Terminal Killer

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: terminal-killer
Version: 1.2.0

The skill is designed to execute shell commands directly, which is a high-risk capability by nature. It attempts to mitigate this with dangerous command detection and an approval workflow. However, a critical vulnerability exists in `scripts/detect-command.js` and `scripts/exec-command.js` (and other execution paths) where user-controlled shell initialization files (e.g., `~/.zshrc`, `~/.bashrc`) are sourced via `execSync` before executing `which` or the user's command. This means any malicious code in these config files could be executed during the command detection phase, even if the user's input is not ultimately approved for execution, leading to a potential Remote Code Execution (RCE) vulnerability. While the author explicitly states the skill does not perform external API calls or data exfiltration, the inherent risk of direct shell execution with full user environment and the specific RCE vulnerability during detection make it suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A short input judged to be a command could modify or delete files, install packages, push code, contact remote hosts, or run arbitrary local programs under the user's account.

Why it was flagged

The skill makes direct command execution the default for inputs it classifies as commands, rather than requiring explicit approval for every shell operation.

Skill content

Use when user input appears to be a shell command to skip AI processing and run immediately.

Recommendation

Require explicit user confirmation for command execution, especially mutating, network, package-manager, privileged, or destructive commands; show the exact command, working directory, and environment before running.

Concern: High Confidence

ASI05: Unexpected Code Execution

What this means

Even detection logic can invoke the shell on user-controlled text, increasing the chance of unintended command execution.

Why it was flagged

The detector shells out with an unescaped user-derived command token while deciding whether input is a command, so shell metacharacters can be parsed before the normal execution decision or approval path.

Skill content

execSync(`${initCmd}which ${cmd}`, { stdio: 'ignore', timeout: 5000 });

Recommendation

Replace shell-based PATH checks with safe APIs such as execFile/spawn with argument arrays or direct filesystem PATH scanning, and validate command names against a strict safe pattern.

What this means

Executed commands can use the same credentials and privileges available in the user's normal terminal.

Why it was flagged

Commands run after shell initialization and inherit the user's full environment, which may include tokens, API keys, cloud profiles, or other privileged configuration.

Skill content

const fullCommand = initCmd + command; ... env: process.env // Inherit current environment

Recommendation

Use this only if you are comfortable granting terminal-equivalent privileges; consider running it in a sandbox or with a reduced environment.

What this means

Private command history is used as local context for routing decisions, although no external transmission is shown in the provided code.

Why it was flagged

The detector reads recent shell history to improve classification. This is disclosed and bounded to recent entries, but shell history can contain sensitive commands or arguments.

Skill content

path.join(os.homedir(), '.zsh_history'), ... fs.readFileSync(historyFile, 'utf8')

Recommendation

Avoid installing if your shell history may contain secrets, or disable history matching / reduce its scope.

What this means

Users may believe there will be a reliable audit trail of executed commands when the supplied code does not show one.

Why it was flagged

The provided source files do not implement writing this audit log, so the documented safety/audit control is unsupported by the artifacts.

Skill content

All executed commands are logged to: ~/.openclaw/logs/terminal-killer.log

Recommendation

Implement the audit log before release or remove the claim; users should not rely on logging unless they verify it works.

Note: High Confidence

ASI10: Rogue Agents

What this means

An SSH, docker, shell, or similar session may continue independently until the user closes it.

Why it was flagged

For interactive commands on Linux, the skill can launch a detached terminal process. This is aligned with the interactive-terminal feature, but it can keep running after the main agent flow.

Skill content

const proc = spawn(cmd, args, { detached: true, stdio: 'ignore' }); proc.unref();

Recommendation

Ask before opening detached sessions and clearly show users how to stop or close any spawned terminal process.