Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

exec-guard

v1.0.6

Safe command execution for AI agents with timeout control, 8KB ring buffer memory protection, background process management, and multi-agent sharing via HTTP...

0· 288·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious (report available on VirusTotal)
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name, description, and included code implement a command-execution and background-process manager with an HTTP API and CLI, as advertised. The dependencies it pulls in are proportional to the described function (child_process usage, a ring buffer, tree-kill for process termination). No unrelated credentials or external services are requested.
Instruction Scope (warning)
Runtime instructions permit arbitrary system commands, background tasks, and an HTTP API that exposes process lists, logs, and terminate actions. The service inherits the host process environment and returns process output via HTTP endpoints; if a command or its output contains sensitive file contents or environment secrets, the API hands them to whoever can reach it. The SKILL.md and agent guide do not specify authentication, network binding restrictions, or advice to limit exposure of the HTTP server.
Install Mechanism
No remote download or install spec is present; the package contains Node.js source and package files bundled in the skill, and no install step fetches code from arbitrary URLs. Risk from the install mechanism is low, though the included Node code runs locally with the privileges of whoever starts it.
Credentials (warning)
The skill declares no required environment variables, but its implementation merges process.env into child processes by default. That is functional for running commands, but it gives every invoked command access to all host environment variables, potentially including secrets. The accepted 'env' override also lets callers inject new values, including sensitive ones. Neither behaviour is unjustified for a command executor, but both are broad and potentially dangerous without access controls.
Persistence & Privilege (warning)
The skill is not always-on and is user-invocable; model invocation is allowed (the platform default). Autonomous invocation is not a defect on its own, but combined with the ability to start an HTTP server and run arbitrary system commands it increases the blast radius. There is no documented authentication for the HTTP API and no instruction to bind to localhost only.
Assessment
This skill appears to implement exactly what it claims: a general-purpose command executor and background process manager, which inherently grants the ability to run arbitrary system commands and read their output. Before installing or enabling it, consider:

1) Network exposure: run HTTP mode only bound to localhost or behind a firewall, and add authentication; the skill's docs do not describe any.
2) Principle of least privilege: run it inside an isolated container or under a dedicated service account to limit file and credential access.
3) Environment leakage: child processes inherit process.env, so do not run it on hosts holding sensitive environment variables unless you accept that risk.
4) Audit and limits: set a strict maximum process count, timeouts, and logging retention; review the code for hidden telemetry or other outbound network behaviour (package files are present, but verify the dependencies pinned in package-lock.json).
5) Source trust: there is no homepage and the owner is unknown; prefer packages from known authors or verify signatures.

If you need this capability but want lower risk, restrict HTTP mode, require authentication, or use CLI-only invocation in an isolated environment. Additional information that would raise confidence: a known upstream repository or homepage, a published release on a reputable host, and a documented authentication or binding configuration for the HTTP server.


latest · vk97fz07yvfe7mg1bwtq4k8vwnx83re5p

