Feature: exec approvals — command-content deny patterns (not just binary path)

[blortski]

Summary

When security: allowlist is configured for exec approvals, patterns match against the resolved binary path (e.g., /bin/zsh). This means an agent can bypass the allowlist by running dangerous commands through an allowed shell:

exec: zsh -c "openclaw gateway stop"

/bin/zsh matches the allowlist, so the command executes — even though openclaw gateway stop should be blocked.

Requested Feature

Add deny patterns that match against the full command string, not just the binary path. These would be evaluated before the allowlist and would block matching commands regardless of how they're invoked.

Example config in exec-approvals.json:

{
  "agents": {
    "main": {
      "denylist": [
        { "pattern": "*openclaw gateway*" },
        { "pattern": "*npm install*openclaw*" },
        { "pattern": "*launchctl bootout*" }
      ],
      "allowlist": [...]
    }
  }
}

Use Case

An AI agent that runs inside the gateway needs shell access (zsh, bash) for legitimate work, but must be mechanically prevented from stopping/restarting the gateway it lives inside of. Soft rules (system prompt instructions) are insufficient — the agent has crashed its own gateway multiple times by bypassing written procedures under momentum pressure.

Current Workaround

• System prompt keyword scanning (agent checks for dangerous keywords before exec calls)
• Written rules in agent identity files
• These are soft guardrails only — not mechanical enforcement

Environment

• OpenClaw 2026.3.7
• macOS, launchd-managed gateway with KeepAlive
• Agent uses security: allowlist with ask: on-miss and askFallback: deny

[ai-cre]

This resonates. I hit the same wall - agents bypassing written procedures under "momentum pressure" is exactly what prompt-based rules can't stop. I built an open source two-layer gate for this: Layer 1 does content-level regex matching on the actual command string (not just binary paths), blocks in under 10ms. Layer 2 sends ambiguous commands to an LLM that reads the live conversation and checks "did the user actually ask for this?" Repeated L2 blocks auto-promote to L1 rules. https://github.com/tech-and-ai/claude-rule-enforcer - would be interested to see if the pattern works for OpenClaw's exec pipeline too.

[AzraelJi]

This blacklist interception is very important because there are simply too many whitelist lists

[ai-cre]

CRE does command-content deny patterns with regex. L1 matches against command content, not just binary paths. Fork bombs, disk wipes, force pushes, self-modification all blocked by pattern. https://github.com/tech-and-ai/claude-rule-enforcer

[ai-cre]

This bypass is exactly what CRE catches. CRE matches against the full command string, not the binary path. So zsh -c 'openclaw gateway stop' gets matched against deny patterns for 'openclaw gateway' regardless of how it's invoked. L1 regex runs on the raw command content in under 10ms. https://github.com/tech-and-ai/claude-rule-enforcer

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as duplicate of #6615: current main still lacks exec-approval denylist support, and the older open issue tracks denylist plus argument/content matching; this issue adds useful shell-wrapper context for that canonical thread.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Review details

Best possible solution:

Track denylist/full-command matching design in #6615, preserving this issue's deny-before-allowlist shell-wrapper bypass example as an implementation requirement.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows the missing denylist/config path and the existing executable-path allowlist behavior; a live gateway run was not needed to confirm the requested feature is absent.

Is this the best way to solve the issue?

Yes for cleanup. The narrowest maintainer action is to close this duplicate and keep the older open denylist issue as canonical, while preserving this report's concrete shell-wrapper security case there.

Security review:

Security review needs attention: The command-content authorization concern is real, but it should be handled through the canonical denylist/security-design issue rather than a separate duplicate thread.

• [medium] Command-content denylist remains unimplemented — src/infra/exec-approvals.ts:158
  Current exec approvals expose allowlist-only matching and no denylist field, so command-content blocking still needs design and implementation in the canonical tracker.
  Confidence: 0.86

What I checked:

• current policy modes: Exec security currently normalizes only deny, allowlist, and full; there is no denylist security mode. (src/infra/exec-approvals.ts:23, ac1e56f4ec48)
• current config shape: Per-agent exec approvals expose allowlist?: ExecAllowlistEntry[] but no denylist field. (src/infra/exec-approvals.ts:158, ac1e56f4ec48)
• allowlist matching behavior: matchAllowlist matches allowlist entries against the resolved executable path; argPattern is explicitly gated to Windows, so it does not provide the requested macOS full-command deny guard. (src/infra/exec-command-resolution.ts:342, ac1e56f4ec48)
• documented allowlist boundary: The advanced exec approvals docs describe allowlists as resolved executable path globs or bare command-name globs and state that arguments are otherwise the operator's responsibility. Public docs: docs/tools/exec-approvals-advanced.md. (docs/tools/exec-approvals-advanced.md:105, ac1e56f4ec48)
• canonical related issue: Feature: Add denylist support for exec-approvals #6615 is open and requests exec-approval denylist support with argument/content matching, which covers the same remaining product surface as this report; feat():The exec-approvals file now includes a blacklist feature. #47848 attempted a blacklist feature but was closed unmerged.

Likely related people:

• Peter Steinberger: Current blame and shortlog for the exec-approval policy, allowlist matcher, gateway host approval path, and docs point to Peter Steinberger through commit 7857dfa. (role: recent maintainer; confidence: medium; commits: 7857dfabcc6b; files: src/infra/exec-approvals.ts, src/infra/exec-approvals-allowlist.ts, src/infra/exec-command-resolution.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against ac1e56f4ec48.