In affected versions of openclaw, sandboxed leaf subagents could still access the subagents control surface and resolve against the parent requester scope instead of remaining confined to their own session tree.

A low-privilege sandboxed leaf worker could steer or kill a sibling run owned by the same requester and cause that sibling to execute with its own broader tool policy. This is a sandbox and session-scope boundary bypass.

Leaf subagents retained the subagents tool, and subagent control requests were authorized against the parent requester scope rather than the caller's own spawned descendants. The control path prevented only self-targeting, not cross-sibling steering.

OpenClaw now removes subagents control access from leaf subagents by default, scopes subagent control to the caller's own descendants, and rejects steer and kill requests that target runs outside that descendant tree. The fix shipped in openclaw@2026.3.11.

Upgrade to 2026.3.11 or later.