Safe Exec Wrapper
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent command-output wrapper, but it still runs the underlying command and should be treated as a prompt-boundary aid rather than a sandbox or absolute guarantee.
This appears safe to install if you understand its limits. Use it to label untrusted command output, but continue to review the actual command before running it, especially if the command can modify files, contact services, or use credentials.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A dangerous or privileged command remains dangerous even when wrapped; only the output is labeled as untrusted.
The wrapper directly executes the supplied command and arguments. This is central to the skill's purpose, but it means safe-exec is not a sandbox or allowlist.
# Execute command - stdout and stderr stream naturally
"$@"
Apply normal user approval and scoping to the underlying command, especially for commands that modify files, access accounts, or use credentials.
Over-trusting the wrapper could lead a user or agent to run untrusted commands or process hostile output with less caution than warranted.
The security framing is strong. The implementation is consistent with the purpose, but users should understand it as a prompt-injection mitigation aid, not a complete guarantee that untrusted output can never influence an agent.
This wrapper creates boundaries using random UUIDs that attackers cannot guess, making it impossible to forge closing markers.
Treat safe-exec as defense-in-depth: keep reviewing untrusted output, avoid exposing secrets to untrusted commands, and do not rely on it as a sandbox.
Using a fixed or attacker-influenced UUID would make the output markers easier to imitate.
The script allows a caller-supplied UUID. This can be useful for testing, but if a predictable or externally influenced UUID is used, the boundary-forgery protection is weakened.
if [[ "$1" == "--uuid" ]]; then
    UUID="$2"
    shift 2
fi
Use the default random UUID generation for normal operation; reserve --uuid for controlled testing and consider validating the UUID format.
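As an added illustration (not the audited skill's own code) of the boundary scheme the findings above describe and of the recommended --uuid validation, a minimal POSIX shell wrapper in the same spirit, plus the consumer-side check that only an END marker carrying the same UUID closes the block; the marker text and function names are assumptions:

```shell
# Added example (not the audited skill's code): output is bracketed with
# markers carrying a random UUID so an agent can tell where untrusted text
# begins and ends; a caller-supplied --uuid must be in canonical UUID form.

# Succeed only if $1 is a canonical 8-4-4-4-12 hex UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -Eqi \
        '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Fresh random UUID; falls back to 16 urandom bytes in UUID layout
# (a random nonce, not a version-4 UUID, which is fine for a marker).
gen_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n' |
            sed -E 's/^(.{8})(.{4})(.{4})(.{4})(.{12})$/\1-\2-\3-\4-\5/'
    fi
}

# safe_exec [--uuid UUID] command [args...]
# Brackets the command's stdout with BEGIN/END markers; as in the audited
# excerpt, stderr streams unbracketed. The command's exit status is returned.
safe_exec() {
    local uuid="" status
    if [ "$1" = "--uuid" ]; then
        is_uuid "$2" || { echo "safe-exec: --uuid must be a canonical UUID" >&2; return 2; }
        uuid=$2
        shift 2
    fi
    [ "$#" -gt 0 ] || { echo "usage: safe_exec [--uuid UUID] cmd [args...]" >&2; return 2; }
    [ -n "$uuid" ] || uuid=$(gen_uuid)
    printf 'BEGIN UNTRUSTED OUTPUT %s\n' "$uuid"
    "$@"
    status=$?
    printf 'END UNTRUSTED OUTPUT %s\n' "$uuid"
    return "$status"
}

# Consumer side: print only the lines between the BEGIN marker and the END
# marker carrying the same UUID ($1). An END line with any other UUID is
# just untrusted text and does not close the block.
untrusted_body() {
    awk -v u="$1" '
        $0 == ("END UNTRUSTED OUTPUT " u) { exit }
        inside { print }
        $0 == ("BEGIN UNTRUSTED OUTPUT " u) { inside = 1 }'
}
```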
If added, the agent may keep applying this behavior in future sessions or tasks.
The skill suggests a persistent agent-instruction integration. It is disclosed and narrowly scoped to wrapping untrusted command output.
Add to SOUL.md or agent instructions:
```markdown
When executing shell commands that may produce untrusted output, wrap them with `safe-exec`
```
Only add the persistent instruction if you want this ongoing behavior, and keep it scoped to untrusted command output.
