OpenClaw Security Flaw: Sub-agents Bypass Exec Approvals, Enabling Unauthorized Command Execution & File Writes

A critical security vulnerability has been identified in OpenClaw (version 2026.2.3-1). Sub-agents created via the `sessions_spawn` function can completely bypass the configured execution approval mechanism. This flaw allows these sub-agents to execute arbitrary commands, including file write operations, without triggering any user consent or approval requests, effectively defeating the core security model.

**Steps to Reproduce:**
1. Configure strict exec approvals in `~/.openclaw/exec-approvals.json` with an 'allowlist' security policy.
2. From the main session, running a command like `date` correctly triggers an approval request.
3. From a sub-agent spawned via `sessions_spawn`, running the same `date` command executes immediately without any approval.
4. From the sub-agent, running a command like `echo test | tee /tmp/file.txt` also executes without approval, successfully creating a file on the system.

**Security Impact:**
- **Critical Severity:** This provides a direct vector for attackers or malicious code to bypass all approval workflows by spawning a sub-agent.
- Sub-agents can execute arbitrary commands, including file writes, without user consent.
- This completely defeats the purpose of the approval-based security model and violates the principle of least privilege.

**Expected Behavior:** All sessions, including main and sub-agents, should inherit and respect the same security context and approval policies defined for the parent agent.

**Proposed Solution:** Sub-agents must inherit the parent session's security policies. Execution approvals should apply uniformly to all session types, and mechanisms like `safeBins` should not create a bypass path for sub-agents.

**Environment:** OpenClaw 2026.2.3-1, macOS (Darwin 24.6.0 arm64).