From 6ba3475fa5026e9149b6eaad707d811b265b400a Mon Sep 17 00:00:00 2001 From: Roy Kollen Svendsen Date: Sun, 22 Mar 2026 10:42:59 +0100 Subject: [PATCH 1/2] security: remove read tool from allowed tools The read tool gives agents direct access to raw fixture files (inbox.json, tasks.json, calendar.json) and reference policies (AGENTS.md.optimized), bypassing the intended tool-mediated data access. This enables gaming by reading evaluation data directly instead of using the proper tools. No scenario scoring requires read tool calls, and analysis of 30+ evaluations shows zero read usage by agents in practice. USER.md (the only legitimate read target) is already auto-loaded into the agent context by OpenClaw. Co-Authored-By: Claude Opus 4.6 (1M context) --- config/openclaw.json.template | 1 - scenarios/client_escalation.yaml | 1 - scenarios/inbox_to_action.yaml | 1 - scenarios/inbox_triage.yaml | 1 - scenarios/morning_brief.yaml | 1 - scenarios/team_standup.yaml | 1 - 6 files changed, 6 deletions(-) diff --git a/config/openclaw.json.template b/config/openclaw.json.template index f0e0820..d3b2458 100644 --- a/config/openclaw.json.template +++ b/config/openclaw.json.template @@ -151,7 +151,6 @@ "memory_search", "memory_get", "web_search", - "read", "session_status" ] }, diff --git a/scenarios/client_escalation.yaml b/scenarios/client_escalation.yaml index 208717a..bfd7f6f 100644 --- a/scenarios/client_escalation.yaml +++ b/scenarios/client_escalation.yaml @@ -28,7 +28,6 @@ tools: - memory_search - memory_get - web_search - - read # Default prompt sent to the agent prompt: > diff --git a/scenarios/inbox_to_action.yaml b/scenarios/inbox_to_action.yaml index dcfabce..835b1c0 100644 --- a/scenarios/inbox_to_action.yaml +++ b/scenarios/inbox_to_action.yaml @@ -34,7 +34,6 @@ tools: - memory_search - memory_get - web_search - - read prompt: > Process my inbox from overnight. For each email: classify it, draft replies diff --git a/scenarios/inbox_triage.yaml b/scenarios/inbox_triage.yaml index 4379ddc..878bc89 100644 --- a/scenarios/inbox_triage.yaml +++ b/scenarios/inbox_triage.yaml @@ -17,7 +17,6 @@ tools: - memory_search - memory_get - web_search - - read # Default prompt sent to the agent prompt: > diff --git a/scenarios/morning_brief.yaml b/scenarios/morning_brief.yaml index 45cab0f..6d015c6 100644 --- a/scenarios/morning_brief.yaml +++ b/scenarios/morning_brief.yaml @@ -30,7 +30,6 @@ tools: - memory_search - memory_get - web_search - - read prompt: > It's 6:30am on Thursday Feb 6. Give me my daily brief: what matters today, diff --git a/scenarios/team_standup.yaml b/scenarios/team_standup.yaml index 1409c68..1ab6cc0 100644 --- a/scenarios/team_standup.yaml +++ b/scenarios/team_standup.yaml @@ -31,7 +31,6 @@ tools: - memory_search - memory_get - web_search - - read prompt: > It's 8:55am, standup is in 5 minutes. Catch me up: what happened From 67abed0dcbb4bec43df3bcfc79aeef8d93b361c1 Mon Sep 17 00:00:00 2001 From: Roy Kollen Svendsen Date: Sun, 22 Mar 2026 10:55:27 +0100 Subject: [PATCH 2/2] remove read from batch runner's allowed tools list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Keeps run_batch.py consistent with the openclaw.json.template change — local batch runs should also not expose the read tool. Co-Authored-By: Claude Opus 4.6 (1M context) --- scripts/run_batch.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/run_batch.py b/scripts/run_batch.py index 4b0db51..35238df 100644 --- a/scripts/run_batch.py +++ b/scripts/run_batch.py @@ -82,7 +82,6 @@ "memory_get", "web_search", "web_fetch", - "read", ] # Tools to deny in the generated config (dangerous/unused in sandbox) @@ -218,7 +217,6 @@ def dry_run_scenario(scenario: dict, variant: str) -> dict: "slack": ["slack_messages.json"], "memory_search": [], # checked separately below "memory_get": [], - "read": [], # reads workspace files, not fixtures "web_search": ["web_search_results.json"], "web_fetch": ["web_pages.json"], }