Overview
The code execution skill is one of OpenClaw's most productive capabilities. The AI agent can not only write code but also run it in a secure sandbox environment, observe the output, and iteratively improve based on results. This "write — execute — observe — improve" loop dramatically increases the accuracy of AI agents when handling technical problems.
Execution Architecture
The code execution skill is built on top of OpenClaw's sandbox isolation environment. The Pi SDK's direct embedding architecture eliminates inter-process communication overhead from code generation to execution request delivery. The execution flow is as follows:
- The AI agent generates a code snippet
- The code is submitted through the sandbox's container execution module
- The container runs the code in an isolated environment
- The output (stdout, stderr, exit code) is returned to the agent
- The agent decides on the next action based on the results
Basic Configuration
skills:
codeExec:
enabled: true
sandbox:
containerExec: true
image: openclaw/code-sandbox:latest
timeout: 30s
memoryLimit: 256m
cpuLimit: 0.5
languages:
- python
- javascript
- bash
- typescript
Supported Programming Languages
Python
Python is the most commonly used execution language. The sandbox image comes with Python 3.11 runtime and popular scientific computing libraries preinstalled.
skills:
codeExec:
python:
version: "3.11"
preinstalledPackages:
- numpy
- pandas
- matplotlib
- requests
allowPipInstall: false
maxOutputSize: 1MB
allowPipInstall controls whether additional Python packages can be installed at execution time. It is disabled by default for security reasons. If enabled, it is recommended to use it with a package allowlist.
JavaScript / TypeScript
The Node.js runtime supports executing JavaScript and TypeScript code.
skills:
codeExec:
javascript:
runtime: node
version: "20"
allowNpmInstall: false
esModules: true
Bash
Shell script execution is supported, but command scope is restricted by sandbox path constraints.
skills:
codeExec:
bash:
allowedCommands:
- ls
- cat
- grep
- awk
- sed
- curl
deniedCommands:
- rm
- dd
- mkfs
Security Mechanisms
Container Isolation
Each code execution runs in an independent container instance. After the container is destroyed, all changes in the execution environment are cleared. This means malicious code cannot have a persistent impact on the host system.
Network Control
By default, code execution containers have no network access. If network requests are needed (e.g., calling external APIs), you can explicitly enable restricted network mode:
skills:
codeExec:
network:
mode: restricted
allowedHosts:
- "api.example.com"
- "pypi.org"
maxBandwidth: 10MB
Resource Limits
The sandbox enforces strict resource limits on code execution:
- Time limit: 30 seconds by default; the container is forcibly terminated on timeout
- Memory limit: 256MB by default, preventing memory leaks and memory bombs
- CPU limit: Limits CPU usage ratio, preventing abuse such as cryptomining
- Output limit: Maximum output size limit, preventing log bombs
- Filesystem: Limits the total size of writable files
System Call Filtering
Containers use seccomp profiles to restrict available system calls, blocking dangerous operations such as fork bombs, direct device access, and more.
Execution Modes
Single Execution
The most basic mode — submit code and get output. Suitable for simple calculations, data processing, and result verification.
Interactive Session
OpenClaw supports interactive sessions that maintain execution state. Variables and state are shared across multiple code executions, similar to a Jupyter Notebook experience.
skills:
codeExec:
interactiveSession:
enabled: true
maxDuration: 600s
persistState: true
Interactive session state is maintained through the container's continued operation. The container is reclaimed after the session times out.
File Output
Code execution can produce file output (such as charts, CSV data, etc.). Output files are mapped back to the host system through mounted directories and then sent to users via the messaging tool.
skills:
codeExec:
outputDir: /tmp/openclaw/code-output
allowedOutputTypes:
- "*.png"
- "*.csv"
- "*.json"
- "*.txt"
maxOutputFileSize: 5MB
Channel Integration
Code Formatting
Different channels have different formatting requirements for code display. The system automatically formats code output based on channel type:
- Discord: Uses Markdown code blocks with syntax highlighting
- Telegram: Wraps code in
<pre>tags - Slack: Uses Slack's native code block format
- WhatsApp: Uses monospace font markup
Output Truncation
When code output exceeds a channel's message length limit, the system automatically truncates it and appends a "view full output" prompt. The complete output can be sent as a file attachment.
Use Cases
Common application scenarios for the code execution skill include:
- Data analysis: Processing CSV/JSON data and generating statistical reports
- Mathematical computation: Precise numerical calculations, avoiding AI model arithmetic errors
- Chart generation: Creating visualizations using libraries like matplotlib
- Prototype validation: Quickly verifying the correctness of code logic
- Automation scripts: Executing file processing, format conversion, and other automation tasks
Monitoring and Auditing
All code executions are fully logged, including the submitted code, execution output, resource usage, and execution duration. Administrators can review execution history to identify abuse.
skills:
codeExec:
audit:
enabled: true
logCode: true
logOutput: true
retentionDays: 30
Summary
The code execution skill upgrades the AI agent from "can only talk" to "can talk and do." Through OpenClaw's sandbox isolation mechanism, code execution runs in a secure and controlled environment, letting users enjoy powerful capabilities without worrying about security risks.