Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix [Feature] Hook: tool:before-execute event for exec/tool pre-execution interception [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#52108Fetched 2026-04-08 01:15:34
View on GitHub
Comments
1
Participants
2
Timeline
4
Reactions
1
Author
Lrs-GreenBottleLrs-GreenBottle
Participants
Lrs-GreenBottleLrs-GreenBottleRyceRyce
Timeline (top)
commented ×1cross-referenced ×1labeled ×1subscribed ×1

Add a hook event that fires before AI executes a tool or exec command, enabling pre-execution approval/interception

Error Message

// - Return { approved: false, reason: "..." } → deny + return error to AI

Root Cause

Use case: A "wake-up-rec" skill that wants to enforce screen capture + user confirmation before any file deletion or exec. Today this is impossible because the hook fires on the user's message (before the AI decides on exec), not on the AI's decision to actually run exec.

Code Example

// Hook handler signature
const handler: HookHandler = async (event) => {
  if (event.type !== "tool" || event.action !== "before-execute") {
    return;
  }
  
  const ctx = event.context as {
    toolName: string,      // "exec", "browser", etc.
    command?: string,      // for exec: the actual shell command
    args?: object,        // tool arguments
    sessionKey: string,
  };
  
  // Hook can:
  // - Return { approved: true } → allow execution
  // - Return { approved: false, reason: "..." } → deny + return error to AI
  // - Modify args (sanitize commands) before execution
  // - Inject approval workflow (e.g. send Feishu message, await user reply)
};
RAW_BUFFERClick to expand / collapse

Summary

Add a hook event that fires before AI executes a tool or exec command, enabling pre-execution approval/interception

Problem to solve

AI agents can autonomously decide to execute shell commands or tools (via exec tool). Currently there is no mechanism to intercept this decision point. The existing hook system only fires on message:preprocessed and agent:bootstrap events — these intercept user messages but cannot see when the AI itself decides to call a tool or run exec.

The security problem: when a user implicitly authorizes an action (e.g. "yes delete those files" or "clean up that folder"), the AI may immediately execute exec calls without any confirmation prompt. The message:preprocessed hook only sees the user's original message — it cannot detect that the AI has decided to run exec, and cannot inject a skill call or approval step before the exec actually fires.

Use case: A "wake-up-rec" skill that wants to enforce screen capture + user confirmation before any file deletion or exec. Today this is impossible because the hook fires on the user's message (before the AI decides on exec), not on the AI's decision to actually run exec.

Proposed solution

Introduce a new hook event tool:before-execute (or exec:before) that fires when the AI decides to execute a tool or run exec, before the actual execution happens.

Proposed API:

// Hook handler signature
const handler: HookHandler = async (event) => {
  if (event.type !== "tool" || event.action !== "before-execute") {
    return;
  }
  
  const ctx = event.context as {
    toolName: string,      // "exec", "browser", etc.
    command?: string,      // for exec: the actual shell command
    args?: object,        // tool arguments
    sessionKey: string,
  };
  
  // Hook can:
  // - Return { approved: true } → allow execution
  // - Return { approved: false, reason: "..." } → deny + return error to AI
  // - Modify args (sanitize commands) before execution
  // - Inject approval workflow (e.g. send Feishu message, await user reply)
};

This enables:

  1. Pre-execution approval hooks (confirm before dangerous exec)
  2. Command sanitization/filtering
  3. Audit logging of all exec calls
  4. Rate limiting on exec calls per session

The hook should support both sync (allow/deny immediately) and async (await external approval) patterns.

Alternatives considered

  1. exec-approvals.json (current): Works for approval but requires a separate daemon socket process, and has limitations with async approval flows and Feishu integration.

  2. Text injection via message:preprocessed: Hooks inject text into the user's message to suggest calling a skill, but the AI can ignore this and execute exec directly. Not enforceable.

  3. System prompt rules: Adding "always confirm before exec" to SOUL.md — relies on AI self-discipline, not enforceable, and wastes tokens.

  4. Mandatory skill invocation via hook: Having the hook inject a skill call like skill:approve-exec before every exec — hacky and fragile.

None of these provide a genuine pre-execution interception point. Only a dedicated hook event can achieve that.

Impact

Affected users: Anyone running OpenClaw agents with exec tool access, especially in shared/group environments.

Severity: High for security-conscious deployments. Currently if the AI decides to run an exec, no hook can stop it.

Frequency: The gap manifests whenever the AI autonomously decides to execute a command in response to user intent (which is the primary use case for AI agents).

Consequences: Without this, dangerous operations (file deletion, system config changes) cannot be intercepted and confirmed before execution, creating a security gap.

Evidence/examples

Example scenario:

  1. User says "clean up those leftover files in workspace"
  2. AI understands intent, decides to run rm -rf ~/.openclaw/workspace/trading-hub
  3. message:preprocessed hook only sees the user's message — no "delete" keyword is matched (the word "clean up" is not in the hook's trigger list)
  4. AI executes rm command directly — no interception possible

The hook system correctly identifies the message, but the decision to execute exec is made inside the AI's reasoning process, invisible to the hook.

OpenClaw hooks documentation: https://docs.openclaw.ai/automation/hooks Current supported events: agent:bootstrap, gateway:startup, message:preprocessed, message:sent, command

Additional information

No response

extent analysis

Fix Plan

To introduce a new hook event tool:before-execute that fires before the AI executes a tool or runs an exec command, follow these steps:

  • Update the hook system to include the new event type tool:before-execute.
  • Modify the AI's execution logic to trigger the tool:before-execute hook before executing any tool or exec command.
  • Implement the hook handler function with the proposed API:
const handler: HookHandler = async (event) => {
  if (event.type !== "tool" || event.action !== "before-execute") {
    return;
  }
  
  const ctx = event.context as {
    toolName: string,      // "exec", "browser", etc.
    command?: string,      // for exec: the actual shell command
    args?: object,        // tool arguments
    sessionKey: string,
  };
  
  // Example approval logic
  if (ctx.toolName === "exec" && ctx.command.includes("rm")) {
    // Inject approval workflow (e.g. send Feishu message, await user reply)
    const approval = await requestUserApproval(ctx.sessionKey, ctx.command);
    if (!approval) {
      return { approved: false, reason: "User denied approval" };
    }
  }
  
  return { approved: true };
};
  • Register the hook handler function with the hook system.

Verification

To verify that the fix worked, test the following scenarios:

  • Trigger the AI to execute a tool or exec command that requires approval (e.g. rm command).
  • Verify that the tool:before-execute hook is triggered and the approval workflow is injected.
  • Test both sync and async approval patterns.
  • Verify that the AI executes the tool or exec command only after approval is granted.

Extra Tips

  • Ensure that the hook system is properly configured and registered with the AI's execution logic.
  • Consider implementing additional security measures, such as audit logging and rate limiting, to further enhance the security of the AI system.
  • Refer to the OpenClaw hooks documentation for more information on implementing and configuring hooks: https://docs.openclaw.ai/automation/hooks

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#ssr#installation#tensor shape#autograd error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - 💡(How to fix) Fix [Feature] Hook: tool:before-execute event for exec/tool pre-execution interception [1 comments, 2 participants]