# OpenClaw Tools Documentation

## Overview

OpenClaw provides first-class agent tools for browser automation, canvas rendering, node management, and scheduled tasks. These replace legacy `openclaw-*` skills with typed implementations that don't require shell execution.

## Tool Access Control

### Global Configuration
Tools can be restricted via `tools.allow` and `tools.deny` in `openclaw.json`. Matching is case-insensitive, wildcards are supported, and deny rules take precedence.

### Tool Profiles
Base allowlists can be set with `tools.profile`:
- **minimal**: session status only
- **coding**: filesystem, runtime, sessions, memory, and image analysis
- **messaging**: messaging channels and session management
- **full**: unrestricted access

### Provider-Specific Policies
The `tools.byProvider` configuration narrows tool access for particular providers or model versions without affecting global settings.

### Tool Groups
Shorthand groups simplify policy configuration:
- `group:runtime` (exec, bash, process)
- `group:fs` (file operations)
- `group:sessions` (session management)
- `group:memory` (memory tools)
- `group:web` (web search and fetch)
- `group:ui` (browser and canvas)
- `group:automation` (cron and gateway)
- `group:messaging` (message delivery)

## Core Tools

**exec**: Execute shell commands with configurable timeout, background execution, and elevated privileges when allowed.

**process**: Manage background sessions with polling, logging, and termination.

**web_search / web_fetch**: Query the web and extract readable content from URLs.

**browser**: Control a dedicated browser instance for UI automation, screenshots, and PDF generation.

**canvas**: Render and interact with node canvas presentations.

**nodes**: Discover paired nodes and capture camera/screen media with user consent.

**message**: Send communications across Discord, Slack, Teams, WhatsApp, and other platforms.

**cron**: Schedule and manage gateway jobs.

## Safety Practices

Direct system execution should only occur with explicit user consent. Media capture (camera/screen) requires foreground access and user approval.