v2.0.0

Safe Shell

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:58 AM.

Analysis

The skill is intended to be a read-only shell helper, but its included safety validator is broader than its “zero modification” claims and could approve unsafe shell patterns if used before execution.

Guidance: Review this skill carefully before installing. It is not clearly malicious, but do not rely on its “safe shell” guarantees as a complete sandbox. Use it only with explicit command review, avoid reading secrets or environment variables unnecessarily, and prefer a stricter implementation that only permits exact read-only commands and arguments.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Concern
safe-shell.js
const ALLOWED_COMMANDS = [... 'ping', 'ifconfig', 'ip', ...]; ... trimmed.startsWith(cmd + ' ')

The validator approves any command that starts with an allowed word such as `ip`, rather than restricting exact read-only subcommands and arguments. If this result is trusted before an exec tool runs the command, broader shell operations could be treated as safe.

User impact: A user or agent could believe a command is safely read-only when the validator may allow broader command forms that can affect the local environment.
Recommendation: Use exact command-and-argument allowlists, parse commands instead of matching prefixes, and require explicit user approval before any actual shell execution.

Human-Agent Trust Exploitation
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
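“Zero destructive risk: completely prohibits any modification, deletion, or execution of dangerous operations” ... “Command chain blocking: prohibits command chaining such as `| xargs`, `; && ||`”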

The documentation makes very strong safety guarantees, but the included validator does not show comprehensive enforcement for command chaining, shell metacharacters, or all write paths.

User impact: The strong safety wording may cause users to over-trust shell execution decisions that are not fully enforced by the provided code.
Recommendation: Tone down absolute safety claims unless they are fully enforced, and document remaining limits and required user review clearly.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
metadata
Source: unknown; Homepage: https://github.com/your-repo/safe-shell

The source is not identified and the homepage appears to be a placeholder, which limits provenance review even though no dependency-install behavior is shown.

User impact: Users have less assurance about who maintains the skill and where the reviewed source is hosted.
Recommendation: Prefer a skill version with a real source repository, maintainer identity, and release history before relying on it for shell safety.