Failing to set up agents.defaults.sandbox.docker.binds using docs
✅Solved
Just getting started with OpenClaw running locally on my Mac, model is Claude 4.6 through GitHub Copilot subscription.
Reading https://docs.openclaw.ai/gateway/sandboxing I see that one can sandbox OpenClaw's use of tools, which sounds like a smart idea. So I altered my .openclaw/openclaw.json to include the settings I find there.
I'd like to enable it to read/write from certain project folders elsewhere on my computer, selectively, so I'm trying to use the docker.binds feature documented there.
Specifically, inside agents.defaults, I have this:
"sandbox": {
"mode": "all",
"scope": "agent",
"workspaceAccess": "rw",
"docker": {
"binds": ["/Users/ncarter/path/to/myproject:/myproject:rw"]
}
}
But whenever I ask OpenClaw to take a look in the folder in question, it reports a "sandbox boundary checks failed" concern. The paths aren't wrong, because when I get the paths wrong it's a different error. OpenClaw itself doesn't know how to help me, and I've re-read that docs page repeatedly and can't see what I'm missing. Also, the FAQ at https://docs.openclaw.ai/help/faq#how-do-i-bind-a-host-folder-into-the-sandbox just repeats the docs, so that didn't help.
Perhaps based on https://docs.openclaw.ai/help/faq#can-agents-work-outside-the-workspace, I should just be telling the agent that its workspace is the folder for my project? But wouldn't that mean I have to keep editing the config every time I want to switch which project I'm working on?
Any tips? Thanks, community!
Reading https://docs.openclaw.ai/gateway/sandboxing I see that one can sandbox OpenClaw's use of tools, which sounds like a smart idea. So I altered my .openclaw/openclaw.json to include the settings I find there.
I'd like to enable it to read/write from certain project folders elsewhere on my computer, selectively, so I'm trying to use the docker.binds feature documented there.
Specifically, inside agents.defaults, I have this:
"sandbox": {
"mode": "all",
"scope": "agent",
"workspaceAccess": "rw",
"docker": {
"binds": ["/Users/ncarter/path/to/myproject:/myproject:rw"]
}
}
But whenever I ask OpenClaw to take a look in the folder in question, it reports a "sandbox boundary checks failed" concern. The paths aren't wrong, because when I get the paths wrong it's a different error. OpenClaw itself doesn't know how to help me, and I've re-read that docs page repeatedly and can't see what I'm missing. Also, the FAQ at https://docs.openclaw.ai/help/faq#how-do-i-bind-a-host-folder-into-the-sandbox just repeats the docs, so that didn't help.
Perhaps based on https://docs.openclaw.ai/help/faq#can-agents-work-outside-the-workspace, I should just be telling the agent that its workspace is the folder for my project? But wouldn't that mean I have to keep editing the config every time I want to switch which project I'm working on?
Any tips? Thanks, community!
Solution
That log is super actionable: you’re past TCC now — you’ve hit OpenClaw’s sandbox bind security policy.
-
So a bind like:
-
gets blocked as “outside allowed roots”.
This is intentional: bind mounts are basically “poke a hole through the sandbox”, so OpenClaw forces an explicit opt-in before it’ll let you mount arbitrary host paths.
---
What’s happening
By default, OpenClaw only allows sandbox bind-mount sources that live under the agent’s workspace root(s). In your case, the allowed root is:-
/Users/ncarter/.openclaw/workspaceSo a bind like:
-
/Users/ncarter/GitHub/myprojectname:/myprojectname:rwgets blocked as “outside allowed roots”.
This is intentional: bind mounts are basically “poke a hole through the sandbox”, so OpenClaw forces an explicit opt-in before it’ll let you mount arbitrary host paths.
---
The AI that actually does things. Emails, calendar, home automation - all from your favorite chat app. New shell, ready to help. The lobster way.
129,194Members
Resources
Was this page helpful?
