GHSA-h2w2-v7j6-xqm4: npm PraisonAI AgentLoop onToolCall approval runs after tool execution

The published npm package praisonai exports createAgentLoop(), whose onToolCall callback is documented and exampled as an approval hook. The implementation calls PraisonAI’s generateText() wrapper with the caller’s executable tools first, receives toolResults, and only then calls onToolCall().

Because AI SDK generateText() executes tools with an execute function as part of the generation call, onToolCall can deny a tool only after the sensitive side effect has already happened. PraisonAI then returns finishReason: "tool_rejected", which is a false security signal: the rejected tool already ran.

The PoV is deterministic and local-only. It uses mock AI SDK modules, no live model call, no API key, and no network target. The tool increments an in-memory counter rather than touching the filesystem or executing commands.