openclaw - 💡(How to fix) Fix [Feature]: Add `before_tool` hook for mandatory pre-execution checks [1 participants]

Summary

Add a before_tool hook that fires before tool execution, allowing agents to enforce mandatory pre-checks (e.g., safety assessment, backup) before system-changing operations.

Problem to solve

There is currently no way to intercept tool execution before it happens. The current hook system supports only post-execution or startup triggers (such as boot-md, bootstrap-extra-files, command-logger, session-memory). As a result, it is not possible to guarantee mandatory pre-checks before potentially dangerous or impactful operations, which reduces system safety and composability.

Our workaround of using a separate Safety Agent (with sessions_spawn) is fragile, as it relies on correct agent behavior rather than enforcing policy at the framework level.

Proposed solution

Introduce a before_tool hook in the hooks configuration schema. This hook should trigger before any tool is executed and allow matching on specific tool types/names. If matched, it must execute a configurable action (e.g., spawn a Safety Agent, enforce policy, block, prompt for confirmation).

Proposed interface (in JSON):

{
  "hooks": {
    "internal": {
      "entries": {
        "before-tool": {
          "enabled": true,
          "match": {
            "tools": ["write", "edit", "apply_patch", "gateway", "cron"]
          },
          "action": "spawn-agent",
          "agentId": "safety"
        }
      }
    }
  }
}

This expands the hooks system, enabling agents and policies to intercept and control potentially dangerous operations in a programmatic, auditable way.

Alternatives considered

Relying on agents to call a Safety Agent before actions is error-prone. Post-execution hooks can't prevent undesired changes. Prohibiting risky tools globally would overly constrain functionality. There's no native, systematic way to enforce such a check per tool invocation.

Impact

Affected: All platform users who run agents with system-modifying capabilities or sensitive operations. Severity: High in environments with multiple contributors or where system state integrity is crucial. Frequency: Whenever system-altering tools are invoked. Consequence: Without a mandatory pre-check, critical safety measures can be bypassed leading to outages or misconfiguration.

Evidence/examples

Workaround example config, direct agent calls to safety checks, logs of missed calls. Consider the value of pre-commit hooks in git, or admission controllers in Kubernetes as prior art.

Additional information

This should remain backward compatible with the existing hook schema. Consider opt-in with "enabled": true to allow gradual rollout.