize `concerns_lantronix=true/false`
- print quick sanity checks after migrations
3.5 scripts/log_event_extract.py
Purpose:
- pull timestamped event slices from OpenClaw/session logs by keyword or pattern
Why fifth:
- needed for clean denial-week analysis without ad hoc grep pipelines and transcript spelunking
Common uses:
- extract Gateway-denied events
- extract profile attach activity
- summarize prompt windows by day
4. Pull a clean week of logged denial events
Why fourth: after routing and helper discipline are improved, get the clean measurement baseline Pete asked for.
Change:
- use a saved log-extraction helper to pull one week of timestamped denial events
- separate true logged denials from inferred denials
- classify by command shape and source workflow
Expected effect:
- evidence-backed basis for any later security tuning
- clean before/after comparison once the first three remediation items land
Definition of done:
- one artifact with timestamped logged denials for the measurement week
- grouped patterns by count
- clear separation of logged vs inferred evidence
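An added example covering both helper 3.5 and this step, written for this plan and not taken from OpenClaw or from an existing `scripts/log_event_extract.py`. It pulls one week of events from a log, keeps Gateway records that actually say `decision=denied` apart from agent-side lines that merely claim a block, and groups the logged denials by command shape, source workflow, and day. The line layout of `SAMPLE_LOG` (ISO timestamp, source, event, then `key=value` fields) and the field names `decision`, `workflow`, `cmd` and `text` are assumptions; `parse_line()` is the one function to adapt to the real Gateway and session log format.

```python
"""Extract a clean week of logged exec denials and group them by command shape.

Added example, not OpenClaw's scripts/log_event_extract.py or its real log
format: the line layout in SAMPLE_LOG (ISO timestamp, source, event, then
key=value fields) is an assumption; adapt parse_line() to the actual Gateway
and session log format.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log. One line is an agent's guess that it was blocked
# (no matching gateway record), and one denial falls outside the week.
SAMPLE_LOG = """\
2025-04-14T08:01:10Z gateway exec decision=allowed workflow=linkedin-invites cmd="ls -la out/"
2025-04-15T09:14:02Z gateway exec decision=denied workflow=daily-twitter-briefing cmd="python3 <<'PY'"
2025-04-15T09:20:45Z gateway exec decision=denied workflow=personal-one-pager cmd="python3 -c 'import json,sys; print(len(json.load(sys.stdin)))'"
2025-04-16T11:02:33Z agent note text="command seems to have been blocked by the gateway, retrying"
2025-04-17T14:55:09Z gateway exec decision=denied workflow=daily-twitter-briefing cmd="python3 <<'PY'"
2025-04-18T16:40:00Z gateway exec decision=denied workflow=linkedin-invites cmd="grep -c lantronix all_enriched.json"
2025-04-19T10:10:10Z gateway exec decision=denied workflow=personal-one-pager cmd="cat <<'EOF' > notes.md"
2025-04-22T07:00:00Z gateway exec decision=denied workflow=daily-twitter-briefing cmd="python3 <<'PY'"
"""

_HEAD_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_INTERPRETERS = {"python", "python3", "node", "ruby", "perl", "bash", "sh"}


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = _HEAD_RE.match(line.strip())
    if not m:
        return None
    ts, source, event, rest = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": when, "source": source, "event": event}
    for key, quoted, bare in _KV_RE.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def classify_shape(cmd: str) -> str:
    """Bucket a command: heredoc into Python, other heredoc, inline -c/-e, or plain shell."""
    words = cmd.split()
    first = words[0] if words else ""
    if "<<" in cmd:
        return "python_heredoc" if first.startswith("python") else "shell_heredoc"
    if first in _INTERPRETERS and re.search(r"\s-[ce]\s", cmd):
        return "inline_interpreter"
    return "plain_shell"


def extract_denials(text: str, start: datetime, days: int = 7):
    """Return (logged, inferred) denials with timestamps in [start, start+days).

    logged: gateway records that actually say decision=denied.
    inferred: agent-side lines that merely claim a block; kept separate so they
    are never counted as evidence.
    """
    end = start + timedelta(days=days)
    logged, inferred = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        if rec["source"] == "gateway" and rec["event"] == "exec" and rec.get("decision") == "denied":
            rec["shape"] = classify_shape(rec.get("cmd", ""))
            logged.append(rec)
        elif rec["source"] == "agent" and re.search(r"\b(denied|blocked)\b", rec.get("text", ""), re.I):
            inferred.append(rec)
    return logged, inferred


def summarize(logged) -> dict:
    """Group logged denials by command shape, source workflow, and day."""
    return {
        "by_shape": Counter(r["shape"] for r in logged),
        "by_workflow": Counter(r.get("workflow", "unknown") for r in logged),
        "by_day": Counter(r["ts"].strftime("%Y-%m-%d") for r in logged),
    }


if __name__ == "__main__":
    week_start = datetime(2025, 4, 14, tzinfo=timezone.utc)
    logged, inferred = extract_denials(SAMPLE_LOG, week_start)
    print(f"logged denials: {len(logged)}, inferred (not evidence): {len(inferred)}")
    for bucket, counts in summarize(logged).items():
        print(bucket, dict(counts.most_common()))
```

On the constructed sample the week yields five logged denials (two Python heredocs, one inline `-c`, one shell heredoc, one plain shell command) and one inferred claim that is reported but not counted, which is the logged-vs-inferred separation this step asks for. The `by_shape` bucket is the number to watch before and after the helpers land: if the `python_heredoc` count does not fall, the discipline fix has not taken.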
What not to do yet
- do not change `tools.exec.security`
- do not change `tools.exec.ask`
- do not widen browser access or reduce browser safeguards
- do not accept inline heredoc patterns as normal just because they are convenient
Smallest changes short of config edits
- Reroute `daily-twitter-briefing` away from `user`
- Reuse LinkedIn browser sessions more aggressively
- Replace recurring inline Python with small saved helpers
- Pull a clean denial week after the first three changes land
Success criteria
This remediation pass is successful if:
- remote-debugging prompts drop sharply because only true live-session workflows still hit `user`
- LinkedIn workflows produce fewer attach prompts because reuse is tighter
- routine parsing and transformation work stops relying on inline heredocs
- denial analysis for the next measurement window is based on clean logged events rather than inference
- exec security remains unchanged because discipline fixes reduced the noise enough