Feature: Add denylist support for exec-approvals

[aaroneden]

Summary

Add denylist support to exec-approvals, complementing the existing allowlist. This enables "allow everything except X" policies.

Use Case

I want to:

• Allow all commands to run without prompts
• Except block/prompt for specific dangerous commands like:
  • gog gmail send (sending emails)
  • gog gmail delete (deleting emails)
  • beeper-send.sh (sending messages)

Currently, exec-approvals only supports:

• security: "deny" - block all
• security: "allowlist" - allow only listed commands
• security: "full" - allow everything

There's no way to say "allow everything except these specific patterns."

Proposed Solution

Add a denylist array to exec-approvals config:

{
  "defaults": {
    "security": "denylist",
    "ask": "on-match",
    "denylist": [
      {
        "id": "DENY-EMAIL-SEND",
        "pattern": "/opt/homebrew/bin/gog",
        "argsMatch": "gmail send",
        "reason": "Sending emails requires approval"
      },
      {
        "id": "DENY-EMAIL-DELETE",
        "pattern": "/opt/homebrew/bin/gog", 
        "argsMatch": "gmail delete",
        "reason": "Use 'gmail archive' instead"
      },
      {
        "id": "DENY-BEEPER-SEND",
        "pattern": "*/beeper-send.sh",
        "reason": "Sending messages requires approval"
      }
    ]
  }
}

Key additions:

• security: "denylist" mode - allow everything except matches
• argsMatch field - match against command arguments, not just binary path
• ask: "on-match" - prompt when denylist matches (vs blocking outright)

Current Workarounds

1. Use security: "full" and hope agent guardrails work (unreliable)
2. Use security: "allowlist" with a massive list of safe commands (tedious)
3. Create wrapper scripts (fragile)

Environment

• OpenClaw 2026.1.30
• macOS

[SmallNew2003]

+1 for this feature!

My use case is slightly different but the same need:

• Allow all common commands to run freely
• Block only extremely dangerous disk operations: dd, mkfs.*, fdisk, parted, wipefs, etc.

Currently using a massive allowlist (300+ commands) as a workaround, but it's tedious to maintain and easy to miss edge cases.

A denylist mode would be much more practical for "allow everything except these few dangerous patterns" scenarios.

[AUTHENSOR]

This is a common pain point. The allow-everything-except pattern is what most developers actually want, because maintaining an exhaustive allowlist is impractical and a full deny breaks the workflow.

Your proposed denylist approach is solid. A few thoughts from building a similar system:

Pattern matching on arguments, not just binary paths, is the right call. The same binary (gog) can be safe or dangerous depending on arguments. Matching on the full command string with regex gives you the granularity you need without maintaining separate entries for every subcommand.

The tri-state model (allow / deny / require-approval) covers more ground than just deny. Your ask: "on-match" is essentially "require-approval," which is the right default for most denylist matches. Hard-deny should be reserved for things that are never acceptable (like rm -rf / or posting credentials). Everything else benefits from a human confirmation step rather than a hard block, because sometimes the agent has a legitimate reason.

Deny-by-default is safer than denylist-by-default. With a denylist approach, anything you forgot to add is allowed. With deny-by-default, anything you forgot to add is blocked. The tradeoff is more upfront config work, but it means a novel attack vector does not automatically get through. Worth considering as an option alongside the denylist mode.

Credential file patterns deserve special handling. Regardless of the security mode, access to .env, .aws/credentials, *.pem, and similar files should probably be blocked by default. These are the most common real-world incidents with AI agents, and they are almost never something you want to allow.

For reference, SafeClaw implements this as a standalone policy engine with YAML-defined rules. Policies support allow/deny/require-approval per action type with regex pattern matching on arguments. It evaluates in sub-millisecond and logs every decision to an audit trail. The deny-by-default model means the config starts safe and you explicitly open up what the agent needs.

The argsMatch field in your proposal is the right abstraction. One suggestion: support full regex rather than just substring matching. Patterns like gmail (send|delete|trash) are more maintainable than separate entries for each subcommand.

[ai-cre]

CRE has this. always_block patterns in rules.json with regex matching. Plus always_allow and needs_llm_review layers. Works as OpenClaw plugin. https://github.com/tech-and-ai/claude-rule-enforcer

[Artyomkun]

Comment:

This is a well-defined, one-day task — denylist support for exec-approvals.

• ✅ Clear use case
• ✅ Existing workarounds (300+ allowlist entries) prove the need
• ✅ Community discussion already shaped the design (argsMatch, ask/deny)
• ✅ Reference implementation exists (CRE plugin)

Next step: Someone pick this up and open a PR. It's not complex, just needs implementing.

Let's close this after a PR is merged. 🔧