Allowlisted commands still trigger approval prompts for complex arguments (2026.2.25)

[xrom2863]

Summary

In 2026.2.25, commands that are explicitly in the exec-approvals allowlist still trigger approval prompts when their arguments contain shell-like characters (backticks, $, backslashes, etc.).

Steps to reproduce

1. Set tools.exec.security=allowlist with ask=on-miss
2. Add /opt/homebrew/bin/gh to the allowlist (via Always Allow or exec-approvals.json)
3. Run a simple command: /opt/homebrew/bin/gh issue view 26044 --repo openclaw/openclaw → passes without approval ✅
4. Run a command with complex body: /opt/homebrew/bin/gh issue comment 26044 --repo openclaw/openclaw --body "Some text with \backticks` and $variables"` → triggers approval prompt ❌

Expected behavior

Once a binary path is explicitly allowlisted, it should be trusted regardless of argument content. The user has already made the trust decision by adding it to the allowlist.

Actual behavior

Allowlisted commands are re-evaluated based on argument content, triggering unexpected approval prompts for complex but legitimate arguments.

Impact

This undermines trust in the allowlist system. Users expect to build up a library of approved commands and not worry about them later. Unpredictable approval prompts for already-approved binaries create a "cry wolf" effect where users stop carefully reviewing approvals.

Suggestion

• Allowlisted binaries (explicit path match in exec-approvals.json) should bypass argument inspection
• Or at minimum, argument-based flags should be a separate, opt-in layer (e.g. strictArgCheck: true)
• The existing obfuscation detection for interpreters (python3 -c, perl -e) is reasonable — but extending it to all binaries seems overly broad

Environment

• OpenClaw 2026.2.25
• macOS 15.7.4 (arm64)
• Companion app: KatClaw (native macOS frontend)

[xrom2863]

Bump — no response since filing on Feb 26. Repro is straightforward:

1. Allowlist a binary (e.g. /usr/bin/git)
2. Run it with complex arguments (pipes, redirects, quoted strings)
3. Approval prompt still fires despite the binary being allowlisted

This affects KatClaw's "Always Allow" feature — users expect that allowlisting a binary means it's allowed regardless of arguments. The current behavior is confusing and generates unnecessary approval popups.

Tested on 2026.2.25, haven't verified if 2026.3.2 changed anything. Can retest if needed.

[xrom2863]

Still hitting this on 2026.3.13. Latest example: gog (Gmail CLI) is on the allowlist by full path, but every invocation triggers an approval prompt because the email body arguments contain shell-like characters (quotes, backticks, etc.).

This makes Moderate security mode impractical for any tool that passes rich text as arguments. The allowlist trust decision should apply to the binary, not its arguments.

Would love to see allowlisted binaries bypass argument inspection — or at minimum make it opt-in with a flag like strictArgCheck: true.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[xrom2863]

Still relevant — this continues to affect KatClaw users in Moderate security mode. Complex arguments (paths with spaces, quoted strings, flags with values) still trigger approval prompts even when the base command is allowlisted. Any update on this?

[xrom2863]

Bumping again — this is becoming more pressing as OpenClaw's security story matures.

SecretRef (Keychain-backed secrets) is already in main, and PathGuard (filesystem access control, PR #39764) is close to merging. Together with exec allowlists, these three form the security triad for safe agent deployment.

But the allowlist's inability to parse chained commands (&&, ||, |, ;) undermines the whole stack. An agent in Moderate mode can have PathGuard restricting file access and secrets locked in Keychain, but still gets unnecessary approval popups for perfectly safe command chains like:

/usr/bin/git add . && /usr/bin/git commit -m "update"

...even though both /usr/bin/git invocations are individually allowlisted.

Proposal: Parse shell operators and validate each command segment independently against the allowlist, rather than matching the entire string as one opaque entry. This would make Moderate mode practical for real-world agent workflows where chaining is the norm.

With SecretRef + PathGuard + proper exec allowlisting, OpenClaw would have a genuinely complete security model. Right now this is the gap.

[xrom2863]

@joshavant — would appreciate your eyes on this given your work on the secrets/security layer. This is the last piece of the puzzle for a complete security model alongside SecretRef and PathGuard.

[Ar3ss12]

@xrom2863
There's a big problem with banning commands, because they can all be bypassed using a command like python -c "command"
You've forgotten that PowerShell commands work the same way, and besides, nothing's stopping him from writing the code to a file and running it.

[xrom2863]

@Ar3ss12 Valid point — interpreter bypass is a fundamental limitation of command-level security. If /usr/bin/python3 is allowlisted, python3 -c "import os; ..." goes right through. Same with node -e, ruby -e, bash -c, etc.

But these are two different problems at two different layers:

1. Allowlist parsing (this issue) — chained commands like git add . && git commit trigger false approval prompts even when both binaries are allowlisted. This is a UX problem that makes Moderate mode impractical for everyday workflows.

2. Interpreter bypass (your point) — a fundamentally harder architecture problem. No command-level allowlist can fully solve this.

The real answer is defense in depth — which is exactly where the security triad comes in:

• PathGuard (your PR Feature/pathguard 39674 #39764) protects file access at the tool level, regardless of how creative the exec command gets. Even if an agent crafts an interpreter one-liner to read a file, PathGuard blocks the file operation independently.
• Exec allowlist blocks unknown binaries from running at all — reduces attack surface even if imperfect.
• SecretRef/Key Protection keeps secrets out of config files, so even reading openclaw.json reveals nothing useful.

No single layer is bulletproof. Together they make exploitation significantly harder. The interpreter bypass is actually one of the strongest arguments for PathGuard — it protects files even when exec gets creative.

Fixing the allowlist parsing here doesn't solve the interpreter problem, but it eliminates a real source of friction that pushes users toward Full Access mode (which bypasses everything). That's a net security loss.

[exisz]

Related: PR #60709 adds a tools.exec.obfuscationCheck: false config option that disables the obfuscation detection heuristic. While this doesn't fix the false positive patterns directly, it provides an opt-out for users who manage security through allowlists and standard approval flow.