OpenShell should fail fast on malformed generated commands and hard-abort repeated tool loops

[Kaspnov]

Summary

OpenShell currently accepts clearly malformed/generated shell commands and hands them to /bin/sh; repeated identical failed tool calls are only warned on rather than hard-aborted. In a chat-surface session this can create a long-running “typing/processing” wedge when a model repeatedly emits malformed commands derived from executable-looking placeholder text.

Observed behaviour

During a chat session using openai-codex/gpt-5.5 as the default model, the assistant repeatedly attempted malformed shell/tool commands. The runtime passed these through far enough that the turn did not fail fast. The loop detector warned after repeated identical tool calls, but did not abort the turn.

Examples of command patterns that should be rejected before shell execution:

• literal placeholder tokens in executable positions or args, e.g. <name>, <workflow-id>
• unclosed quotes
• trailing escapes
• unterminated backticks / command substitutions

One contributing source was bundled skill/help text containing executable-looking placeholder examples such as workflow install <name> and workflow run <workflow-id> "<task>". The model copied the placeholders literally.

Expected behaviour

OpenShell should fail closed before invoking /bin/sh when the command contains obviously non-runnable generated placeholders or malformed shell syntax.

Repeated identical tool calls in a single turn should hard-abort the turn after the configured threshold rather than only warning, especially when the repeated call is failing or malformed.

Why this matters

This is not model-specific. GPT-5.5 made the issue visible, but the runtime should guard against any model emitting placeholder/syntax-garbage commands. Without fail-fast behaviour, a chat surface can appear wedged and keep showing a long-running processing state.

Local mitigation tested

A local runtime patch added preflight rejection for:

• literal <placeholder> tokens
• unclosed quotes
• trailing backslash escapes
• unterminated backticks

and changed repeated identical tool-call detection from warn-only to hard-abort. After restart, openclaw health --json returned live/ready and chat replies recovered.

Suggested fix

1. Add OpenShell preflight validation before shell invocation for generated-command hazards.
2. Treat repeated identical tool calls as a hard turn-abort after threshold, with a clear user-visible/tool-visible error.
3. Consider linting bundled skills/help examples so placeholder commands are not presented in a copy-executable form unless clearly quoted as non-runnable syntax.

Environment

• OpenClaw installed via package manager
• Host OS: macOS arm64
• Default model at time: openai-codex/gpt-5.5

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still lacks OpenShell/SSH exec preflight for malformed generated command text, while the repeated-tool hard-abort part overlaps related open loop-detection work in #58726, #56403, and #60248.

Reproducibility: yes. for source reproduction: a command such as workflow install <name> or an unterminated quote flows through OpenShell prepareExec into the SSH /bin/sh -c wrapper without validation. I did not run a live OpenShell session because this review was read-only.

Next step
Safe candidate for the OpenShell preflight portion only; the broader repeated-loop policy should stay with the linked loop-detection items.

Review details

Best possible solution:

Add narrow OpenShell/SSH exec-command validation before remote shell invocation, and leave generic repeated-tool abort policy to the existing loop-detection cluster.

Do we have a high-confidence way to reproduce the issue?

Yes for source reproduction: a command such as workflow install <name> or an unterminated quote flows through OpenShell prepareExec into the SSH /bin/sh -c wrapper without validation. I did not run a live OpenShell session because this review was read-only.

Is this the best way to solve the issue?

Yes, with a split boundary. The narrow maintainable fix is OpenShell/SSH exec preflight; enabling or hard-aborting generic repeated tool calls should be resolved through the linked loop-detection items.

Acceptance criteria:

• pnpm test extensions/openshell/src/openshell-core.test.ts src/agents/sandbox/ssh.test.ts
• pnpm exec oxfmt --check --threads=1 extensions/openshell/src/backend.ts extensions/openshell/src/openshell-core.test.ts src/agents/sandbox/ssh.ts src/agents/sandbox/ssh.test.ts CHANGELOG.md
• pnpm check:changed via Testbox before handoff if code/tests changed

What I checked:

• current_main_checked: Checked the read-only worktree on current main; it remained clean at a4c1c28. (a4c1c28a1731)
• openshell_exec_accepts_raw_command: OpenShell prepareExec forwards params.command directly into buildExecRemoteCommand after sandbox setup, with no placeholder or shell-syntax preflight in this path. (extensions/openshell/src/backend.ts:222, a4c1c28a1731)
• ssh_wrapper_delegates_to_shell: The shared SSH helper builds cd && params.command and passes the result as /bin/sh -c body, so malformed generated shell text still reaches the remote shell wrapper. (src/agents/sandbox/ssh.ts:82, a4c1c28a1731)
• tests_cover_wrapping_not_rejection: Current OpenShell/SSH tests assert env/workdir wrapping for normal commands, but there is no rejection coverage for , , unclosed quotes, trailing escapes, or unterminated substitutions. (extensions/openshell/src/openshell-core.test.ts:61, a4c1c28a1731)
• generic_repeat_still_warn_only: Loop detection remains disabled by default, and the generic_repeat detector is still explicitly warning-only once warningThreshold is reached. (src/agents/tool-loop-detection.ts:33, a4c1c28a1731)
• warnings_do_not_block: runBeforeToolCallHook blocks only critical loop results; warning-level loop results are logged and execution continues. (src/agents/pi-tools.before-tool-call.ts:424, a4c1c28a1731)

Likely related people:

• steipete: Peter Steinberger introduced the OpenShell sandbox backend, remote OpenShell mode, and core SSH sandboxing that define the affected command-exec boundary. (role: introduced behavior and likely follow-up owner; confidence: high; commits: d8b927ee6a9f, ae7f18e5033d, b8bb8510a2a3; files: extensions/openshell/src/backend.ts, src/agents/sandbox/ssh.ts, src/agents/sandbox/ssh-backend.ts)
• vincentkoc: Vincent Koc recently split OpenShell backend types and reduced SSH import seams touching the central files for this boundary. (role: recent adjacent maintainer; confidence: medium; commits: ce32697250d5, 7198a9f0eeed; files: extensions/openshell/src/backend.ts, extensions/openshell/src/backend.types.ts, src/agents/sandbox/ssh.ts)
• Sk Akram: Sk Akram introduced the stuck-loop detection and backoff infrastructure relevant to the repeated-tool half of the report. (role: adjacent loop-detection feature history; confidence: medium; commits: e5eb5b3e43d7; files: src/agents/tool-loop-detection.ts, src/agents/tool-loop-detection.test.ts, src/agents/pi-tools.before-tool-call.ts)

Remaining risk / open question:

• The global repeated-tool hard-abort policy overlaps open loop-detection items and should not be mixed into an OpenShell-only repair without maintainer judgment.
• Preflight rules need to stay narrow so legitimate shell syntax such as intentional redirection or literal angle-bracket arguments is not rejected accidentally.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a4c1c28a1731.