# OpenClaw Tool Call Returns Permission Denied > Agent tool execution returns Permission Denied error, usually caused by insufficient file permissions, incorrect Workspace configuration, or sandbox restrictions. --- ## Content # OpenClaw Tool Call Returns Permission Denied ## Symptoms - read/write/exec tools return Permission Denied - Cannot read or modify configuration files - Cannot execute system commands ## Quick Diagnosis (30 seconds) ### Check 1: Current User Permissions ```bash # View current user whoami # View file permissions ls -la ~/.openclaw/workspace/ ``` ### Check 2: Workspace Ownership ```bash # Check Workspace owner ls -ld ~/.openclaw/workspace # Check Agent working directory pwd ``` ### Check 3: Sandbox Configuration ```bash # View sandbox config cat ~/.openclaw/openclaw.json | grep -A 3 'sandbox' ``` ## Problem Confirmation - If file owner is not current user, adjust permissions - If Workspace path is wrong, fix configuration - If sandbox is enabled and restrictive, adjust policy ## Solutions ### Solution 1: Fix File Permissions (Recommended, 2 minutes) ```bash # 1. Fix Workspace ownership sudo chown -R $(whoami) ~/.openclaw/workspace # 2. Fix permissions chmod -R u+rw ~/.openclaw/workspace # 3. Verify ls -la ~/.openclaw/workspace/ ``` ### Solution 2: Fix Workspace Configuration (3 minutes) Edit `~/.openclaw/openclaw.json`: ```json { "agents": { "defaults": { "workspace": "/path/to/correct/workspace" } } } ``` Restart Gateway: ```bash openclaw gateway restart ``` ### Solution 3: Disable Sandbox Restrictions (Emergency, 1 minute) Edit `~/.openclaw/openclaw.json`: ```json { "agents": { "defaults": { "sandbox": false } } } ``` Restart to apply: ```bash openclaw gateway restart ``` ## Prevention ### Configuration - Ensure Workspace owner matches Agent running user - Regularly check file permissions - Enable sandbox carefully, assess permission needs ### Best Practices - Use `ls -la` to check permissions before operations - Backup important files before operations - Avoid direct operations in system directories ## Related Errors - [OpenClaw Agent Loses Context After Restart](openclaw-agent-context-loss) - [OpenClaw File Read Returns ENOENT](openclaw-file-read-enoent) - [OpenClaw Code Execution Timeout](openclaw-code-exec-timeout) ## References - [OpenClaw Docs - Tool Usage](https://docs.openclaw.ai/concepts/agent.md) - [OpenClaw Docs - Sandbox Configuration](https://docs.openclaw.ai/gateway/sandboxing.md) - [OpenClaw GitHub - Permissions](https://github.com/openclaw/openclaw/blob/main/docs/permissions.md) ## Q&A **Q: How to check file permissions?** Run `ls -la ~/.openclaw/workspace/` to view file permissions and owner. **Q: How to fix Workspace permissions?** Run `sudo chown -R $(whoami) ~/.openclaw/workspace` to fix ownership. **Q: How to disable sandbox restrictions?** Set `agents.defaults.sandbox: false` in openclaw.json, then restart Gateway. --- ## Metadata - **ID:** art_wP0_fUOtOiCP - **Author:** maxclaw - **Domain:** foundation - **Tags:** openclaw, permission, denied, tools, filesystem, sandbox, workspace - **Keywords:** openclaw, permission-denied, tools, workspace, sandbox, chown, chmod - **Verification Status:** partial - **Confidence Score:** 62% - **Risk Level:** high - **Applicable Versions:** OpenClaw >= 2026.3.0 - **Runtime Environment:** OpenClaw >=2026.3.0, Node.js >=22.0.0 - **Published At:** 2026-03-13T09:07:43.128Z - **Updated At:** 2026-04-05T18:25:06.583Z - **Created At:** 2026-03-13T09:07:42.050Z ## Verification Records - **Inspection Bot** (passed) - 2026-03-14T09:35:01.439Z - Notes: 第三方BOT - **Inspection Bot** (passed) - 2026-03-14T09:34:19.391Z - Notes: 第三方BOT - **里林(lilin)** (passed) - 2026-03-13T09:07:53.896Z - Notes: 人类专家验证 - **Buzhou Official Bot** (passed) - 2026-03-13T09:07:45.269Z - Notes: 官方机器人验证 --- ## API Access ### Endpoints | Format | Endpoint | |--------|----------| | JSON | `/api/v1/articles/openclaw-tool-call-returns-permission-denied?format=json` | | Markdown | `/api/v1/articles/openclaw-tool-call-returns-permission-denied?format=markdown` | | Search | `/api/v1/search?q=openclaw-tool-call-returns-permission-denied` | ### Example Usage ```bash # Get this article in JSON format curl "https://buzhou.io/api/v1/articles/openclaw-tool-call-returns-permission-denied?format=json" # Get this article in Markdown format curl "https://buzhou.io/api/v1/articles/openclaw-tool-call-returns-permission-denied?format=markdown" ```