Terminal Killer

Verdict: Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This skill is transparent about being a shell command runner, but it can automatically execute broad local commands and reads shell environment/history, so it needs careful review before installation.

Install only if you intentionally want an agent to run local shell commands directly. Prefer requiring confirmation for all command execution, especially commands that write files, install packages, use credentials, contact networks, or affect shared systems. Be aware that it reads shell history, sources shell profile files, and inherits environment variables, and that the advertised audit log is not implemented in the supplied code.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A short input judged to be a command could modify or delete files, install packages, push code, contact remote hosts, or run arbitrary local programs under the user's account.

Why it was flagged

The skill makes direct command execution the default for inputs it classifies as commands, rather than requiring explicit approval for every shell operation.

Skill content
Use when user input appears to be a shell command to skip AI processing and run immediately.
Recommendation

Require explicit user confirmation for command execution, especially mutating, network, package-manager, privileged, or destructive commands; show the exact command, working directory, and environment before running.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

Even detection logic can invoke the shell on user-controlled text, increasing the chance of unintended command execution.

Why it was flagged

The detector shells out with an unescaped user-derived command token while deciding whether input is a command, so shell metacharacters can be parsed before the normal execution decision or approval path.

Skill content
execSync(`${initCmd}which ${cmd}`, { stdio: 'ignore', timeout: 5000 });
Recommendation

Replace shell-based PATH checks with safe APIs such as execFile/spawn with argument arrays or direct filesystem PATH scanning, and validate command names against a strict safe pattern.

What this means

Executed commands can use the same credentials and privileges available in the user's normal terminal.

Why it was flagged

Commands run after shell initialization and inherit the user's full environment, which may include tokens, API keys, cloud profiles, or other privileged configuration.

Skill content
const fullCommand = initCmd + command; ... env: process.env // Inherit current environment
Recommendation

Use this only if you are comfortable granting terminal-equivalent privileges; consider running it in a sandbox or with a reduced environment.

What this means

Private command history is used as local context for routing decisions, although no external transmission is shown in the provided code.

Why it was flagged

The detector reads recent shell history to improve classification. This is disclosed and bounded to recent entries, but shell history can contain sensitive commands or arguments.

Skill content
path.join(os.homedir(), '.zsh_history'), ... fs.readFileSync(historyFile, 'utf8')
Recommendation

Avoid installing if your shell history may contain secrets, or disable history matching / reduce its scope.

What this means

Users may believe there will be a reliable audit trail of executed commands when the supplied code does not show one.

Why it was flagged

The provided source files do not implement writing this audit log, so the documented safety/audit control is unsupported by the artifacts.

Skill content
All executed commands are logged to: ~/.openclaw/logs/terminal-killer.log
Recommendation

Implement the audit log before release or remove the claim; users should not rely on logging unless they verify it works.

Note (High Confidence)
ASI10: Rogue Agents
What this means

An SSH, docker, shell, or similar session may continue independently until the user closes it.

Why it was flagged

For interactive commands on Linux, the skill can launch a detached terminal process. This is aligned with the interactive-terminal feature, but it can keep running after the main agent flow.

Skill content
const proc = spawn(cmd, args, { detached: true, stdio: 'ignore' }); proc.unref();
Recommendation

Ask before opening detached sessions and clearly show users how to stop or close any spawned terminal process.