Safe Tool Executor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill claims to gate dangerous tool use, but the included implementation does not actually enforce approval or blocking, and it declares wallet/signing capability signals that nothing in its documentation explains.

Review carefully before installing. This does not look like data-stealing code, but it should not be trusted as a real safety gate for destructive tools until the approval and blocking logic is implemented and the unexplained wallet/signing capability signals are resolved.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent relies on this as a safety gate, dangerous or unknown commands may be treated as allowed instead of requiring approval.

Why it was flagged

The execution path returns OK for every classified tool and defaults unknown tools to READ_ONLY, without calling requires_approval or blocking DELETE/DANGEROUS tiers.

Skill content

    def execute(self, tool_name, args):
        tier = self.classify_tool(tool_name)
        return {'status': 'OK', 'tier': tier.name, 'tool': tool_name}
    ...
    return ToolTier.READ_ONLY  # Default to safest

Recommendation

Do not rely on this as an enforcement layer until it denies unknown tools by default, blocks dangerous tiers, parses arguments safely, and requires explicit user approval before high-impact actions.

What this means

If those capabilities are actually enabled, the skill may involve wallet or credential authority without a clear purpose or scope.

Why it was flagged

These high-impact capability signals are not explained by the SKILL.md purpose, and the requirements metadata says there are no required env vars or primary credentials.

Skill content

    - requires-wallet
    - can-sign-transactions
    - requires-sensitive-credentials

Recommendation

Clarify or remove these capability signals; if wallet signing is intended, document exact providers, scopes, approval prompts, and per-transaction confirmation requirements.

What this means

The skill may not work as described unless those local services already exist and are trustworthy.

Why it was flagged

The documentation references local watchdog and Qdrant dependencies, but the registry requirements declare no required binaries, config paths, or install steps.

Skill content

    VLS Watchdog | Active  | `curl -s http://localhost:6333/collections/vls_watchdog`
    ...
    Qdrant       | Running | `curl -s http://localhost:6333/collections`

Recommendation

Document the required local services, their expected configuration, and how users can verify they control the localhost endpoints.

What this means

Users or agents may trust a safety guarantee that the supplied code does not actually provide.

Why it was flagged

The documentation promises deletion blocking and human approval, but the included implementation's execute method returns OK and does not perform that approval workflow.

Skill content

    # DELETE tool - BLOCKED without approval
    result = executor.execute('rm', '/important/file.txt')
    #  BLOCKED: requires human approval

Recommendation

Align the documentation with the implementation, add tests proving dangerous operations are blocked, and clearly disclose any limitations or placeholder behavior.