OpenClaw Tool System

Tools turn OpenClaw from "can chat" into "can do." This chapter covers built-in capabilities and the crucial tool policies and approval gates.


What Can OpenClaw Do?

The agent can perform a range of real operations:

CapabilityExamples
Shell commandsRun scripts, manage files, invoke CLIs
Browser automationOpen pages, click, fill forms, scrape
EmailSend/receive, organize mail
CalendarCreate/query calendar events
File operationsRead/write, organize workspace files
Web scraping / formsPull data, auto-fill and submit forms
MediaSend/receive images, audio, documents

These let OpenClaw genuinely "run errands" for you — but they also mean it can change your system and accounts, so tool policies are essential.


Tool Policies & Approval Gates (Core Safety Mechanism)

OpenClaw governs high-risk actions with tool policies: you can require reads to pass automatically while sends/deletes/writes must be approved first.

agent wants to perform a tool action
   ├─ read (low risk)        → run automatically
   └─ send/delete/write      → pause, wait for your approval

These approval gates are OpenClaw's first line of defense. Follow a tighten-by-default principle:

deny high-risk by default → allow only clearly safe reads → require human approval for the rest

See Permissions & Security.


Configuring Policies in openclaw.json

Tool policies and approval rules live in the main openclaw.json. You can:

  • Set allow / ask / deny per tool
  • Distinguish read vs. write/send/delete
  • Force approval for risky platform actions (e.g., sending email, deleting files)

After configuring, verify the policy behaves as expected on a low-risk task in the Dashboard before granting more permissions.


Browser Automation

The browser tool lets OpenClaw operate the web like a human: search, navigate, click, fill forms, scrape. These tasks are memory-heavy — reserve 4GB+ RAM for browser automation.

Because the browser can log into your accounts and submit forms, be sure to put it behind approval gates to avoid real-world consequences from mistakes.


Extending Capabilities via Skills

Tools are "atomic capabilities"; composing multi-step flows into reusable procedures is what skills are for:

  • Skills are described in SKILL.md and shareable via ClawHub
  • The agent can even auto-draft a skill when one is missing
  • See Skills

Security warning: community skills are not sandboxed by default, and there have been many malicious ones. Review any third-party skill before installing — see Security.


Practical Tips

  • Start with tool policies as tight as possible, then loosen as needed
  • Keep all send / delete / pay / login actions behind human approval
  • Browser and shell are double-edged: powerful and risky — rehearse in an isolated environment / test accounts first
  • Turn repeated multi-step actions into skills to reduce errors and token use

Next Steps