v1.0.0

Safe Exec.Bak

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:59 AM.

Analysis

SafeExec is mostly coherent as a local command-safety wrapper, but its approval path can execute pending shell commands without an interactive human check in agent mode, and its install/provenance metadata is inconsistent.

Guidance: Only install this if you are comfortable with a skill that can execute shell commands under your user account. Before enabling it, verify the source/version, make sure agents cannot approve their own dangerous commands, and treat the audit and pending-request files as sensitive local data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/safe-exec-approve.sh
if [[ -n "$OPENCLAW_AGENT_CALL" ]] || [[ -n "$SAFE_EXEC_AUTO_CONFIRM" ]]; then
    IS_INTERACTIVE=false
fi
...
echo "🤖 Non-interactive environment - skipping confirmation automatically"
...
eval "$COMMAND"

The approval helper disables interactive confirmation when called in agent/auto-confirm mode and then executes the stored command via eval. Because eval re-parses the stored string, any shell syntax in the pending command (command separators, substitutions, redirections) is honored at approval time rather than treated as literal arguments.

User impact: A pending dangerous shell command could be executed from an agent/non-interactive approval flow without a separate human yes/no prompt, undermining the safety layer the skill is meant to provide.
Recommendation: Require a verified human approval channel for HIGH/CRITICAL commands, prevent agents from approving their own pending requests, and avoid using eval where a safer argv-based execution path is possible.
Agent Goal Hijack
Severity: Medium | Confidence: Medium | Status: Concern
CHANGELOG.md
Context-aware risk assessment: Detect user confirmation keywords ... HIGH + confirmation → LOW (direct execution)

The documented design allows contextual confirmation words to downgrade high-risk commands to direct execution rather than requiring a separate approval step.

User impact: If confirmation wording is supplied through agent-controlled or untrusted context, a risky command may be treated as safer than it is.
Recommendation: Do not downgrade HIGH/CRITICAL risk based on free-form context; use a structured, authenticated approval event that is separate from normal prompt or context text.
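The two recommendations above (an argv-based execution path with no agent self-approval, and a verdict that cannot be downgraded by confirmation words in context) can be illustrated with one small helper. The script below is an added example written for this review; it is not the SafeExec skill's own code. The pending-request file format (one `risk=` line followed by one argv element per line), the function names, and the risk-level names are assumptions made for the illustration. Terminal detection is passed in as a parameter so the policy can be exercised without a TTY; a real helper would compute it with `[[ -t 0 ]]`.

```shell
#!/usr/bin/env bash
# Added example, not SafeExec's code: approve pending requests without eval,
# refuse agent self-approval for HIGH/CRITICAL, and take no free-form context.
# File format, function names and risk-level names are assumptions.
set -euo pipefail

# Assumed on-disk format of one pending request: line 1 "risk=<LEVEL>",
# then exactly one argv element per line. No shell syntax is ever stored,
# so nothing ever needs to be re-parsed at approval time.
write_request() {                      # write_request FILE RISK ARGV...
    local file=$1 risk=$2; shift 2
    { printf 'risk=%s\n' "$risk"; printf '%s\n' "$@"; } > "$file"
}

# Approval policy. Prints "approve" or "refuse: <reason>". Its only inputs are
# the stored risk level, an agent/auto marker (what OPENCLAW_AGENT_CALL or
# SAFE_EXEC_AUTO_CONFIRM would signal in the scanned script) and whether a
# human terminal is attached. Confirmation words in prompt or context text
# are deliberately not an input, so they cannot downgrade HIGH/CRITICAL.
approval_verdict() {                   # approval_verdict RISK AGENT_MARKER ON_TTY
    local risk=$1 agent=$2 on_tty=$3
    case "$risk" in
        LOW|MEDIUM) echo "approve" ;;
        HIGH|CRITICAL)
            if [[ -n "$agent" ]]; then
                echo "refuse: an agent may not approve its own $risk request"
            elif [[ "$on_tty" != "yes" ]]; then
                echo "refuse: $risk requires an interactive human yes/no"
            else
                echo "approve"
            fi ;;
        *) echo "refuse: unknown risk level '$risk'" ;;
    esac
}

# Execute one request file. On approval, runs the stored argv words exactly as
# stored (no eval, no word splitting) and prints the command's stdout; on
# refusal, prints the reason and runs nothing.
run_request() {                        # run_request FILE AGENT_MARKER ON_TTY
    local file=$1 agent=$2 on_tty=$3 key risk line verdict
    local -a argv=()
    {
        IFS='=' read -r key risk
        while IFS= read -r line; do argv+=("$line"); done
    } < "$file"
    (( ${#argv[@]} )) || { echo "refuse: empty argv"; return 0; }
    verdict=$(approval_verdict "$risk" "$agent" "$on_tty")
    if [[ "$verdict" != "approve" ]]; then
        echo "$verdict"
        return 0
    fi
    "${argv[@]}"
}

# Demo on a constructed request. The argument looks like an injection attempt,
# but because it is a single argv element, echo prints it verbatim instead of
# the shell running a second command.
demo() {
    local tmp; tmp=$(mktemp)
    write_request "$tmp" HIGH echo 'hello; touch /tmp/safe-exec-demo'
    echo "agent, no tty : $(run_request "$tmp" agent no)"
    echo "human, tty    : $(run_request "$tmp" "" yes)"
    rm -f "$tmp"
}
demo
```

Two choices carry the security argument: the risk level is read from the stored request, never recomputed from whatever text surrounds the approval, and an agent or auto-confirm marker on a HIGH/CRITICAL request is a hard refusal rather than a reason to skip the prompt. The request stores argv elements, so the stored command is run with `"${argv[@]}"` and shell metacharacters in any element stay literal.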
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
"install": [{ "id": "git", "kind": "git", "url": "https://github.com/OTTTTTO/safe-exec.git" }]

The skill advertises a GitHub install path even though the registry metadata says there is no install spec and the source is unknown; the bundled _meta.json also differs from the evaluated registry identity.

User impact: For a tool that can run shell commands, unclear package identity and installation provenance make it harder for a user to verify what they are installing.
Recommendation: Align the registry metadata, SKILL.md, and _meta.json; declare the install source and required jq binary consistently; use a pinned release or commit for manual git installation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Requests stored in: `~/.openclaw/safe-exec/pending/` ... Audit log: `~/.openclaw/safe-exec-audit.log`

The skill persistently stores pending command requests and audit logs containing command activity.

User impact: Local logs and pending request files may reveal sensitive command arguments, paths, or operational details if the machine or home directory is shared.
Recommendation: Keep the log directory private, avoid putting secrets directly in shell commands, and provide clear log rotation/cleanup guidance.