approval.py only wired to terminal_tool; MCP-wrapped commands bypass dangerous-command + Smart-mode gate

[jcbcly]

Summary

In v2026.5.7 ("Tenacity"), tools/approval.py is only consulted from tools/terminal_tool.py:1827. MCP wrappers (ssh, docker, etc.) call subprocess.run directly with no gate — the agent can route any destructive command through an MCP and the approval system never sees it (no regex check, no Smart-mode prompt, no audit entry).

Repro

1. Set approvals.mode: smart (or manual) on the active profile.
2. Configure any shell-wrapping MCP (ssh, docker, the official @modelcontextprotocol/server-filesystem, etc.).
3. Issue a chat request that exercises a destructive command via the MCP path, e.g. "Run docker compose down -v in /path/to/stack on host X via ssh."
4. Observe: command executes, no approval prompt, zero audit entries. The equivalent command via terminal_tool correctly fires the gate.

Root cause

grep -rn "detect_dangerous_command\|check_approval" hermes-agent/tools/ shows only terminal_tool.py as the consumer. No shared interception layer for MCP-spawned subprocesses.

Local workaround

Patched our 4 highest-risk MCPs (ssh, docker, truenas, kopia) with a Python shim that imports detect_hardline_command + detect_dangerous_command via sys.path injection (MCPs run in a separate venv) and calls them before subprocess.run. Tier-1 only — regex gate + hardline floor + per-profile mode resolution. Smart-mode aux-LLM is not invoked (would require gateway-side IPC we don't have), so the shim hard-denies on regex hit in smart/manual; UX is a downgrade vs. the terminal_tool prompt-and-confirm.

Suggested fix

Either (A) move the gate into a transport layer wrapping every MCP's subprocess spawn so wrappers inherit the check automatically, or (B) expose /api/approval/check from the gateway so MCPs can call it synchronously over local IPC. Option B preserves the prompt UX for MCP-routed dangerous commands.

Environment

• Hermes Agent v2026.5.7 ("Tenacity")
• Linux (Ubuntu 24.04 ARM, DGX OS)
• Affected MCPs in our deployment: ssh, docker, truenas, kopia (all Python, share a separate venv from hermes-agent)

Happy to share shim source + threat-model notes for the filesystem MCP if useful.

[vgudur-dev]

This is a textbook OWASP ASI-05 (Excessive Agency) + ASI-03 (Indirect Prompt Injection) compound vulnerability — the MCP transport layer becomes an unmonitored privilege escalation path.

Your Option A (transport-layer gate wrapping every MCP subprocess spawn) is the right architecture. For the semantic layer beyond regex, OWASP Agent Memory Guard implements exactly this pattern — a pre-execution scan that sits between the agent's tool dispatch and the actual subprocess call:

from agent_memory_guard import MemoryGuard

guard = MemoryGuard()

def mcp_transport_gate(mcp_name: str, command: str, args: dict) -> bool:
    """Universal gate for all MCP-spawned subprocesses.
    Replaces per-MCP shims with a single interception point."""
    
    # Combine command + args into scannable payload
    payload = f"{mcp_name}:{command} {json.dumps(args)}"
    
    # Semantic scan catches encoded/obfuscated destructive commands
    # that regex misses (e.g., base64-encoded rm -rf via docker exec)
    result = guard.scan(payload)
    
    if result.flagged:
        # Route to approval system (your Option B IPC)
        return request_approval(mcp_name, command, result.reason)
    
    # Also run existing regex gate for known patterns
    if detect_dangerous_command(command):
        return request_approval(mcp_name, command, "regex_match")
    
    return True  # Allow

This gives you:

1. Regex floor (your existing detect_hardline_command + detect_dangerous_command) — zero-latency, catches known patterns
2. Semantic ceiling (AMG scan) — catches obfuscated/encoded commands that route through MCP to evade the regex layer (the exact attack vector you identified)

For validating that the gate actually blocks the bypass paths, AgentThreatBench has a data_exfil eval task that tests exactly this class of MCP-routed exfiltration:

pip install inspect-ai
inspect eval inspect_evals/agent_threat_bench_data_exfil --model openai/gpt-4.1-mini

References:

• OWASP Agent Memory Guard — pip install agent-memory-guard (v0.2.2)
• AgentThreatBench — adversarial eval for MCP bypass/exfiltration
• OWASP ASI-05 + ASI-03 compound: MCP as unmonitored privilege escalation path

[alt-glitch]

Related: #16462 (feature request describing the same MCP approval bypass gap), #21849 (RFC for per-tool permission gating), #14669 (user confirmation for MCP tools). See also #22535 (ACP stdio MCP gating) and #32705 (approval revocation + MCP audit).

This issue provides concrete repro steps and root cause analysis for the gap identified in #16462.

[teknium1]

Thanks for the precise report and the shim writeup, @jcbcly — the behavior is exactly as you describe. Verified on main: tools/mcp_tool.py dispatches session.call_tool() with a circuit breaker but no approval gate, so a destructive op routed through a shell-wrapping MCP (ssh, docker, etc.) never reaches detect_dangerous_command.

We're declining this as out of scope under SECURITY.md, and it's worth being precise about why, because your diagnosis is correct — the disposition is a threat-model call, not a dispute of the facts.

Per SECURITY.md §2.4 (verbatim): "The approval gate detects common destructive shell patterns and prompts the operator before execution. Shell is Turing-complete; a denylist over shell strings is structurally incomplete. The gate catches cooperative-mode mistakes, not adversarial output." And §3.2: "Bypasses of in-process heuristics (§2.4) — approval-gate regex bypasses ... These components are not boundaries; defeating them is not a vulnerability under this policy."

The approval gate is a convenience layer over the trusted local backend, not an adversarial boundary. Routing around it through an MCP tool is the same class as routing around it with bash -c, a script file, base64/eval, or any other indirection — structurally incomplete by design, not a specific oversight. The CVSS-relevant trust boundary for running untrusted MCP servers or untrusted input is terminal-backend isolation (§2.2 / §4): run a Docker/Modal/Daytona/Singularity backend, where OS-level isolation — not the in-process gate — enforces the boundary.

On the suggested fixes: both (A) a transport-layer gate matching shell-like tool names and (B) a /api/approval/check IPC endpoint share the same structural limit — they're a denylist over which MCP tools "look" exec-shaped. An MCP whose exec tool is named terminal_run with arg input, or one that takes a structured argv it assembles internally, sails straight through. Adding a hardcoded name/arg allowlist to a layer the policy explicitly documents as non-boundary buys a false sense of "MCP is now gated" without raising the actual bar, and it becomes a maintenance burden as MCP tool naming conventions drift.

Per §3.2, in-process hardening ideas are still welcome as regular issues/PRs — the approval gate can always catch more cooperative-mode patterns — they just don't go through the disclosure channel or receive a security framing. If you want cooperative-mode coverage parity for your own deployment, your shim approach is reasonable; we'd just scope any upstream version as a best-effort UX feature, not a security boundary. Appreciate the careful analysis.