`I am sandboxed` 无法安装依赖时的权限/审批排查清单

• You can run `openclaw status` and view gateway config on the host.
• You have sudo/admin rights on the target machine for package installation.

1. Reproduce with one explicit command request (e.g., install gh/vercel) and capture the exact refusal text in logs.
2. Check runtime mode via `openclaw status`; if command execution is sandboxed/denied, adjust policy to allow approved host-side commands rather than broad unrestricted execution.
3. Install required CLIs manually on host (outside agent turn), then let agent invoke them only for project-local tasks.
4. For sensitive commands, keep ask/approval enabled and validate command scope before confirming.

• Do not switch permanently to fully unrestricted execution in production without threat review.
• Exact policy knobs depend on deployment profile/version and should be matched with current docs（需验证）。

This tip is aggregated from community/public sources and preserved with attribution.