OpenClaw Sandbox vs Approvals vs Tool Policy: Three Different Safety Layers When an OpenClaw command gets blocked, the tempting reaction is to look for one magic switch. Turn off the sandbox. Enable elevated mode. Change approvals. Add the tool to an allowlist. I get why that happens, but it is usually the wrong debugging model. OpenClaw has three separate safety layers that can all affect the same moment: sandboxing, tool policy, and exec approvals. They sound related because they are all safety controls. They are not interchangeable. The shortest version is this: sandboxing decides where tools run, tool policy decides which tools exist, and approvals decide whether a host exec command is allowed to proceed. If you understand that split, most “why did OpenClaw block this?” incidents become much less mysterious. This post is docs-grounded and deliberately practical. If you want the deeper single-topic guide for approvals afterward, read OpenClaw Exec Approvals .…