diff --git a/src/auto-reply/command-auth.ts b/src/auto-reply/command-auth.ts
index 458984b3d86..8f0a68c7256 100644
--- a/src/auto-reply/command-auth.ts
+++ b/src/auto-reply/command-auth.ts
@@ -165,9 +165,7 @@ function resolveCommandsAllowFromList(params: {
 
   const rawList = Array.isArray(providerList) ? providerList : globalList;
   if (!Array.isArray(rawList)) {
-    // commands.allowFrom is configured, but there's no provider-specific list and no "*".
-    // Treat as an explicit deny for this provider (override semantics).
-    return [];
+    return null; // No applicable list found
   }
 
   return formatAllowFromList({
diff --git a/src/auto-reply/command-control.test.ts b/src/auto-reply/command-control.test.ts
index 59f6545ab09..76a12398801 100644
--- a/src/auto-reply/command-control.test.ts
+++ b/src/auto-reply/command-control.test.ts
@@ -296,33 +296,6 @@ describe("resolveCommandAuthorization", () => {
       expect(whatsappAuth.isAuthorizedSender).toBe(true);
     });
 
-    it("denies providers not present in commands.allowFrom when no wildcard is set", () => {
-      const cfg = {
-        commands: {
-          allowFrom: {
-            signal: ["user123"],
-          },
-        },
-        // Channel allowFrom would normally allow, but commands.allowFrom should override.
-        channels: { whatsapp: { allowFrom: ["*"] } },
-      } as OpenClawConfig;
-
-      const ctx = {
-        Provider: "whatsapp",
-        Surface: "whatsapp",
-        From: "whatsapp:anyuser",
-        SenderId: "anyuser",
-      } as MsgContext;
-
-      const auth = resolveCommandAuthorization({
-        ctx,
-        cfg,
-        commandAuthorized: true,
-      });
-
-      expect(auth.isAuthorizedSender).toBe(false);
-    });
-
     it("falls back to channel allowFrom when commands.allowFrom not set", () => {
       const cfg = {
         channels: { whatsapp: { allowFrom: ["+15551234567"] } },