Persistent Code Terminal
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: persistent-code-terminal Version: 1.2.0 The skill's core functionality involves executing arbitrary shell commands via `persistent-code-terminal-send.sh` and `persistent-code-terminal-codex-exec.sh`, driven by AI interpretation of user input (as instructed in `SKILL.md` and processed by `persistent-code-terminal-route.sh`). This design presents a significant Remote Code Execution (RCE) vulnerability if the AI agent can be prompted to generate and execute malicious commands. While the skill includes mitigating factors like Codex's `--sandbox workspace-write` flag, opt-in auto-routing (`openclaw.config.dev.json`), and security advisories in `README.md`, the direct execution of AI-generated commands without robust input sanitization for the commands themselves makes it a high-risk component. There is no evidence of intentional malicious behavior such as data exfiltration or backdoors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used, Codex can edit files and run project commands without step-by-step prompts, within the configured sandbox and current workspace.
The Codex helper defaults to full-auto execution with workspace write access in the current directory. This is disclosed and core to the skill, but it gives the agent authority to modify project files.
DEFAULT_FLAGS=(--full-auto --sandbox workspace-write --cd "$(pwd)")
Use this only in repositories where automated edits are acceptable, keep the workspace sandbox enabled, and give explicit limits such as no push or no commit when desired.
If auto routing is enabled globally, coding commands may run from an unexpected non-repository directory, increasing the chance of modifying the wrong files.
The shown guard skips auto execution only when the directory is not a git repo and no global skill exists. That means a global install can allow the route flow to continue outside a git repository, which is broader than the documented git-repo safety filter.
if [ "$WORKING_DIR_IS_GIT_REPO" != "true" ] && [ "$GLOBAL_SKILL_EXISTS" != "true" ]; then ... auto execution skipped.
Leave autoCodeRouting disabled unless needed, and update the route guard to require a git repository for all auto-execution paths unless the user explicitly selects a target directory.
A stale terminal marker could make the skill start follow-up or retry actions while another code-modifying task is still running, creating conflicting edits or misleading summaries.
The auto loop treats any non-null lastExitCode from read.sh as completion. Because read.sh derives lastExitCode from the latest sentinel in the captured tmux pane, a reused session can pick up an old sentinel and cause the auto loop to report success or retry before the current Codex command has actually finished.
exit_token="$(printf '%s\n' "$read_json" | parse_last_exit_from_read_json)"; if [ -n "$exit_token" ] && [ "$exit_token" != "null" ]; then ... return 0
Tie completion markers to a per-command ID or capture baseline, and avoid auto-retry/auto-routing in important branches until this is fixed.
If you ask it to commit or push, it may change remote repositories using your configured Git identity.
The skill acknowledges that workflows may perform privileged actions such as git push, which would use the user's existing repository credentials and permissions. This is expected for the coding workflow but high-impact.
For network/privileged actions (for example `git push`), follow active Codex approval/sandbox policy.
Use feature branches, avoid main/master unless explicit, and require confirmation for push operations in sensitive repositories.
Commands that print tokens, logs, or untrusted instructions could be shown to the agent later through summary/read output.
The summary command captures recent tmux pane output and returns it as recentOutput. This is useful for observability but can bring old terminal output, secrets, or untrusted text back into the agent context.
CAPTURED="$(tmux capture-pane -pt "$SESSION" -S "-$LINES")" ... "recentOutput": "$(pct_json_escape "$CAPTURED")"
Avoid printing secrets in this terminal, clear or kill sessions when done, and review summary output before relying on it.
A build, dev server, or Codex task may continue after you close the chat or disconnect from SSH.
The skill intentionally keeps tmux sessions alive across disconnects and chat turns. This persistence is disclosed and central to the purpose, but users should be aware that commands can continue running.
keep long-running tasks alive (dev server, watch mode, etc.)
Use the list/status/summary tools to monitor sessions and the kill script to stop sessions you no longer need.