OpenClaw adds Auto exec approvals with guardian-agent review
OpenClaw shipped an Auto mode that routes proposed system calls through a guardian agent and only interrupts the user when review is needed. Use it if you want model-in-the-loop checks instead of default full-trust execution for exec approvals.

TL;DR
- OpenClaw shipped an opt-in auto mode for exec approvals that inserts model review between deterministic allowlists and human prompts, according to vincent_koc's launch post and the official blog post.
- In the docs for the exec tool, tools.exec.mode now spans deny, allowlist, ask, auto, and full, and auto is defined as running safe matches directly while routing everything else through a native auto reviewer before asking a human.
- The release framing is explicitly enterprise-oriented: the blog post says policy runs first, low-risk misses can be reviewed by a model, and uncertain cases still fall back to a person, which matches steipete's repost of the guardian-agent description.
- OpenClaw presented Auto alongside a broader 2026.5.28 release that openclaw's release post says added Claude Opus 4.8 support, while openclaw's performance post claims faster cold and warm turns plus a much smaller fresh install.
You can read the announcement, inspect the exec mode docs, and check the approvals docs for the stricter-of policy merge. The adjacent 2026.5.28 drop also shipped a sub-agent inspector and gateway hot path work that makes the approval story easier to debug and a little less sluggish.
Auto mode
OpenClaw's new pitch is simple: keep YOLO-style full-trust execution as an option, but add a middle layer for people who want the agent's proposed system calls screened before the user gets interrupted. The official announcement says auto is opt-in for now, and says it may become a safer default later if the public test goes well.
The same post ties the design to Codex Guardian. OpenClaw says OpenAI-backed sessions can already use Codex-native reviewed approvals through the Codex harness, and this release brings that approval shape to OpenClaw host exec for any model, not just one provider's stack.
Review packet
The mechanics are more concrete in the docs than in the tweets:
- In the exec tool docs, auto is the normalized policy knob between ask and full.
- Deterministic allowlist and safe-bin matches run immediately, per the exec docs.
- Remaining exec requests go to a native auto reviewer before a person is asked, again per the exec docs.
- The announcement says the reviewer gets a bounded packet with command details and environment context, then can allow one low-risk execution.
- Approval outcomes include allow-once, allow-always, and deny, according to the announcement.
- The exec approvals docs say effective policy is the stricter of tools.exec.* and approvals defaults, and a host-local approvals file can still force ask: "always" even when session defaults request on-miss.
- If no UI or approval client responds, the announcement says fallback uses the host's configured setting.
That keeps the interesting boundary in place: model review can reduce prompt spam, but the local approvals state still wins when the operator has pinned a stricter posture.
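The decision order described in this section, sketched as an added example; it is not OpenClaw's code and does not come from the announcement or docs. The strictest-first orderings, the exact-match allowlist, the reviewer's "uncertain" verdict, the precedence of ask: "always", and all function and key names are assumptions made for illustration.

```python
# Illustrative model only; names, orderings and return values are assumptions,
# not OpenClaw's implementation or config schema.
MODES = ["deny", "allowlist", "ask", "auto", "full"]   # assumed strictest -> loosest
ASK = ["always", "on-miss"]                            # assumed strictest -> loosest


def stricter(a, b, order):
    """Return whichever of a/b comes first in a strictest-first ordering."""
    return a if order.index(a) <= order.index(b) else b


def decide(cmd, session, host, allowlist, reviewer, human):
    """Resolve one exec request to 'run' or 'deny'.

    session/host: dicts with 'mode' and 'ask'; host also has 'fallback'.
    reviewer(cmd) -> 'allow-once' | 'deny' | 'uncertain' (hypothetical verdicts).
    human(cmd)    -> 'allow-once' | 'allow-always' | 'deny' | None (no client answered).
    """
    mode = stricter(session["mode"], host["mode"], MODES)
    ask = stricter(session["ask"], host["ask"], ASK)

    def ask_human():
        answer = human(cmd)
        if answer is None:                 # no UI or approval client responded
            answer = host["fallback"]
        if answer == "allow-always":
            allowlist.add(cmd)             # later identical requests match directly
        return "run" if answer.startswith("allow") else "deny"

    if mode == "deny":
        return "deny"
    if ask == "always":                    # operator-pinned posture wins over review
        return ask_human()
    if mode == "full":
        return "run"
    if cmd in allowlist:                   # deterministic match runs immediately
        return "run"
    if mode == "allowlist":
        return "deny"
    if mode == "auto":
        verdict = reviewer(cmd)            # model review before any human prompt
        if verdict == "allow-once":
            return "run"
        if verdict == "deny":
            return "deny"
    return ask_human()                     # 'ask' mode, or reviewer was uncertain
```

With a session requesting auto and on-miss, a host file that sets ask to "always" sends even an allowlisted command to the human, which is the boundary the paragraph above describes.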
Release context
Auto mode landed inside a busier 2026.5.28 cycle than the safety tweet alone suggests. openclaw's release post says the same release added Claude Opus 4.8 support, Krea image generation through fal, faster gateway, plugin, and session hot paths, and Discord progress drafts that now show commentary.
The performance post added numbers. openclaw's performance post claims 14.5 percent faster cold turns, 16.0 percent faster warm turns, a 52.8 percent smaller fresh install, and package roots dropping from 371 to 300, while the companion release-size blog post says the fresh install footprint fell to 361.7 MiB and the unique dependency root count fell 19 percent from 5.27.
The debugging side also got better. openclaw's /subagents post points to a new /subagents view, and the sub-agent docs say it can list child runs, inspect metadata, and show tool logs on demand instead of polling. openclaw's gateway hot path post ties the speed work to less repeated metadata, config, plugin, and session-store work during active runs, which lines up with the gateway protocol docs exposing path-scoped config lookup and session APIs that were likely expensive enough to matter in the hot path.