#Exec approval not working - still being prompted

1 messages Β· Page 1 of 1 (latest)

native jacinth
#

Have a little wrapper, around maton

cat personal-maton
#!/usr/bin/env bash
set -euo pipefail

MATON_API_KEY="$(cat "$HOME/.config/maton/api_key")"

exec /usr/bin/curl -sS
-H "Authorization: Bearer ${MATON_API_KEY}"
"$@"

my exec approvals is:

"main": {
"allowlist": [
{
"pattern": "/home/ubuntu/.local/bin/personal-maton",
"source": "allow-always",
"lastUsedAt": 1777263569917,
"id": "097ccaef-d225-48ca-8949-d2e5a415bed7",
"lastUsedCommand": "/home/ubuntu/.local/bin/personal-maton "https://ctrl.maton.ai/connections\"",
"lastResolvedPath": "/home/ubuntu/.local/bin/personal-maton"
},
{
"pattern": "/usr/bin/jq",
"source": "allow-always",
"id": "608bfc13-dcee-4159-9378-f0f155bedd6f"
}
]
}

when the agent tries to run:

{
"command": "/home/ubuntu/.local/bin/personal-maton \\n -H "Maton-Connection: 70d253c5-9" \\n "https://gateway.maton.ai/airtable/v0/appp9eE3Radadadasd/Transactions?maxRecords=1&view=All Transactions Hermes&filterByFormula=AND({Primary Category}%3DBLANK()%2C NOT(FIND("Hide"%2C ARRAYJOIN({Tags}))))""
}

it still prompts me every time πŸ™

with ~/.local/bin/personal-maton "https://ctrl.maton.ai/connections" this one did work but the more complicated airtable one always prompts πŸ™

OpenClaw 2026.4.23 (a979721)

plain knotBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> βœ… Mark Solution

hard meteorBOT
#

This is probably the shell-syntax guard, not the path allowlist failing.

Your β€œcomplicated” URL contains literal ( and ) in:

filterByFormula=AND(...BLANK()...NOT(FIND(...ARRAYJOIN(...))))

In allowlist mode, OpenClaw can treat raw shell text containing shell-control / expansion-ish characters like ( and ) as an allowlist miss, even when the executable path itself is allowlisted. So the simple command matches:

/home/ubuntu/.local/bin/personal-maton "https://ctrl.maton.ai/connections"

…but the Airtable one trips the conservative parser.

Try fully URL-encoding the formula parentheses too:

# 
filterByFormula=AND%28%7BPrimary%20Category%7D%3DBLANK%28%29%2C%20NOT%28FIND%28%22Hide%22%2C%20ARRAYJOIN%28%7BTags%7D%29%29%29%29

So the command has no literal ( / ).

Best long-term pattern: put the Airtable-specific call behind a second tiny wrapper with the header + query construction inside the script, then allowlist that wrapper path. Don’t allowlist bash/sh just to bypass this β€” that weakens the approval model a lot.

Useful docs: https://docs.openclaw.ai/tools/exec-approvals and https://docs.openclaw.ai/tools/exec-approvals-advanced 🦐

native jacinth
#

that was it omg thank you

hard meteorBOT
#

Nice, glad that was it πŸŽ‰

If this fixed it, please right-click the solution message β†’ Apps β†’ βœ… Mark Solution so Answer Overflow indexes it for the next person who hits the same exec-approval weirdness. 🦐