ClawHub

Safe Exec Wrapper

v1.0.0

Protect against prompt injection from shell command output. Wrap untrusted commands (curl, API calls, reading user-generated files) with UUID-based security boundaries. Use when executing commands that return external/untrusted data that could contain prompt injection attacks.

1· 1.7k·8 current·8 all-time
by@jmceleney
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, SKILL.md, and the included script are coherent: a wrapper that prints a security preamble, UUID-marked boundaries, runs the user command, and reports exit code. No unrelated credentials, endpoints, or excessive installs are requested.
Instruction Scope
SKILL.md only instructs copying the script into PATH and wrapping untrusted commands. It does not ask the agent to read unrelated files or exfiltrate data. However the script exposes a --uuid override (useful for testing) which, if misused (or passed by an attacker-controllable input), could subvert the protection. Also the instructions do not call out the script's assumptions about available uuid generation utilities.
Install Mechanism
No packaged install spec; SKILL.md uses a simple copy to ~/.local/bin which is low-risk. The code itself is a small shell script — nothing is downloaded from external URLs or written to unexpected system locations.
!
Credentials
The script relies on environment/system utilities to generate a UUID (reads /proc/sys/kernel/random/uuid or calls uuidgen or python3) but the skill metadata does not declare these as required. If none of these are available, the UUID variable may be empty, producing predictable markers (e.g., <<<STDOUT:>>>), which defeats the entire security model. The --uuid override also allows callers to supply a known UUID, which is dangerous if that value can be influenced by untrusted inputs.
Persistence & Privilege
Skill is not always-included, requests no persistent presence or elevated privileges, and does not alter other skills' configurations.
What to consider before installing
This wrapper is conceptually appropriate and low-risk in terms of installs or hidden network calls, but you should not install it without addressing a couple of practical issues: - Confirm UUID generation: ensure the target environment reliably provides one of /proc/sys/kernel/random/uuid, uuidgen, or python3. If UUID generation can fail, the script may emit empty or predictable markers and the protection is void. Prefer failing loudly (exit) if a UUID cannot be generated. - Avoid --uuid misuse: do not let untrusted inputs or external code supply the --uuid argument. Treat --uuid as a testing/debug option only. Consider removing or restricting it before production use. - Agent enforcement: the script prints a preamble that tells an LLM to ignore untrusted data, but the script does not enforce that at the model level — your agent runtime must be configured to parse and respect the markers (i.e., treat content inside the markers as data, not instructions). The wrapper alone cannot protect an agent that ignores markers. - Operational hygiene: ensure the wrapper is used with a fresh UUID per execution and avoid reusing static UUIDs. Add explicit checks (abort if UUID is empty) and consider logging or audit trails for command invocations. If you can confirm the environment has reliable UUID generation and you control how --uuid is used (or remove that option), the skill is reasonable to install. If not, do not rely on it for prompt-injection protection.

Like a lobster shell, security has layers — review code before you run it.

latestvk977236zpmgh5gdkkk8pk5p5ad80jz81

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments