Summary
PraisonAI gates dangerous tools (file writes, deletes, shell/code execution) behind an interactive approval prompt. The first approval of a tool is cached for the remainder of the run and silently reused for all later invocations of that tool with arbitrary, unreviewed arguments.
Root cause
ApprovalRegistry.is_already_approved (src/praisonai-agents/praisonaiagents/approval/registry.py, around line 181) returns True whenever the tool name is present in a per-run context set. The cache is keyed on tool name only — arguments are not part of the key.
approve_sync / approve_async (around lines 224-226 / 278-279) short-circuit on that cache before the approval backend is consulted.
clear_approved (around lines 186-187) is the only routine that clears the cache, but it is never invoked in the shipped library (only in tests). The cache persists for the entire agent run and is inherited by child tasks via contextvars.
Critical-tier tools (execute_command, execute_code) are exempt from the cache. But high-risk tools like write_file are not.
Proof of concept
from praisonaiagents.approval.registry import ApprovalRegistry
from praisonaiagents.approval.protocols import ApprovalDecision, ApprovalRequest
class CountingBackend:
def __init__(self): self.prompts = []
def request_approval_sync(self, request):
self.prompts.append((request.tool_name, dict(request.arguments)))
return ApprovalDecision(approved=True, reason="human approved")
backend = CountingBackend()
reg = ApprovalRegistry()
reg.set_backend(backend)
reg.add_requirement("write_file", "high")
d1 = reg.approve_sync("agent", "write_file", {"path": "/tmp/safe.txt", "content": "hi"})
# Human prompted — approves a benign write
d2 = reg.approve_sync("agent", "write_file", {"path": "/etc/crontab", "content": "* * * * * root evil"})
# NO prompt — auto-approved from cache
assert len(backend.prompts) == 1
assert d2.reason == "Already approved in context"
Negative control: execute_command (critical) re-prompts on every call — 2 prompts for 2 calls.
Impact
A write_file approval for a benign path authorizes every later write_file call in the session with arbitrary arguments. A model steered by malicious input can write to sensitive locations with no further human prompt.
Suggested fix
- Include arguments in the approval cache key, or re-prompt on argument change.
- Expire the cache per-call or per-turn.
- Do not inherit the cache into child tasks.
Summary
PraisonAI gates dangerous tools (file writes, deletes, shell/code execution) behind an interactive approval prompt. The first approval of a tool is cached for the remainder of the run and silently reused for all later invocations of that tool with arbitrary, unreviewed arguments.
Root cause
ApprovalRegistry.is_already_approved(src/praisonai-agents/praisonaiagents/approval/registry.py, around line 181) returnsTruewhenever the tool name is present in a per-run context set. The cache is keyed on tool name only — arguments are not part of the key.approve_sync/approve_async(around lines 224-226 / 278-279) short-circuit on that cache before the approval backend is consulted.clear_approved(around lines 186-187) is the only routine that clears the cache, but it is never invoked in the shipped library (only in tests). The cache persists for the entire agent run and is inherited by child tasks viacontextvars.Critical-tier tools (
execute_command,execute_code) are exempt from the cache. But high-risk tools likewrite_fileare not.Proof of concept
Negative control:
execute_command(critical) re-prompts on every call — 2 prompts for 2 calls.Impact
A
write_fileapproval for a benign path authorizes every laterwrite_filecall in the session with arbitrary arguments. A model steered by malicious input can write to sensitive locations with no further human prompt.Suggested fix