How to Add Human Approval Before AI Executes Tools with OpenClaw Plugin Hooks
I woke up at 3 AM to find my AI agent had emailed my boss about a “critical production issue” that was actually just a false positive. The AI had autonomously decided to send an email using the messaging tool—without my knowledge or consent.
That’s when I realized: giving AI agents unrestricted tool access is a recipe for disaster.
The Problem: “Act First, Apologize Later”
Traditional AI agents operate on a simple but dangerous principle:
```
+-------------+     +-------------+     +-------------+
| AI Decides  | --> |  Executes   | --> | Apologizes  |
|   to Act    |     |    Tool     |     |  if Wrong   |
+-------------+     +-------------+     +-------------+
                           |
                           v
                 [Irreversible Action]
```

This flow works fine for read-only operations. But when AI has access to:
- File system (delete, modify)
- External APIs (send emails, post to Slack)
- Database operations (drop tables, update records)
- Cloud resources (spin up instances, change configs)
…you can’t afford to let it “oops, my bad” its way through production.
I’ve seen AI agents:
- Delete important log files while trying to “clean up”
- Send test messages to production channels
- Modify database records based on incomplete context
- Trigger expensive API calls without understanding the cost
The core issue: AI lacks the full context to make safe decisions every time.
The Solution: OpenClaw’s before_tool_call Hook
OpenClaw 2026.3.28 introduced Plugin Approval Hooks—a native solution for human-in-the-loop tool execution.
Instead of AI executing tools immediately, the before_tool_call hook intercepts every tool request:
```
+-------------+     +-------------+     +-------------+
| AI Decides  | --> |    Hook     | --> |  Wait for   |
|   to Act    |     | Intercepts  |     |  Approval   |
+-------------+     +-------------+     +-------------+
                           |                   |
                           v                   v
                  [Pauses Execution]     [User Reviews]
                                               |
                                               v
                                        +-------------+
                                        | Approve or  |
                                        |    Deny     |
                                        +-------------+
                                               |
                    +--------------------------+
                    v
             [Execute Tool] OR [Cancel]
```

How It Works
- AI decides to call a tool (e.g., file_write, send_email)
- The before_tool_call hook catches the request
- A confirmation prompt appears in your configured channel
- You review the action and approve or deny
- Only approved actions execute
This transforms AI from an autonomous actor into a supervised assistant.
Setting Up Approval Hooks
Here’s how to configure approval hooks in OpenClaw:
```yaml
plugins:
  approval:
    enabled: true
    channels:
      - telegram
      - discord
    timeout: 300  # seconds to wait for approval
    require_approval_for:
      - file_write
      - file_delete
      - send_email
      - send_message
      - database_write
      - api_call
```

The configuration is straightforward:
- enabled: true activates the approval system
- channels define where approval requests appear
- timeout sets how long to wait before auto-deny
- require_approval_for lists tools that need human confirmation
Approval Methods
OpenClaw supports three approval channels:
1. Telegram Buttons
```
┌─────────────────────────────────┐
│ AI wants to execute:            │
│ Tool: file_delete               │
│ Path: /logs/production.log      │
│ Reason: "Cleaning old logs"     │
│                                 │
│ [Approve] [Deny]                │
└─────────────────────────────────┘
```

2. Discord Interactive UI
```
AI Tool Request
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Tool: send_email
Subject: Critical Production Issue

⚠️ This action requires approval
[Approve] [Deny] [View Details]
```

3. Chat Command
Simply type /approve or /deny in any connected chat channel.
Why This Matters for Production
I run automated AI sessions 24/7 for monitoring and maintenance tasks. Before approval hooks, I had to:
- Constantly check logs for unexpected actions
- Wake up to “fix” AI mistakes
- Restrict AI to read-only operations (limiting usefulness)
With approval hooks:
```
Before                              After
------                              -----
☑ AI deletes wrong file             ☑ AI asks before deletion
☑ AI sends embarrassing email       ☑ Email requires approval
☑ AI makes unauthorized API call    ☑ API calls are reviewed
☑ 24/7 babysitting required         ☑ Sleep peacefully
```

The architecture is designed natively—not as a post-hoc patch. This means:
- No performance overhead for approved tools
- Approval state persists across session restarts
- Works with all tool types (custom plugins included)
Common Mistakes to Avoid
I’ve made these mistakes so you don’t have to:
Mistake 1: Disabling Hooks for Convenience
```yaml
plugins:
  approval:
    enabled: false  # Never disable in production!
```

Yes, approval prompts add friction. But that friction is your safety net. In production, never disable approval hooks.
Mistake 2: Not Configuring Timeout Properly
```yaml
plugins:
  approval:
    timeout: 300   # 5 minutes - reasonable for most cases
    # timeout: 0   # DANGER: Waits forever, blocks all execution
    # timeout: 10  # Too short: You'll miss approvals
```

Too short = missed approvals, blocked operations. Too long = stalled agents. Find the right balance for your workflow.
Mistake 3: Assuming AI Context Is Sufficient
Even with approval hooks, review the actual action:
```
AI: "I want to delete temp file /tmp/cache"
You: [Approve] ← Too quick!

Reality: /tmp/cache was a symlink to /production/data
Result: Production data deleted
```

Always verify the tool parameters, not just the AI’s explanation.
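One way to make that check mechanical, as an added example that is not OpenClaw code: resolve the requested path before matching it against pre-approval patterns such as the `/tmp/*` rule shown under Best Practices, and display the resolved target in the prompt. The function names and the sandbox layout are assumptions made for the illustration, and the example also covers `..` segments, which goes beyond the symlink case above.

```python
import fnmatch
import os
import tempfile

def first_match(path, rules):
    """Return auto_approve of the first matching rule; no match means manual review."""
    for pattern, auto_approve in rules:
        if fnmatch.fnmatch(path, pattern):
            return auto_approve
    return False

def naive_decision(requested, rules):
    # Weak form: matches the string exactly as the agent supplied it.
    return first_match(requested, rules)

def resolved_decision(requested, rules):
    # Hardened form: resolve symlinks and ".." first, then match, and return
    # the real target so the approval prompt can display it.
    real = os.path.realpath(requested)
    return first_match(real, rules), real

def build_sandbox():
    """Constructed layout: <root>/tmp/cache is a symlink to <root>/production/data."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "production", "data"))
    os.symlink(os.path.join(root, "production", "data"),
               os.path.join(root, "tmp", "cache"))
    rules = [(os.path.join(root, "tmp", "*"), True),          # like "/tmp/*"
             (os.path.join(root, "production", "*"), False)]  # like "/production/*"
    return root, rules

if __name__ == "__main__":
    root, rules = build_sandbox()
    for rel in ("tmp/cache", "tmp/../production/data", "tmp/scratch.txt"):
        requested = os.path.join(root, rel)
        print(rel, naive_decision(requested, rules), resolved_decision(requested, rules))
```

The tool should then act on the resolved path that was reviewed, since a link can be repointed between the decision and the execution.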
Mistake 4: Not Using Selective Approval
You don’t need approval for every tool. Configure selectively:
```yaml
plugins:
  approval:
    require_approval_for:
      - file_delete     # Needs approval
      - database_write  # Needs approval
      - send_email      # Needs approval
      # file_read       # No approval needed (read-only)
      # http_get        # No approval needed (read-only)
```

Read-only operations are generally safe. Focus approval on mutating actions.
Real-World Example: Prevented Disaster
Here’s what happened last week:
```
[2026-03-22 14:32:15] AI: Detected disk space issue
[2026-03-22 14:32:16] AI: Proposing file_delete on /var/log/app/*.log
[2026-03-22 14:32:16] Hook: Approval required
[2026-03-22 14:32:45] Human: Denied - logs needed for audit
[2026-03-22 14:33:02] AI: Proposing alternative: compress old logs
[2026-03-22 14:33:02] Hook: Approval required
[2026-03-22 14:33:15] Human: Approved
[2026-03-22 14:33:16] AI: Compressed logs successfully
```

Without the approval hook, AI would have deleted audit logs—a compliance violation. The hook gave me a chance to guide AI toward a better solution.
Integration with Existing Workflows
If you’re already using OpenClaw for automation:
```yaml
workflows:
  daily_cleanup:
    schedule: "0 3 * * *"
    tools:
      - file_delete
      - api_call
    # AI runs autonomously - risky!
```

```yaml
workflows:
  daily_cleanup:
    schedule: "0 3 * * *"
    tools:
      - file_delete
      - api_call

plugins:
  approval:
    enabled: true
    channels:
      - telegram
    # AI asks permission - safe!
```

The migration is simple: add the plugins section to your workflow config.
Architecture Details
For those interested in how this works under the hood:
```
┌─────────────────────────────────────────────────────────┐
│                        AI Agent                         │
│  ┌─────────────────────────────────────────────────┐    │
│  │ "I need to call file_delete tool"               │    │
│  └─────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────┘
                             │
                             v
┌─────────────────────────────────────────────────────────┐
│                  before_tool_call Hook                  │
│  ┌─────────────────────────────────────────────────┐    │
│  │ 1. Intercept tool call                          │    │
│  │ 2. Extract tool name and parameters             │    │
│  │ 3. Check if approval required                   │    │
│  │ 4. If yes: send approval request                │    │
│  │ 5. Wait for response (up to timeout)            │    │
│  │ 6. Return approved/denied to agent              │    │
│  └─────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────┘
                             │
          ┌──────────────────┴──────────────────┐
          v                                     v
┌─────────────────┐                     ┌─────────────────┐
│    Approved     │                     │     Denied      │
│  Execute Tool   │                     │  Return Error   │
│  Continue Flow  │                     │  AI Handles It  │
└─────────────────┘                     └─────────────────┘
```

The hook sits between the AI agent and tool execution, giving it complete control over what gets through.
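The six steps in the diagram, as an added stand-alone sketch rather than OpenClaw's own code or plugin API: the gate denies on timeout, ties each decision to the exact tool name and parameters, and writes a JSON audit line for every outcome. The `ApprovalGate` class, the `ask` callback and the reviewer functions are assumptions made for the illustration.

```python
import hashlib
import json
import queue
import threading

class ApprovalGate:
    """Stand-alone sketch of the six hook steps; not OpenClaw's plugin API."""

    def __init__(self, require_approval_for, timeout, audit_log):
        self.require = set(require_approval_for)
        self.timeout = timeout        # seconds before auto-deny
        self.audit_log = audit_log    # list of JSON lines (stand-in for a log file)

    def _record(self, tool, params, outcome):
        self.audit_log.append(json.dumps({"tool": tool, "params": params, "outcome": outcome}))
        return outcome in ("approved", "no_approval_needed")

    def before_tool_call(self, tool, params, ask):
        """Return True only when the call may run.

        `ask(request, reply)` is a hypothetical channel callback: it shows the
        request to a human and puts {"id", "decision"} on the `reply` queue.
        """
        if tool not in self.require:
            return self._record(tool, params, "no_approval_needed")
        # Bind the decision to the exact tool name and parameters.
        blob = json.dumps([tool, params], sort_keys=True).encode()
        request = {"id": hashlib.sha256(blob).hexdigest(), "tool": tool, "params": params}
        reply = queue.Queue(maxsize=1)
        threading.Thread(target=ask, args=(request, reply), daemon=True).start()
        try:
            answer = reply.get(timeout=self.timeout)
        except queue.Empty:
            return self._record(tool, params, "denied_timeout")  # fail closed
        ok = answer.get("id") == request["id"] and answer.get("decision") == "approve"
        return self._record(tool, params, "approved" if ok else "denied")

# Constructed reviewers standing in for a Telegram/Discord channel.
def approves(request, reply):
    reply.put({"id": request["id"], "decision": "approve"})

def denies(request, reply):
    reply.put({"id": request["id"], "decision": "deny"})

def stale_approval(request, reply):
    reply.put({"id": "approval-for-some-other-request", "decision": "approve"})

def never_answers(request, reply):
    pass
```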
Best Practices
Based on my experience running this in production:
- Start Conservative: Enable approval for all tools, then selectively disable for read-only operations.
- Set Reasonable Timeouts: 5 minutes (300s) works well for interactive sessions. For scheduled tasks, consider longer timeouts or pre-approval.
- Use Multiple Channels: Configure both Telegram and Discord so you don’t miss approvals when away from one device.
- Review Before Approving: Don’t blindly click approve. Check the tool name, parameters, and AI’s reasoning.
- Log All Decisions: Keep a record of approvals and denials for auditing.

```yaml
plugins:
  approval:
    logging:
      enabled: true
      file: /var/log/openclaw/approvals.log
      format: json
```

- Implement Pre-Approval for Routine Tasks: For predictable scheduled operations, use pre-approval rules:

```yaml
plugins:
  approval:
    pre_approval:
      - tool: file_delete
        pattern: "/tmp/*"
        auto_approve: true   # Safe: deleting temp files
      - tool: file_delete
        pattern: "/production/*"
        auto_approve: false  # Requires manual approval
```

Conclusion
Plugin Approval Hooks solve the fundamental problem of AI autonomy in production: trust. Instead of hoping AI makes the right decision every time, you enforce human oversight for every significant action.
The feature transforms AI agents from potential liabilities into trustworthy assistants. For teams running scheduled tasks or autonomous agents, approval hooks provide the peace of mind needed to sleep soundly while AI works.
The days of “AI decided to email my boss at 3 AM” are over. Now, AI asks first—and that makes all the difference.
Final Words + More Resources
My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact me by email.
If you’re running AI agents in production without approval hooks, you’re one wrong decision away from a disaster. OpenClaw’s before_tool_call hook is simple to set up and provides essential safety. Don’t wait for AI to make a mistake you can’t undo.