If OpenClaw's gateway probe is normal, it only means the gateway is reachable, but it does not mean the gateway has obtained permission to execute the tool. If you encounter "can connect, can reply, but cannot read files or execute commands," first check the authorization and tools profile; do not reinstall the Gateway first.
First, separate "connectivity" from "authorization."
The connectivity layer checks whether services are online, ports are accessible, and channels can reach the Gateway; The authorization layer depends on whether the channel, account, agent, and session can use certain tools. Passing the former does not mean passing the latter. The most typical symptom is chatting normally, but rejecting files or browsers as soon as they are addressed.
Check in this order
The first step is to run openclaw gateway probe and openclaw status --all to confirm that it is not a service disconnection. Step two: look at the tools.profile currently bound to the agent. If it's just messaging, don't expect it to execute code. Step three: Check whether override configurations are configured by Agent or channel. Many permission issues are not global errors but rather a specific entry narrowed separately.
If you are using remotely, pay special attention to allowlist, accessGroup, and group chat policies. Strangers, group members, and private chat users may fall under different rules. When fixing, only change the problematic entry point; don't turn the global profile into full at once. If you can chat but can't act, it's usually because of security policies—first confirm if the policy meets your expectations, then decide whether to let go.
