Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Safe Exec.Bak
v1.0.0
Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agen...
⭐ 0 · 59 · 0 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name and description claim a local command-approval/monitoring tool, and the included scripts do implement an approval flow, a pending queue, and an audit log, which is consistent with that claim. However, the SKILL.md repeatedly states that SafeExec "automatically monitors all shell command executions" and "runs transparently in the background", while the shipped code contains no persistent monitoring daemon, shell hook, or cron job; it provides CLI wrapper scripts that must be invoked explicitly. That mismatch (advertised system-wide monitoring vs. wrapper-based invocation) is a design/claims inconsistency. The SKILL.md metadata also declares a required binary ('jq') and a git install source, whereas the higher-level registry metadata (in the provided summary) lists neither; that is another inconsistency.
Instruction Scope
The runtime instructions ask OpenClaw/agents to 'Enable SafeExec' and promise to intercept all shell commands. The actual scripts work by creating pending JSON files and then executing approved commands; nothing in the bundle hooks into the user's shells. The approve/execute step passes command text read from a pending JSON file to eval, so anyone who can write those files can run arbitrary shell as the user. The SKILL.md's declared capabilities list no monitoring and no network access, which matches the code, yet its prose also promises in-session notifications and 'automatic monitoring' that would need integration not present in the code. The instructions further recommend a one-click install via ClawdHub that will 'automatically download, install and configure'; that presumes platform integration steps not visible here, which could change the skill's behaviour.
Install Mechanism
There is no complex install spec in the registry, but the SKILL.md suggests git-cloning from GitHub (a standard public source) and making the scripts executable. That is low-to-moderate risk and depends entirely on trusting the GitHub repo. No third-party binary downloads or obscure URLs were observed in the shipped files. The SKILL.md metadata's 'install' git entry points to github.com/OTTTTTO/safe-exec.git, which is reasonable; still, confirm that what you clone matches the code inspected here, ideally by checking out the reviewed commit rather than a moving branch.
Credentials
Declared environment variables are modest (SAFE_EXEC_DISABLE, OPENCLAW_AGENT_CALL, SAFE_EXEC_AUTO_CONFIRM). That is appropriate for a local approval tool. However behavior tied to those env vars is significant: OPENCLAW_AGENT_CALL or SAFE_EXEC_AUTO_CONFIRM will make the workflow non-interactive (the scripts treat calls with these set as non-interactive and may skip human confirmation). The skill claims no credentials/network access which matches the code. The mismatch between top-level registry 'required binaries: none' and SKILL.md 'requires: jq' is a small but important inconsistency to resolve before trusting the install.
Persistence & Privilege
The skill writes only to user-owned paths (~/.openclaw/safe-exec/ and the audit log), which is expected, and there is no 'always: true' flag. However, the README/SKILL.md make broad claims about background monitoring and automatic interception 'in the background' while the code shows only CLI wrappers and no persistent monitor; if an installation path or platform integration step adds shell hooks or a background process to achieve global interception, that raises the privilege footprint and must be reviewed. The agent-mode auto-bypass also widens the blast radius for autonomous agents: an agent that can set OPENCLAW_AGENT_CALL in its own environment can make its own command requests non-interactive.
What to consider before installing
Key things to check before installing:
1) Resolve metadata mismatches: SKILL.md declares 'jq' and a git install; the registry listed none — ensure the actual install process will provide jq and uses the GitHub URL you reviewed.
2) Understand how "automatic monitoring" is implemented: the shipped code shows CLI wrappers and pending files, not a background daemon or shell hooks. Ask/inspect any platform integration that claims to "monitor all shell commands" — that step could add persistent hooks or cron jobs.
3) Audit the core scripts (especially safe-exec.sh and the request-creation code). The approval executor passes command text read from JSON files to eval. Make sure the pending directory and files are writable only by the owning user (check ownership and mode, and reject symlinks), and prefer replacing eval with an argv array executed directly, since sanitising free-form command text for eval is fragile.
4) Be cautious about agent-mode auto-bypass: OPENCLAW_AGENT_CALL or SAFE_EXEC_AUTO_CONFIRM cause confirmation to be skipped (non-interactive). If agents are untrusted or multi-tenant, this can let agents run commands without human approval for LOW/MEDIUM risk. Prefer keeping auto-confirm disabled unless you fully trust the agents.
5) Verify that the pending and audit directories are writable only by the user (for example mode 0700 on the directory and 0600 on the files), and rotate/back up the audit log. Don't install system-wide or enable automatic shell hooking without a code review.
6) If you plan to install from the GitHub URL, compare the remote repo contents with the archive reviewed here to ensure no post-publish changes, and check out the specific commit you compared rather than a branch tip.
If you want, I can: (a) point out the exact lines in safe-exec.sh where eval/command execution happens, (b) list the needed hardening changes (e.g. avoid eval, use exec arrays, check file ownership), or (c) produce a short checklist for reviewing the remote repo before cloning.
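The hardening the checklist asks for (items 3 and 4 above, together with the env-var note under Credentials), as an added example that is not code from the safe-exec skill or its repository. It is written in Python rather than the skill's bash so it runs without jq; the pending-file format ({"risk": ..., "argv": [...]}), the stricter LOW-only bypass policy, the helper names and the sample requests are all assumptions constructed for the example. The bash equivalent of the execute step is to read the array with jq into a shell array (`mapfile -t argv < <(jq -r '.argv[]' "$f")`) and invoke `"${argv[@]}"` directly, never eval.

```python
"""Hardened approval/execute step for a pending-file design like the one the
scan describes.  Added example, not code from the safe-exec skill.  Assumed
(hypothetical) pending-file format: {"risk": "LOW"|"MEDIUM"|"HIGH",
"argv": ["cmd", "arg", ...]}; the real skill's file layout is not shown."""
from __future__ import annotations

import json
import os
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


def pending_file_is_trusted(path: Path) -> bool:
    """Only act on a pending file that nobody but the current user could have
    written: a regular file (not a symlink), owned by us, with no group/other
    write bit.  Wherever the skill keeps its queue, the check is the same."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def approval_required(risk: str, env) -> bool:
    """Policy for the env-var bypass the scan flags.  The shipped scripts treat
    OPENCLAW_AGENT_CALL / SAFE_EXEC_AUTO_CONFIRM as 'skip the prompt'; this
    stricter policy (an assumption, not the skill's own) skips it for LOW risk
    only, never for MEDIUM, HIGH, or an unrecognised risk value."""
    auto = env.get("SAFE_EXEC_AUTO_CONFIRM") == "1" or bool(env.get("OPENCLAW_AGENT_CALL"))
    return not (risk == "LOW" and auto)


def load_request(path: Path) -> tuple[str, list[str]]:
    """Parse the request strictly: argv must be a non-empty list of strings.
    Anything else is rejected rather than coerced into a command line."""
    data = json.loads(path.read_text(encoding="utf-8"))
    argv = data.get("argv")
    if not (isinstance(argv, list) and argv and all(isinstance(a, str) for a in argv)):
        raise ValueError("argv must be a non-empty list of strings")
    return str(data.get("risk", "HIGH")), argv


def run_pending(path: Path, env=None) -> Optional[subprocess.CompletedProcess]:
    """Refuse untrusted files, apply the approval policy, then run argv with
    no shell involved, so metacharacters inside an argument stay literal.
    Returns None when a human must approve first."""
    env = os.environ if env is None else env
    if not pending_file_is_trusted(path):
        raise PermissionError(f"refusing pending file others could write: {path}")
    risk, argv = load_request(path)
    if approval_required(risk, env):
        return None
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def unsafe_run_for_contrast(path: Path) -> subprocess.CompletedProcess:
    """The pattern the scan warns about, kept only for comparison: command text
    from the file handed to a shell, the equivalent of bash's
    eval "$(jq -r .command file)".  A tampered file turns 'echo hi' into
    'echo hi; <anything the writer wants>'."""
    command = json.loads(path.read_text(encoding="utf-8"))["command"]
    return subprocess.run(command, shell=True, capture_output=True, text=True, check=False)


def write_request(path: Path, request: dict) -> None:
    """Create a pending file with mode 0600 so it passes pending_file_is_trusted."""
    path.write_text(json.dumps(request), encoding="utf-8")
    os.chmod(path, 0o600)


def demo() -> dict:
    """Constructed requests exercising the three properties above."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "req.json"
        # One argv element that looks like an injection; it is passed literally.
        write_request(p, {"risk": "LOW", "argv": ["echo", "hi; echo INJECTED"]})
        hardened = run_pending(p, env={"SAFE_EXEC_AUTO_CONFIRM": "1"}).stdout
        needs_human = run_pending(p, env={}) is None
        # Same file made group/other-writable: refused before it is even parsed.
        os.chmod(p, 0o666)
        try:
            run_pending(p, env={"SAFE_EXEC_AUTO_CONFIRM": "1"})
            tampered_rejected = False
        except PermissionError:
            tampered_rejected = True
        # The eval-style executor runs both halves of the injected text.
        write_request(p, {"command": "echo hi; echo INJECTED"})
        eval_style = unsafe_run_for_contrast(p).stdout
    return {"hardened": hardened, "needs_human": needs_human,
            "tampered_rejected": tampered_rejected, "eval_style": eval_style}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Run it directly to see the two stdout strings side by side: the hardened executor echoes the whole 'hi; echo INJECTED' argument back as one string, while the eval-style one executes both commands. A 0600 file is not enough on its own if the directory that holds it is writable by others, since they can simply replace the file; the directory mode matters as much as the file mode.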
latest: vk97bt40cfw56c0bzevpaaxdj2583dxam
Runtime requirements
Environment variables
SAFE_EXEC_DISABLE (required)
OPENCLAW_AGENT_CALL (required)
SAFE_EXEC_AUTO_CONFIRM (required)