Remove skill prelude exec allowlist

[jesse-merhi]

Summary

• Remove the skillPrelude exec allowlist compatibility path for cat SKILL.md && printf ... && <skill-wrapper> chains.
• Keep direct trusted skill wrapper execution allowed while making old skill prelude chains go through the normal approval flow.
• Add a changelog entry for the exec approvals behavior change.

This removes behavior introduced by #57839.

Why

The old compatibility path existed for agents that displayed a skill file through shell before running the skill wrapper, for example:

cat SKILL.md && printf '---CMD---' && <skill-wrapper> ...

That pattern is no longer the contract. Current skill instructions tell agents to load SKILL.md with the read tool, then run the actual skill executable. Keeping an exec-approval exception for the display prelude means allowlist evaluation has to recognize adjacent cat/printf commands and prove they reach a later trusted wrapper. That is extra command-chain policy for a legacy presentation pattern, not trust in the executable itself.

After this change, autoAllowSkills and explicit allowlist entries apply to the real skill command only. If an agent still emits the old prelude chain, the prelude commands are evaluated like any other shell commands instead of inheriting trust from the wrapper.

Verification

• pnpm docs:list
• TMPDIR="$(realpath "${TMPDIR:-/tmp}")" pnpm test -- src/infra/exec-approvals-analysis.test.ts src/agents/bash-tools.exec.approval-id.test.ts src/agents/system-prompt.test.ts
• pnpm tsgo:core
• pnpm tsgo:core:test
• pnpm exec oxfmt --check --threads=1 CHANGELOG.md src/agents/bash-tools.exec.approval-id.test.ts src/infra/exec-approvals-allowlist.ts src/infra/exec-approvals-analysis.test.ts src/infra/exec-approvals-analysis.ts
• git diff --check
• pnpm changed:lanes --json
• TMPDIR="$(realpath "${TMPDIR:-/tmp}")" pnpm check:changed

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR removes the legacy cat SKILL.md && printf ... && <skill-wrapper> exec-approval allowlist path, updates focused exec-approval tests, and adds a changelog entry.

Reproducibility: yes. Current-main source and tests show the old cat SKILL.md && printf ... && <wrapper> chain is accepted when it reaches a trusted wrapper; I verified this by source and test inspection rather than executing tests because the checkout review is read-only.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: The patch is narrow, source-aligned, and well-covered for normal review; the remaining issue is an intentional compatibility decision rather than a correctness defect.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external-contributor proof gate does not apply because this is a member-authored PR with the protected maintainer label; the PR body and ClawSweeper timeline provide targeted validation instead.

Risk before merge

• Existing allowlist setups with ask=off that still emit cat SKILL.md && printf ... && <skill-wrapper> will fail closed instead of auto-running until the agent switches to the read-tool-first flow or the operator explicitly allowlists the prelude commands.

Maintainer options:

1. Accept the hardening (recommended)
   Land the PR if maintainers intentionally accept that old skill-prelude chains now require normal approval or migration to the read-tool-first flow.
2. Keep a temporary bridge
   If upgrade friction is not acceptable, retain a bounded compatibility path or explicit deprecation mechanism and test both legacy and strict behavior.
3. Pause for runtime proof
   If supported agents may still emit the old chain, pause until a real skill invocation confirms the read-then-exec contract is active in the affected runtime.

Next step before merge
No repair job is needed; exact-head automerge or maintainer merge gates should own the intentional compatibility break.

Security
Cleared: The diff removes an exec approval compatibility exception and adds no dependencies, workflows, credential handling, package resolution changes, or downloaded execution path.

Review details

Best possible solution:

Land the narrow deletion through the existing maintainer/automerge gate if maintainers accept the compatibility break, preserving direct wrapper trust and the focused regression tests.

Do we have a high-confidence way to reproduce the issue?

Yes. Current-main source and tests show the old cat SKILL.md && printf ... && <wrapper> chain is accepted when it reaches a trusted wrapper; I verified this by source and test inspection rather than executing tests because the checkout review is read-only.

Is this the best way to solve the issue?

Yes, if maintainers accept the compatibility tradeoff. The PR removes the legacy special case, keeps direct wrapper execution covered, and aligns with the read-tool-first skill contract without adding another config path.

Label justifications:

• P2: This is normal-priority exec approval hardening with limited but real operator compatibility impact.
• merge-risk: 🚨 compatibility: Merging intentionally stops old skill-prelude wrapper chains from auto-running in setups that previously relied on the compatibility exception.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and The patch is narrow, source-aligned, and well-covered for normal review; the remaining issue is an intentional compatibility decision rather than a correctness defect.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Not applicable: The external-contributor proof gate does not apply because this is a member-authored PR with the protected maintainer label; the PR body and ClawSweeper timeline provide targeted validation instead.

What I checked:

• Current-main legacy behavior: Current main still has skillPrelude as an allowlist satisfaction kind and helper logic for recognizing cat <...>/SKILL.md plus marker prelude segments. (src/infra/exec-approvals-allowlist.ts:135, b79effefee92)
• Current-main prelude chain allowance: The existing source walks chained shell parts backwards and marks prelude-only entries as allowed when they reach a later trusted skill wrapper. (src/infra/exec-approvals-allowlist.ts:1333, b79effefee92)
• Current-main test proof: The current test suite explicitly expects cat SKILL.md && printf ... && <wrapper> to be allowlist-satisfied as ["skillPrelude", "skillPrelude", "allowlist"]. (src/infra/exec-approvals-analysis.test.ts:616, b79effefee92)
• Skill contract evidence: Current skill prompt contract tells agents to load a matching skill file with the read tool before following it, matching the PR's stated contract direction. (src/agents/skills/skill-contract.ts:50, b79effefee92)
• PR head source behavior: At the PR head, skillPrelude is gone from the satisfaction union and chained allowlist evaluation returns false on the first unsatisfied segment instead of granting a prelude exception. (src/infra/exec-approvals-allowlist.ts:134, 0ca7f3e8ef91)
• PR head test coverage: The PR head keeps direct wrapper execution covered without prompting and adds coverage that a legacy display prelude requires approval or fails allowlist evaluation when only the wrapper is allowlisted. (src/agents/bash-tools.exec.approval-id.test.ts:1231, 0ca7f3e8ef91)

Likely related people:

• scoootscooob: The legacy cat SKILL.md && printf ... prelude allowance appears to have been introduced in the merged shell-side exec guardrail work that this PR explicitly removes. (role: introduced behavior; confidence: high; commits: dd9d0bdd8ef6; files: src/infra/exec-approvals-allowlist.ts, src/infra/exec-approvals-analysis.test.ts, src/agents/bash-tools.exec.approval-id.test.ts)
• steipete: Recent exec-approval history shows repeated maintenance and test stabilization around the affected approval suites and allowlist behavior. (role: recent area contributor; confidence: medium; commits: 3455c857a02e, f76883d46c97, dd16080af788; files: src/agents/bash-tools.exec.approval-id.test.ts, src/infra/exec-approvals-allowlist.ts)
• vincentkoc: History shows adjacent exec-approval and allowlist type extraction work on the same source modules. (role: adjacent owner; confidence: medium; commits: d9a3ecd109ee, 2d53ffdec1da; files: src/infra/exec-approvals-allowlist.ts, src/infra/exec-approvals.ts, src/infra/exec-approvals.types.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against b79effefee92.

[Copilot]

Pull request overview

This PR tightens exec approval security semantics by removing the legacy “skill prelude” allowlist compatibility path (the cat SKILL.md && printf ... && <skill-wrapper> shell chain) while improving approval UX and hardening durable approval binding across gateway/node/macOS implementations.

Changes:

• Remove the skill-prelude allowlist compatibility behavior; only direct trusted skill wrapper execution is treated as trusted.
• Add request-scoped approval decisions and command-span highlighting in exec approval prompts (UI + gateway + macOS).
• Harden durable allow-always behavior by restricting when it can be offered/persisted and by incorporating additional binding context (cwd/env) plus safer shell-wrapper parsing.

Reviewed changes

Copilot reviewed 75 out of 75 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
ui/src/ui/views/exec-approval.ts	Render command spans + honor request-scoped allowed decisions
ui/src/ui/views/exec-approval.test.ts	UI unit coverage for spans + decision visibility
ui/src/ui/views/exec-approval.browser.test.ts	Browser coverage for span rendering
ui/src/ui/controllers/exec-approval.ts	Parse commandSpans + allowedDecisions from events
ui/src/ui/controllers/exec-approval.test.ts	Controller parsing tests for spans/decisions
ui/src/ui/app-gateway.node.test.ts	Gateway event routing coverage for commandSpans
ui/src/styles/components.css	Styling for highlighted command spans
src/node-host/invoke-system-run.ts	Gate durable exact approvals on allowlist analysis + bind persistence context
src/node-host/invoke-system-run-plan.ts	Safer shell/script operand detection (startup options, +o, clustered flags)
src/node-host/invoke-system-run-plan.test.ts	Coverage for new POSIX/fish startup/cluster parsing behaviors
src/node-host/invoke-system-run-allowlist.ts	Block exact durable approvals for unsafe wrapper/carrier contexts
src/node-host/exec-policy.ts	Update transport wrapper comment (/bin/sh -c)
src/infra/system-run-command.ts	Improved inline-command extraction for PowerShell/POSIX wrappers
src/infra/system-run-command.test.ts	Tests for inline-command extraction edge-cases
src/infra/shell-wrapper-resolution.ts	Wrapper resolution through carriers + safer PowerShell inline extraction
src/infra/shell-inline-command.ts	Expand inline-flag parsing (equals, clustered flags, stopAtFirstOperand)
src/infra/shell-inline-command.test.ts	Tests for new inline parsing behavior
src/infra/powershell-options.ts	Central PowerShell option/token helpers
src/infra/posix-shell-options.ts	Central POSIX shell startup/inline parsing helpers
src/infra/posix-shell-options.test.ts	Tests for POSIX shell option parsing helpers
src/infra/node-shell.ts	Use /bin/sh -c transport for non-Windows
src/infra/node-shell.test.ts	Update tests for /bin/sh -c
src/infra/fish-shell-options.ts	Fish startup/inline option detection helper
src/infra/fish-shell-options.test.ts	Tests for fish startup/inline detection
src/infra/exec-wrapper-resolution.ts	Re-export new wrapper/carrier helper APIs
src/infra/exec-wrapper-resolution.test.ts	Tests for new carrier/wrapper detection functions
src/infra/exec-command-resolution.test.ts	Update allowlist expectations for busybox login-shell case
src/infra/exec-approvals.ts	Durable approval binding changes + allowed decision resolution changes
src/infra/exec-approvals-store.test.ts	Tests for durable approvals bound to cwd/env + normalization behavior
src/infra/exec-approvals-policy.test.ts	Update durable pattern tests to new hashing scheme
src/infra/exec-approvals-analysis.ts	Remove skillPrelude from satisfaction types + tag analysis sources
src/infra/exec-approvals-analysis.test.ts	Remove skill prelude allowlist path + expand safe wrapper fixtures
src/infra/exec-approval-forwarder.test.ts	Extend forwarded approval text helper to allow request overrides
src/infra/command-explainer/types.ts	Add executableSpan for command steps
src/infra/command-explainer/index.ts	Export formatCommandSpans
src/infra/command-explainer/format.ts	Convert explainer executable spans into exec approval spans
src/infra/command-explainer/format.test.ts	Tests for span formatting behavior
src/infra/command-explainer/extract.ts	Populate executableSpan + detect shared carrier inline-eval
src/infra/command-explainer/extract.test.ts	Update tests for attached inline flags parsing behavior
src/infra/command-carriers.ts	Track sudo/doas/env/exec metadata for safer wrapper detection
src/infra/approval-view-model.test.ts	Coverage for approval view commandAnalysis pass-through
src/gateway/server-methods/server-methods.test.ts	Validation + allowedDecisions/commandSpans behavior coverage
src/gateway/server-methods/exec-approval.ts	Propagate allowedDecisions + commandSpans; improved unavailable-decision errors
src/gateway/protocol/schema/exec-approvals.ts	Add commandSpans + allowedDecisions to request schema
src/agents/bash-tools.exec.approval-id.test.ts	Update tests for durable approval patterns + skill prelude behavior
src/agents/bash-tools.exec-host-shared.ts	Helper for persistence-scoped allowed decisions
src/agents/bash-tools.exec-host-shared.test.ts	Tests for persistence-scoped decisions helper
src/agents/bash-tools.exec-host-node.ts	Advertise allowedDecisions based on durable persistence availability
src/agents/bash-tools.exec-host-node.test.ts	Node-host tests updated for new decisions + durable binding
src/agents/bash-tools.exec-host-node-phases.ts	Derive allowAlwaysAvailable + bind durable checks to sanitized env/cwd
src/agents/bash-tools.exec-host-gateway.ts	Disable allow-always when persistence unavailable; bind durable persistence context
src/agents/bash-tools.exec-host-gateway.test.ts	Gateway-host tests for allowAlwaysAvailable + unsafe startup shells
src/agents/bash-tools.exec-approval-request.ts	Send commandSpans + allowedDecisions; lazy-load explainer runtime
src/agents/bash-tools.exec-approval-request.test.ts	Tests for lazy import + spans + allowedDecisions propagation
src/agents/bash-tools.exec-approval-request.runtime.ts	Runtime span resolution via command explainer
extensions/canvas/src/host/a2ui/.bundle.hash	Bundle hash update
docs/tools/exec.md	Document autoAllowSkills applies to real executables only
docs/tools/exec-approvals.md	Document no special-casing of skill file preambles
docs/.generated/plugin-sdk-api-baseline.sha256	Plugin SDK API baseline hash update
CHANGELOG.md	Changelog entries for skill prelude removal + UI highlighting
apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift	Swift protocol model includes commandSpans
apps/macos/Tests/OpenClawIPCTests/ExecHostRequestEvaluatorTests.swift	Tests for unavailable allow-always + exact durable allow-always
apps/macos/Tests/OpenClawIPCTests/ExecApprovalPromptLayoutTests.swift	Tests for request-scoped decisions + deny preservation
apps/macos/Tests/OpenClawIPCTests/ExecAllowlistTests.swift	Durable pattern binding tests + unsafe wrapper rejection tests
apps/macos/Sources/OpenClaw/NodeMode/MacNodeRuntime.swift	Persist durable approvals with cwd/env + enforce allowed decisions
apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift	Add env sanitizer for durable-binding context
apps/macos/Sources/OpenClaw/ExecShellWrapperParser.swift	Safer POSIX inline extraction (no -lc shortcut)
apps/macos/Sources/OpenClaw/ExecHostRequestEvaluator.swift	Deny unavailable decisions (e.g., allow-always when not available)
apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift	Request-scoped decisions in native prompt + mapping to buttons
apps/macos/Sources/OpenClaw/ExecApprovals.swift	Durable command approval helper + allowlist entry source support
apps/macos/Sources/OpenClaw/ExecApprovalEvaluation.swift	Durable exact approvals + binding env/cwd incorporated in evaluation

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Gilded Patch Peep

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: hums during re-review.
Image traits: location CI tidepool; accessory commit compass; palette sunrise gold and clean white; mood focused; pose sitting proudly on a smooth stone; shell soft speckled shell; lighting moonlit rim light; background subtle branch markers.
Share on X: post this hatch
Copy: My PR egg hatched a 🌱 uncommon Gilded Patch Peep in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[jesse-merhi]

/clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=0ca7f3e8ef9121dda2da9084f7e286f9d5dea436)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-21T01:03:36Z
Merge commit: e964987cd20e

What merged:

• The PR removes the legacy cat SKILL.md && printf ... && <skill-wrapper> exec-approval allowlist path, updates focused exec-approval tests, and adds a changelog entry.
• Reproducibility: yes. Current-main source and tests show the old cat SKILL.md && printf ... && <wrapper> c ... ed this by source and test inspection rather than executing tests because the checkout review is read-only.

Automerge notes:

• PR branch already contained follow-up commit before automerge: Remove skill prelude exec allowlist

The automerge loop is complete.

Automerge progress:

• 2026-05-21 00:38:10 UTC review queued 95cd4bfdf655 (queued)

• 2026-05-21 00:45:20 UTC review passed 95cd4bfdf655 (structured ClawSweeper verdict: pass (sha=95cd4bfdf65598e62c0eb6cdf52f2e1f092fa...)

• 2026-05-21 00:45:39 UTC repair queued 95cd4bfdf655 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220

• 2026-05-21 00:48:17 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220 automerge-openclaw-openclaw-84570

• 2026-05-21 00:48:29 UTC validation plan (passed) in 13s Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-21 00:48:34 UTC Codex write preflight (passed) in 18s Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220 danger-full-access

• 2026-05-21 00:54:22 UTC Codex edit 1 9b6fba4aa141 (complete) in 6m 5s Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220 exit 0

• 2026-05-21 00:57:27 UTC validation and review 1 0ca7f3e8ef91 (complete) in 9m 10s Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220 already-current

• 2026-05-21 00:57:33 UTC repair completed 0ca7f3e8ef91 (branch updated) in 9m 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220 initial automerge rebase is delegated to Codex repair

• 2026-05-21 00:57:33 UTC review queued 0ca7f3e8ef91 (after repair)

• 2026-05-21 01:03:24 UTC automerge wait 0ca7f3e8ef91 (ready) in 15m 7s Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220 checks and exact-head review are ready

• 2026-05-21 01:03:25 UTC repair finished 0ca7f3e8ef91 (pushed) in 15m 9s Run: https://github.com/openclaw/clawsweeper/actions/runs/26198581220 repair_contributor_branch

• 2026-05-21 01:03:22 UTC review passed 0ca7f3e8ef91 (structured ClawSweeper verdict: pass (sha=0ca7f3e8ef9121dda2da9084f7e286f9d5dea...)

• 2026-05-21 01:03:37 UTC merged 0ca7f3e8ef91 (merged by ClawSweeper automerge)