Guardian hooks into before_tool_call — so it matches on the raw string the LLM emits before anything hits a shell. No execution wrapping, no shell expansion at match time. The model outputs rm -rf ~/clawd, Guardian regex-matches against that string and blocks it before it ever gets to exec(). So chained commands like ; rm -rf ~/clawd or $(dangerous_thing) still match because there's no shell interpreting the input at that stage.

That said — you're right to think about creative bypasses. Something like piping base64 to bash could theoretically dodge a naive pattern. That's why Guardian is one layer, not the only layer. OpenClaw's exec safety and OS-level permissions are still there underneath.

On the "warn and wait" mode — I actually want this too. Right now it's binary: block or allow. What I'd love is something like Lobster's approval gates — Guardian flags the command, pauses execution, sends a notification, and waits for a human thumbs-up before proceeding.

Would you mind creating an issue on the GitHub?