Safe Exec.Bak

Security checks across malware telemetry and agentic risk

Overview

SafeExec is a local shell safety wrapper, but its approval controls can be weakened or bypassed in agent and non-interactive use.

Review before installing. Use this only if you are comfortable with a local tool that can execute arbitrary shell commands and whose safeguards depend on environment variables and pending request files. Keep SAFE_EXEC_AUTO_CONFIRM unset, avoid agent-driven use of safe-exec-approve, do not treat the audit log as tamper-proof, and require explicit human review for sudo, deletion, firewall, service, or other system-changing commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (13)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This script is presented as an approval gate, but in non-interactive mode it explicitly skips confirmation and proceeds to execute the queued command. In the context of a safety wrapper for dangerous shell commands, that defeats the human-approval security boundary and allows any process able to invoke the script with the right environment or terminal conditions to run high-risk commands without real approval.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The approval helper directly executes the stored command via eval, so it is not just recording approval but also acting as a command runner. This broadens the attack surface significantly, because any weakness in request creation, file integrity, or approval flow becomes immediate arbitrary shell execution under the user's privileges.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The code contradicts its own safety comments and weakens protection for dangerous commands based solely on a context string. In this skill, downgrading risk for CRITICAL commands and then routing them through weaker handling creates a realistic approval-bypass path if an attacker can influence SAFEXEC_CONTEXT or user-provided context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation promotes SAFE_EXEC_AUTO_CONFIRM to automatically approve LOW/MEDIUM risk commands without prominently warning that MEDIUM includes privileged or system-modifying actions such as sudo, firewall, service, or cron changes. In an agent context, reducing user confirmation for these actions weakens a key safety boundary and can allow unintended persistence or system changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The non-interactive mode description says the system will skip secondary confirmation for agent calls, but it does not sufficiently warn that this removes an important safeguard exactly in the highest-risk automation scenario. In agent environments, bypassing confirmation can turn misclassification or prompt-driven abuse into real command execution affecting data and system integrity.

Vague Triggers

Low
Confidence
90% confidence
Finding
The activation phrase "Enable SafeExec" is presented as a plain natural-language trigger with no scoped command syntax, which can overlap with ordinary conversation. In agent environments that map chat text directly to actions, this creates a prompt/command ambiguity risk where an unrelated quoted or relayed phrase could enable the skill unintentionally.

Vague Triggers

Low
Confidence
95% confidence
Finding
The approval phrases `approve req_xxxxx` and `reject req_xxxxx` are underspecified and usable as ordinary text, so they may be triggered accidentally or via prompt injection, copied logs, or quoted conversation. Because approval directly authorizes pending dangerous commands, ambiguous parsing here can defeat the intended human-in-the-loop control.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The installation trigger phrase is broad natural language that could be invoked accidentally in normal conversation. In agentic systems, underspecified trigger phrases increase the risk of unintended installation of code from a remote repository without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Phrases like 'Enable SafeExec' or 'Start SafeExec' are common conversational utterances and may overlap with ordinary discussion rather than deliberate authorization. If the platform treats such phrases as executable triggers, this can activate command interception or behavior-changing hooks unintentionally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The wrapper takes user-supplied context and exports it as an environment variable, which can expose potentially sensitive prompts, secrets, or operational context to child processes and logs without explicit disclosure or minimization. In an agent setting, environment variables are commonly inherited broadly, so this can unintentionally widen data exposure beyond the intended safe-exec boundary.

Missing User Warnings

High
Confidence
99% confidence
Finding
In non-interactive mode the script prints that confirmation is being skipped and then continues execution. For a tool whose purpose is to provide human oversight for dangerous commands, this creates an approval bypass that is especially risky in automated agent workflows, CI jobs, or any environment where stdin is not a terminal.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script allows medium- and high-risk commands to execute immediately when confirmation keywords appear in SAFEXEC_CONTEXT, without an interactive approval at execution time. In an agent setting, contextual text is often model- or user-influenced, so treating keyword presence as authorization makes prompt/context injection capable of triggering destructive shell execution.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|------|------|--------|
| `SAFE_EXEC_DISABLE` | Globally disables SafeExec | Unset |
| `OPENCLAW_AGENT_CALL` | Marks an Agent call (auto-detected) | Automatic |
| `SAFE_EXEC_AUTO_CONFIRM` | Auto-approves LOW/MEDIUM risk commands | Unset |
| `SAFEXEC_CONTEXT` | User context information | Empty |

**Usage examples:**
Confidence
92% confidence
Finding
AUTO_CONFIRM

VirusTotal

66/66 vendors flagged this skill as clean.
