openclaw - 💡(How to fix) Fix [Bug]: exec tool security/ask parameter not ignored for normal tool calls despite documentation



Bug type

Documentation vs implementation mismatch (security regression)

Summary

The exec tool documentation states that the security parameter is "Ignored for normal tool calls", but the runtime implementation honors model-passed security and ask parameters via minSecurity()/maxAsk() merge, making it impossible to prevent models (especially GPT-5.5) from triggering approval flows.

Steps to reproduce

  1. Configure tools.exec.security: "full" and tools.exec.ask: "off" (or run openclaw exec-policy preset yolo)
  2. Set exec-approvals.json defaults to security: "full", ask: "off", askFallback: "full"
  3. Use GPT-5.5 as model (it frequently passes ask: "on-miss" + security: "allowlist" in exec tool calls)
  4. Agent attempts any exec with heredoc (python3 - <<PY ... PY)
  5. Approval is triggered every time: "Warning: heredoc execution requires explicit approval in allowlist mode."

Expected behavior

Per docs:

security: Ignored for normal tool calls. gateway / node security is controlled by tools.exec.security and ~/.openclaw/exec-approvals.json

Model-passed security and ask parameters should be ignored for non-elevated exec calls. The configured policy should be authoritative.

Actual behavior

In bash-tools-MqL7r1OX.js (v2026.5.7):

// Line 1943
let security = minSecurity(configuredSecurity, normalizeExecSecurity(params.security) ?? configuredSecurity);
// Line 1946  
let ask = maxAsk(configuredAsk, normalizeExecAsk(params.ask) ?? configuredAsk);

params.security and params.ask come directly from the model tool call arguments. minSecurity takes the stricter value, so model-passed allowlist always wins over configured full. maxAsk takes the stricter value, so model-passed on-miss always wins over configured off.

Additionally, requiresHeredocApproval is checked when hostSecurity === "allowlist", creating an unavoidable approval for any heredoc command.

Why this matters

GPT-5.5 frequently auto-fills the security and ask optional parameters in exec tool calls (observed in ~50% of calls). Once the model sees an approval-pending response in its context, it begins consistently passing these parameters in all subsequent calls, creating an approval storm that makes the agent unusable.

No configuration (tools.exec.*, exec-approvals.json defaults, exec-policy preset yolo, or * allowlist wildcard) can prevent this because the merge logic always honors the model's stricter choice.

Proposed fix

For non-elevated exec calls, ignore params.security and params.ask — use only the configured/resolved policy:

// Only honor model-passed security/ask when elevated
let security = elevatedRequested ? minSecurity(configuredSecurity, ...) : configuredSecurity;
let ask = elevatedRequested ? maxAsk(configuredAsk, ...) : configuredAsk;

This aligns with the documentation and prevents models from overriding operator security policy.

Environment

  • OpenClaw: 2026.5.7
  • OS: macOS 26.4.1 (arm64)
  • Model: GPT-5.5 (via OpenAI provider)
  • Gateway: local, loopback, token auth
  • Exec policy: YOLO preset applied (security: full, ask: off, askFallback: full)

Related issues

  • #58881 (tools.exec.ask=off ignored — same family)
  • #58691 (canonical tracker for exec policy precedence)
  • #59510 (simplify exec approval process)
  • Comment by @madsmith in #58691: "the LLM can, and likely will, generate an exec tool call that auto-fills in security"
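
The merge behaviour reported above and the proposed change, side by side, as an added example (not OpenClaw's code and not part of the original issue). The level orderings, the "deny" and "always" levels, the `normalize` helper and `findPolicyDrift` are assumptions made for illustration; the sample tool calls are constructed.

```javascript
// Added illustration, not OpenClaw source. Level names beyond those quoted in
// the issue ("deny", "always") and both orderings are assumptions.
const SECURITY = ["deny", "allowlist", "full"]; // strictest -> most permissive
const ASK = ["off", "on-miss", "always"];       // least -> most prompting

// Hypothetical stand-in for normalizeExecSecurity / normalizeExecAsk.
const normalize = (levels, v) =>
  typeof v === "string" && levels.includes(v.trim().toLowerCase())
    ? v.trim().toLowerCase()
    : undefined;
// Stricter-wins merges, as the issue describes minSecurity() and maxAsk().
const minSecurity = (a, b) => (SECURITY.indexOf(a) <= SECURITY.indexOf(b) ? a : b);
const maxAsk = (a, b) => (ASK.indexOf(a) >= ASK.indexOf(b) ? a : b);

// Behaviour reported in the issue: model arguments are always merged in.
function resolveReported(cfg, params = {}) {
  return {
    security: minSecurity(cfg.security, normalize(SECURITY, params.security) ?? cfg.security),
    ask: maxAsk(cfg.ask, normalize(ASK, params.ask) ?? cfg.ask),
  };
}

// Behaviour proposed in the issue: merge only when elevation was requested.
function resolveProposed(cfg, params = {}, elevatedRequested = false) {
  return elevatedRequested
    ? resolveReported(cfg, params)
    : { security: cfg.security, ask: cfg.ask };
}

// Flag calls whose effective policy differs from the operator's configuration.
function findPolicyDrift(cfg, calls, resolve) {
  return calls
    .map((c) => ({ id: c.id, ...resolve(cfg, c.params, c.elevated) }))
    .filter((r) => r.security !== cfg.security || r.ask !== cfg.ask);
}

// Constructed sample tool calls (not captured from a real session).
const operatorPolicy = { security: "full", ask: "off" };
const sampleCalls = [
  { id: "call-1", params: { command: "ls" } },
  { id: "call-2", params: { command: "python3 - <<PY", security: "allowlist", ask: "on-miss" } },
  { id: "call-3", params: { command: "id", security: "bogus" } },
  { id: "call-4", params: { command: "id", ask: "always" }, elevated: true },
];

console.log(findPolicyDrift(operatorPolicy, sampleCalls, resolveReported));
console.log(findPolicyDrift(operatorPolicy, sampleCalls, resolveProposed));
```

Because both merges are stricter-wins, a model argument can tighten the effective policy but cannot loosen it: under the reported behaviour a configured `allowlist` stays `allowlist` even if the call passes `security: "full"`.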
