ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Safe Exec 0.3.2

Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agents need to execute shell commands that may be dangerous (rm -rf, dd, fork bombs, system directory modifications) or require human oversight. Provides multi-level risk assessment (CRITICAL/HIGH/MEDIUM/LOW), in-session notifications, pending request management, and non-interactive environment support for agent automation.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
4 · 2k · 18 current installs · 20 all-time installs
by@Lucky-2968
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (SafeExec) align with the shipped scripts and docs: there are multiple shell scripts for interception, approval, listing pending requests, and audit logging. However the SKILL.md claims it will “automatically monitor all shell commands” system-wide as a Skill (not a plugin). That capability normally requires either modifying shell startup files, wrapping executables, or being integrated in the host runtime — none of which are declared explicitly. The repository includes wrapper scripts and link/installation guidance (symlinks, PATH changes, OpenClaw config edits), so behavior is plausible, but the SKILL.md overstates 'automatic' system-wide interception without detailing the required host changes.
!
Instruction Scope
Runtime instructions tell the agent/user to install via ClawdHub or git clone and then enable SafeExec so it will 'monitor all shell commands' and intercept dangerous ones. The docs and scripts reference persistent file locations (~/.openclaw/safe-exec/, ~/.openclaw/safe-exec-audit.log, pending/), cron jobs (monitoring), and monitoring of OpenClaw sessions/GitHub issues. The instruction set therefore encourages creating long-lived files, cron/monitoring tasks, and potentially reading OpenClaw session data. The SKILL.md does not require or declare any credentials for external notification channels (Feishu/GitHub) yet the monitoring code and docs describe sending notifications and calling APIs — that scope creep (reading session messages and posting external notifications) is not clearly scoped or constrained in the skill metadata.
Install Mechanism
Registry shows no install spec (instruction-only), which is lower risk. The package itself contains many script files (safe-exec.sh and helpers) and tooling; installation guidance in SKILL.md recommends git clone from GitHub or using ClawdHub. There are no opaque remote downloads or binary installers in the metadata. That said, the SKILL.md suggests an in-chat 'Help me install...' action that will cause the agent/system to fetch & install the skill — you should confirm what exact URL and code will be fetched by that mechanism (the docs reference a GitHub repo but the registry 'Source' is 'unknown' and homepage is empty).
!
Credentials
The skill metadata declares no required environment variables or credentials, but the documentation lists configuration variables (SAFE_EXEC_DISABLE, OPENCLAW_AGENT_CALL, SAFE_EXEC_AUTO_CONFIRM, SAFE_EXEC_FEISHU_GROUP, SAFE_EXEC_AUDIT_LOG) and monitoring features that post to Feishu/GitHub and read OpenClaw session data. The skill may rely on existing OpenClaw CLI/credentials on the host to access session history or send notifications, which is not documented in the registry metadata. In short: no explicit credential requests is plausible, but the code/docs indicate access to external services and agent session content — that access is not declared and thus disproportionate to what the metadata advertises.
Persistence & Privilege
The skill does not request always: true and does not declare elevated privileges. However it writes persistent data under ~/.openclaw/, creates cron/monitoring scripts, and provides non-interactive (agent) bypass behavior (OPENCLAW_AGENT_CALL) that automatically skips confirmations for agent calls. Those are significant operational behaviors: the skill establishes ongoing local presence and can change runtime behavior for automated agent runs. This persistence is expected for a protection tool, but it increases blast radius if the skill were malicious or misconfigured.
What to consider before installing
Things to check before installing: - Source authenticity: SKILL.md and READMEs reference a GitHub repo (OTTTTTO/safe-exec) but the registry shows 'Source: unknown' and no homepage. Verify the canonical repository URL and the publisher identity before installing. - Read the scripts (especially scripts/safe-exec.sh and scripts/safe-exec-ai-wrapper.sh): the package is script-based — inspect what it writes to ~/.openclaw/, what commands it executes, and whether it modifies shell startup files or PATH/symlinks. - Understand how 'automatic monitoring' is implemented: the skill claims to intercept all shell commands. Confirm whether it requires modifying shell rc files, replacing executables, adding wrappers to PATH, or editing OpenClaw config. Any of those actions change system behavior and should be allowed only with explicit user consent. - Non-interactive/agent behavior: changelog and docs say agent (non-interactive) calls can bypass human confirmation (OPENCLAW_AGENT_CALL). If you expect agents to be constrained, this default bypass undermines protection — review and test the non-interactive logic. - External integrations and credentials: unified-monitor and notification docs mention Feishu and GitHub and reading OpenClaw session contents. Determine if the code will use existing OpenClaw CLI credentials or ask for tokens. If the skill can read agent session content, that may expose sensitive conversations — only install if you trust the skill and its maintainer. - Test in a sandbox first: try installing in an isolated environment or container, exercise interception/approval flows, and verify audit logs and cleanup behavior. - Audit log permissions: audit logs store executed commands; ensure log files have appropriate file permissions and rotation to avoid leaking sensitive command contents. - Prefer manual install: rather than the one-click in-chat install, consider cloning the repository yourself, reviewing the code, and installing with explicit, audited steps. If you cannot confirm the publisher identity or cannot review the scripts, treat this skill as higher risk and avoid enabling it on production or sensitive machines.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk970d71bvyw4gdx8twat46tbvx80h7g8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

SafeExec - Safe Command Execution

Provides secure command execution capabilities for OpenClaw Agents with automatic interception of dangerous operations and approval workflow.

Features

  • 🔍 Automatic danger pattern detection - Identifies risky commands before execution
  • 🚨 Risk-based interception - Multi-level assessment (CRITICAL/HIGH/MEDIUM/LOW)
  • 💬 In-session notifications - Real-time alerts in your current terminal/session
  • User approval workflow - Commands wait for explicit confirmation
  • 📊 Complete audit logging - Full traceability of all operations
  • 🤖 Agent-friendly - Non-interactive mode support for automated workflows
  • 🔧 Platform-agnostic - Works independently of communication tools (Feishu, Telegram, etc.)

Quick Start

Installation (One Command)

The easiest way to install SafeExec:

Just say in your OpenClaw chat:

Help me install SafeExec skill from ClawdHub

OpenClaw will automatically download, install, and configure SafeExec for you!

Alternative: Manual Installation

If you prefer manual installation:

# Using ClawdHub CLI
export CLAWDHUB_REGISTRY=https://www.clawhub.ai
clawdhub install safe-exec

# Or download directly from GitHub
git clone https://github.com/OTTTTTO/safe-exec.git ~/.openclaw/skills/safe-exec
chmod +x ~/.openclaw/skills/safe-exec/safe-exec*.sh

Enable SafeExec

After installation, simply say:

Enable SafeExec

SafeExec will start monitoring all shell commands automatically!

How It Works

Once enabled, SafeExec automatically monitors all shell command executions. When a potentially dangerous command is detected, it intercepts the execution and requests your approval through in-session terminal notifications.

Architecture:

  • Requests stored in: ~/.openclaw/safe-exec/pending/
  • Audit log: ~/.openclaw/safe-exec-audit.log
  • Rules config: ~/.openclaw/safe-exec-rules.json

Usage

Enable SafeExec:

Enable SafeExec

Turn on SafeExec

Start SafeExec

Once enabled, SafeExec runs transparently in the background. Agents can execute commands normally, and SafeExec will automatically intercept dangerous operations:

Delete all files in /tmp/test

Format the USB drive

SafeExec detects the risk level and displays an in-session prompt for approval.

Risk Levels

CRITICAL: System-destructive commands (rm -rf /, dd, mkfs, etc.) HIGH: User data deletion or significant system changes MEDIUM: Service operations or configuration changes LOW: Read operations and safe file manipulations

Approval Workflow

  1. Agent executes a command
  2. SafeExec analyzes the risk level
  3. In-session notification displayed in your terminal
  4. Approve or reject via:
    • Terminal: safe-exec-approve <request_id>
    • List pending: safe-exec-list
    • Reject: safe-exec-reject <request_id>
  5. Command executes or is cancelled

Example notification:

🚨 **Dangerous Operation Detected - Command Intercepted**

**Risk Level:** CRITICAL
**Command:** `rm -rf /tmp/test`
**Reason:** Recursive deletion with force flag

**Request ID:** `req_1769938492_9730`

ℹ️  This command requires user approval to execute.

**Approval Methods:**
1. In terminal: `safe-exec-approve req_1769938492_9730`
2. Or: `safe-exec-list` to view all pending requests

**Rejection Method:**
 `safe-exec-reject req_1769938492_9730`

Configuration

Environment variables for customization:

  • SAFE_EXEC_DISABLE - Set to '1' to globally disable safe-exec
  • OPENCLAW_AGENT_CALL - Automatically enabled in agent mode (non-interactive)
  • SAFE_EXEC_AUTO_CONFIRM - Auto-approve LOW/MEDIUM risk commands

Examples

Enable SafeExec:

Enable SafeExec

After enabling, agents work normally:

Delete old log files from /var/log

SafeExec automatically detects this is HIGH risk (deletion) and displays an in-session approval prompt.

Safe operations pass through without interruption:

List files in /home/user/documents

This is LOW risk and executes without approval.

Global Control

Check status:

safe-exec-list

View audit log:

cat ~/.openclaw/safe-exec-audit.log

Disable SafeExec globally:

Disable SafeExec

Or set environment variable:

export SAFE_EXEC_DISABLE=1

Reporting Issues

Found a bug? Have a feature request?

Please report issues at: 🔗 https://github.com/OTTTTTO/safe-exec/issues

We welcome community feedback, bug reports, and feature suggestions!

When reporting issues, please include:

  • SafeExec version (run: grep "VERSION" ~/.openclaw/skills/safe-exec/safe-exec.sh)
  • OpenClaw version
  • Steps to reproduce
  • Expected vs actual behavior
  • Relevant logs from ~/.openclaw/safe-exec-audit.log

Audit Log

All command executions are logged with:

  • Timestamp
  • Command executed
  • Risk level
  • Approval status
  • Execution result
  • Request ID for traceability

Log location: ~/.openclaw/safe-exec-audit.log

Integration

SafeExec integrates seamlessly with OpenClaw agents. Once enabled, it works transparently without requiring changes to agent behavior or command structure. The approval workflow is entirely local and independent of any external communication platform.

Platform Independence

SafeExec operates at the session level, working with any communication channel your OpenClaw instance supports (webchat, Feishu, Telegram, Discord, etc.). The approval workflow happens through your terminal, ensuring you maintain control regardless of how you're interacting with your agent.

Support & Community

License

MIT License - See LICENSE for details.

Files

36 total
Select a file
Select a file to preview.

Comments

Loading comments…