The cursor hooks did not execute as expected

Hey, this is a known bug. Right now hooks only enforce the deny permission. Both allow and ask are basically ignored.

What’s happening in your case:

Hook 1 beforeMCPExecution, allow for yapi_ tools: Returning allow from a hook does not override Cursor’s MCP approval system. The two permission paths, hooks and the built-in MCP approval flow, are separate. So your approval mode, like ask everything or use allow-list, still applies no matter what the hook returns.

Hook 2 beforeShellExecution, ask for dangerous commands: The ask permission is not enforced for shell execution. In run everything mode the command runs and ignores the ask response from your hook.

Workarounds:

  • For MCP auto-approval: add the yapi_ tools to the MCP allowlist in Cursor Settings instead of relying on hooks.
  • For blocking dangerous commands: use deny instead of ask. It’s the only permission that works reliably right now.

Same issue reported in several threads:

The team is aware of this. No ETA yet, but your report helps with prioritization.
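The second workaround as an added example, not part of the original reply and not Cursor's own code: a `beforeShellExecution` hook script that answers `deny` for risky commands and never returns `ask`. It assumes the hook receives a JSON object on stdin with a `command` string and replies on stdout with a JSON object carrying `permission`. The deny patterns and the sample commands are constructed for illustration.

```python
#!/usr/bin/env python3
"""beforeShellExecution hook sketch: answer deny, never ask, for risky commands."""
import json
import re
import sys

# Constructed patterns for this example; tune them to your environment.
DENY_PATTERNS = [
    (re.compile(r"\brm\b.*\s(-\w*[rR]|--recursive)"), "recursive rm"),
    (re.compile(r"\bgit\s+push\b.*\s(--force\b|-f\b)"), "forced git push"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"), "download piped to a shell"),
    (re.compile(r"\bmkfs(\.\w+)?\b"), "filesystem format"),
    (re.compile(r"\bdd\b.*\bof=/dev/"), "raw write to a device"),
]


def decide(payload):
    """Return (permission, reason). Only 'deny' is relied on for enforcement."""
    # Assumed input shape: {"command": "<shell command>", ...}
    command = payload.get("command") if isinstance(payload, dict) else None
    if not isinstance(command, str):
        # Fail closed: a payload we cannot parse must not slip through.
        return "deny", "malformed hook input"
    for pattern, label in DENY_PATTERNS:
        if pattern.search(command):
            return "deny", label
    # 'allow' carries no weight here; the editor's own approval mode still applies.
    return "allow", "no deny pattern matched"


def main():
    try:
        payload = json.load(sys.stdin)
    except ValueError:
        payload = None
    permission, reason = decide(payload)
    print(reason, file=sys.stderr)  # diagnostic only, kept off stdout
    print(json.dumps({"permission": permission}))


if __name__ == "__main__":
    main()
```

Regex matching on a command string is a coarse filter: quoting, aliases or variables can hide a command from it, so keep the patterns as one layer rather than the only control.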