openclaw/docs/tools/elevated.md

---
summary: "Elevated exec mode and /elevated directives"
read_when:
  - Adjusting elevated mode defaults, allowlists, or slash command behavior
title: "Elevated Mode"
---

# Elevated Mode (/elevated directives)

## What it does

- `/elevated on` runs on the gateway host and keeps exec approvals (same as `/elevated ask`).
- `/elevated full` runs on the gateway host **and** auto-approves exec (skips exec approvals).
- `/elevated ask` runs on the gateway host but keeps exec approvals (same as `/elevated on`).
- `on`/`ask` do **not** force `exec.security=full`; configured security/ask policy still applies.
- Only changes behavior when the agent is **sandboxed** (otherwise exec already runs on the host).
- Directive forms: `/elevated on|off|ask|full`, `/elev on|off|ask|full`.
- Only `on|off|ask|full` are accepted; anything else returns a hint and does not change state.

## What it controls (and what it doesn’t)

- **Availability gates**: `tools.elevated` is the global baseline. `agents.list[].tools.elevated` can further restrict elevated per agent (both must allow).
- **Per-session state**: `/elevated on|off|ask|full` sets the elevated level for the current session key.
- **Inline directive**: `/elevated on|ask|full` inside a message applies to that message only.
- **Groups**: In group chats, elevated directives are only honored when the agent is mentioned. Command-only messages that bypass mention requirements are treated as mentioned.
- **Host execution**: elevated forces `exec` onto the gateway host; `full` also sets `security=full`.
- **Approvals**: `full` skips exec approvals; `on`/`ask` honor them when allowlist/ask rules require.
- **Unsandboxed agents**: no-op for location; only affects gating, logging, and status.
- **Tool policy still applies**: if `exec` is denied by tool policy, elevated cannot be used.
- **Separate from `/exec`**: `/exec` adjusts per-session defaults for authorized senders and does not require elevated.

## Resolution order

1. Inline directive on the message (applies only to that message).
2. Session override (set by sending a directive-only message).
3. Global default (`agents.defaults.elevatedDefault` in config).

## Setting a session default

- Send a message that is **only** the directive (whitespace allowed), e.g. `/elevated full`.
- Confirmation reply is sent (`Elevated mode set to full...` / `Elevated mode disabled.`).
- If elevated access is disabled or the sender is not on the approved allowlist, the directive replies with an actionable error and does not change session state.
- Send `/elevated` (or `/elevated:`) with no argument to see the current elevated level.

## Availability + allowlists

- Feature gate: `tools.elevated.enabled` (default can be off via config even if the code supports it).
- Sender allowlist: `tools.elevated.allowFrom` with per-provider allowlists (e.g. `discord`, `whatsapp`).
- Unprefixed allowlist entries match sender-scoped identity values only (`SenderId`, `SenderE164`, `From`); recipient routing fields are never used for elevated authorization.
- Mutable sender metadata requires explicit prefixes:
  - `name:<value>` matches `SenderName`
  - `username:<value>` matches `SenderUsername`
  - `tag:<value>` matches `SenderTag`
  - `id:<value>`, `from:<value>`, `e164:<value>` are available for explicit identity targeting
- Per-agent gate: `agents.list[].tools.elevated.enabled` (optional; can only further restrict).
- Per-agent allowlist: `agents.list[].tools.elevated.allowFrom` (optional; when set, the sender must match **both** global + per-agent allowlists).
- Discord fallback: if `tools.elevated.allowFrom.discord` is omitted, the `channels.discord.allowFrom` list is used as a fallback (legacy: `channels.discord.dm.allowFrom`). Set `tools.elevated.allowFrom.discord` (even `[]`) to override. Per-agent allowlists do **not** use the fallback.
- All gates must pass; otherwise elevated is treated as unavailable.

## Logging + status

- Elevated exec calls are logged at info level.
- Session status includes elevated mode (e.g. `elevated=ask`, `elevated=full`).
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
+								---
-												fix: rename bash tool to exec (#748) (thanks @myfunc)

											
										
										
											2026-01-12 02:49:55 +00:00
+								summary: "Elevated exec mode and /elevated directives"
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
+								read_when:
 								  - Adjusting elevated mode defaults, allowlists, or slash command behavior
-												Docs: add nav titles across docs (#5689)


											
										
										
											2026-01-31 16:04:03 -05:00
+								title: "Elevated Mode"
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
+								---
-												chore: Run `pnpm format:fix`.

											
										
										
											2026-01-31 21:13:13 +09:00
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
+								# Elevated Mode (/elevated directives)
 								## What it does
-												chore: Run `pnpm format:fix`.

											
										
										
											2026-01-31 21:13:13 +09:00
-												fix: cover elevated ask approvals (#1636)


											
										
										
											2026-01-24 21:12:46 +00:00
+								- `/elevated on` runs on the gateway host and keeps exec approvals (same as `/elevated ask`).
-												feat: add elevated ask/full modes

											
										
										
											2026-01-22 05:32:13 +00:00
+								- `/elevated full` runs on the gateway host **and** auto-approves exec (skips exec approvals).
 								- `/elevated ask` runs on the gateway host but keeps exec approvals (same as `/elevated on`).
-												fix: cover elevated ask approvals (#1636)


											
										
										
											2026-01-24 21:12:46 +00:00
+								- `on`/`ask` do **not** force `exec.security=full`; configured security/ask policy still applies.
-												feat: add exec host approvals flow

											
										
										
											2026-01-18 04:27:33 +00:00
+								- Only changes behavior when the agent is **sandboxed** (otherwise exec already runs on the host).
-												feat: add elevated ask/full modes

											
										
										
											2026-01-22 05:32:13 +00:00
+								- Directive forms: `/elevated on|off|ask|full`, `/elev on|off|ask|full`.
 								- Only `on|off|ask|full` are accepted; anything else returns a hint and does not change state.
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
-												fix: tighten group elevated targeting

											
										
										
											2026-01-08 22:57:08 +01:00
+								## What it controls (and what it doesn’t)
-												chore: Run `pnpm format:fix`.

											
										
										
											2026-01-31 21:13:13 +09:00
-												feat: add per-agent elevated controls

											
										
										
											2026-01-09 20:42:16 +00:00
+								- **Availability gates**: `tools.elevated` is the global baseline. `agents.list[].tools.elevated` can further restrict elevated per agent (both must allow).
-												feat: add elevated ask/full modes

											
										
										
											2026-01-22 05:32:13 +00:00
+								- **Per-session state**: `/elevated on|off|ask|full` sets the elevated level for the current session key.
 								- **Inline directive**: `/elevated on|ask|full` inside a message applies to that message only.
-												fix: honor mention-bypass for group commands

											
										
										
											2026-01-09 02:52:44 +01:00
+								- **Groups**: In group chats, elevated directives are only honored when the agent is mentioned. Command-only messages that bypass mention requirements are treated as mentioned.
-												fix: cover elevated ask approvals (#1636)


											
										
										
											2026-01-24 21:12:46 +00:00
+								- **Host execution**: elevated forces `exec` onto the gateway host; `full` also sets `security=full`.
 								- **Approvals**: `full` skips exec approvals; `on`/`ask` honor them when allowlist/ask rules require.
-												feat: add exec host approvals flow

											
										
										
											2026-01-18 04:27:33 +00:00
+								- **Unsandboxed agents**: no-op for location; only affects gating, logging, and status.
-												fix: rename bash tool to exec (#748) (thanks @myfunc)

											
										
										
											2026-01-12 02:49:55 +00:00
+								- **Tool policy still applies**: if `exec` is denied by tool policy, elevated cannot be used.
-												docs: clarify command authorization for exec directives

											
										
										
											2026-01-26 22:18:36 +00:00
+								- **Separate from `/exec`**: `/exec` adjusts per-session defaults for authorized senders and does not require elevated.
-												docs: clarify elevated sandbox behavior

											
										
										
											2026-01-08 23:17:02 +01:00
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
+								## Resolution order
-												chore: Run `pnpm format:fix`.

											
										
										
											2026-01-31 21:13:13 +09:00
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
+. Inline directive on the message (applies only to that message).
 . Session override (set by sending a directive-only message).
-												feat: wire multi-agent config and routing

Co-authored-by: Mark Pors <1078320+pors@users.noreply.github.com>

											
										
										
											2026-01-09 12:44:23 +00:00
+. Global default (`agents.defaults.elevatedDefault` in config).
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
 								## Setting a session default
-												chore: Run `pnpm format:fix`.

											
										
										
											2026-01-31 21:13:13 +09:00
-												feat: add elevated ask/full modes

											
										
										
											2026-01-22 05:32:13 +00:00
+								- Send a message that is **only** the directive (whitespace allowed), e.g. `/elevated full`.
 								- Confirmation reply is sent (`Elevated mode set to full...` / `Elevated mode disabled.`).
-												feat: add exec host approvals flow

											
										
										
											2026-01-18 04:27:33 +00:00
+								- If elevated access is disabled or the sender is not on the approved allowlist, the directive replies with an actionable error and does not change session state.
-												fix: relax slash command parsing

											
										
										
											2026-01-08 03:22:14 +01:00
+								- Send `/elevated` (or `/elevated:`) with no argument to see the current elevated level.
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
 								## Availability + allowlists
-												chore: Run `pnpm format:fix`.

											
										
										
											2026-01-31 21:13:13 +09:00
-												feat: wire multi-agent config and routing

Co-authored-by: Mark Pors <1078320+pors@users.noreply.github.com>

											
										
										
											2026-01-09 12:44:23 +00:00
+								- Feature gate: `tools.elevated.enabled` (default can be off via config even if the code supports it).
 								- Sender allowlist: `tools.elevated.allowFrom` with per-provider allowlists (e.g. `discord`, `whatsapp`).
-												fix(security): tighten elevated allowFrom sender matching

											
										
										
											2026-02-22 21:58:40 +01:00
+								- Unprefixed allowlist entries match sender-scoped identity values only (`SenderId`, `SenderE164`, `From`); recipient routing fields are never used for elevated authorization.
 								- Mutable sender metadata requires explicit prefixes:
 								  - `name:<value>` matches `SenderName`
 								  - `username:<value>` matches `SenderUsername`
 								  - `tag:<value>` matches `SenderTag`
 								  - `id:<value>`, `from:<value>`, `e164:<value>` are available for explicit identity targeting
-												feat: add per-agent elevated controls

											
										
										
											2026-01-09 20:42:16 +00:00
+								- Per-agent gate: `agents.list[].tools.elevated.enabled` (optional; can only further restrict).
 								- Per-agent allowlist: `agents.list[].tools.elevated.allowFrom` (optional; when set, the sender must match **both** global + per-agent allowlists).
-												docs: update Slack/Discord allowFrom references

											
										
										
											2026-02-15 03:48:40 +01:00
+								- Discord fallback: if `tools.elevated.allowFrom.discord` is omitted, the `channels.discord.allowFrom` list is used as a fallback (legacy: `channels.discord.dm.allowFrom`). Set `tools.elevated.allowFrom.discord` (even `[]`) to override. Per-agent allowlists do **not** use the fallback.
-												feat: add per-agent elevated controls

											
										
										
											2026-01-09 20:42:16 +00:00
+								- All gates must pass; otherwise elevated is treated as unavailable.
-												docs: split elevated directives

											
										
										
											2026-01-04 05:21:12 +00:00
 								## Logging + status
-												chore: Run `pnpm format:fix`.

											
										
										
											2026-01-31 21:13:13 +09:00
-												fix: rename bash tool to exec (#748) (thanks @myfunc)

											
										
										
											2026-01-12 02:49:55 +00:00
+								- Elevated exec calls are logged at info level.
-												feat: add elevated ask/full modes

											
										
										
											2026-01-22 05:32:13 +00:00
+								- Session status includes elevated mode (e.g. `elevated=ask`, `elevated=full`).