Safe Exec 0.3.2

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a safe shell-command wrapper, but its approval controls can be bypassed too easily for a tool that is meant to protect dangerous command execution.

Review this carefully before installing. The skill is not proven malicious, but do not rely on it as a strong safety boundary unless you remove or restrict the context-based downgrade, SAFE_EXEC_AUTO_CONFIRM/OPENCLAW_AGENT_CALL approval skipping, and global disable behavior. Install only in an environment where you control the agent prompts, environment variables, and approval flow, and treat the bundled monitoring and publishing docs/tools as out of scope for the core safety wrapper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (38)

Intent-Code Divergence (High severity, 98% confidence)

The document introduces the skill as a unified monitor for GitHub issues and OpenClaw comments, which materially conflicts with the declared skill purpose of safe shell command execution and approval workflows. This kind of manifest-to-behavior mismatch can mislead users and reviewers, conceal unrelated surveillance/notification capabilities, and increase the chance that the skill is granted permissions or trust under false pretenses.

Context-Inappropriate Capability (High severity, 97% confidence)

Monitoring GitHub issues, inspecting OpenClaw comments, and forwarding notifications to Feishu are broad capabilities unrelated to safe command execution. In the context of a security-sensitive execution skill, these extra behaviors expand data access and exfiltration surface without a clear need-to-have relationship, making the skill more dangerous than advertised.

Description-Behavior Mismatch (High severity, 97% confidence)

The documented workflow centers on monitoring GitHub/OpenClaw activity and sending Feishu alerts rather than enforcing safe command execution. This mismatch undermines trust boundaries: operators may install or approve the skill expecting command-risk controls while actually enabling session inspection and outbound notifications.

Intent-Code Divergence (Medium severity, 93% confidence)

The report states that dangerous operations still require prior user approval, but the documented behavior allows confirmation to be skipped purely by setting environment variables such as OPENCLAW_AGENT_CALL or SAFE_EXEC_AUTO_CONFIRM. In an agent-executed or attacker-influenced environment, these variables can weaken or completely bypass the human-oversight control the skill claims to enforce, enabling dangerous commands to run without an actual interactive confirmation step.

Context-Inappropriate Capability (Medium severity, 91% confidence)

SAFE_EXEC_AUTO_CONFIRM introduces a generic manual bypass that is broader than the stated purpose of controlled approval workflow and human oversight. Because environment variables are easy to set by wrappers, subprocesses, or compromised execution contexts, this creates an approval-bypass path that undermines the safety guarantees of the skill.

Description-Behavior Mismatch (Medium severity, 94% confidence)

This documentation introduces a GitHub issue polling and Feishu notification subsystem inside a skill whose declared purpose is safe command execution and approval workflows. That scope mismatch is dangerous because it expands the skill's effective capabilities to network monitoring, persistence via cron, and outbound messaging, which increases attack surface and creates opportunities for covert data exfiltration or unauthorized automation under a trusted skill name.

Context-Inappropriate Capability (Medium severity, 92% confidence)

The documented capability to query GitHub and push notifications to Feishu is not justified by the advertised purpose of safe command execution. In a security-sensitive agent environment, undocumented or weakly justified external communication channels are risky because they can be repurposed for surveillance, beaconing, or exfiltration while appearing to be part of a trusted safety tool.

Description-Behavior Mismatch (High severity, 98% confidence)

The release notes document a global `--disable` switch that bypasses all safety checks and directly executes commands, which undermines the skill's stated purpose of guarded command execution with approval workflow. In an agent setting, a simple off-switch can be abused or accidentally left disabled, turning a safety wrapper into a pass-through for destructive shell commands.

Intent-Code Divergence (Medium severity, 84% confidence)

The documentation claims complete audit tracing while elsewhere stating that only limited `bypassed` events are logged when protection is disabled. This creates a misleading security assurance gap: operators may believe they have full forensic visibility when command details and approval context may be missing or incomplete.

Intent-Code Divergence (Medium severity, 98% confidence)

The FAQ explicitly suggests users can 'directly execute commands (bypass safe-exec)', which undermines the core safety control this skill is supposed to provide. In an agent-execution context, documentation that normalizes bypassing the wrapper increases the chance that operators or downstream agents will execute dangerous shell commands without approval, auditing, or risk checks.

Description-Behavior Mismatch (High severity, 99% confidence)

The script explicitly disables interactivity when OPENCLAW_AGENT_CALL or SAFE_EXEC_AUTO_CONFIRM is set, then proceeds to mark the request approved and execute the stored command without human confirmation. In a tool whose stated purpose is human oversight for dangerous commands, this defeats the approval boundary and allows queued destructive commands to run automatically in exactly the automation contexts where extra safeguards are needed.

Intent-Code Divergence (High severity, 98% confidence)

The script is presented as an approval mechanism, but its behavior in non-interactive mode is to skip confirmation and continue toward execution, which is inconsistent with the security promise implied by its name and description. That mismatch is dangerous because callers may rely on it as a safety gate while an attacker or misconfigured automation can invoke it in a context that silently removes the human-in-the-loop control.

Description-Behavior Mismatch (High severity, 98% confidence)

The script uses SAFEXEC_CONTEXT text matching to downgrade risk and directly execute HIGH and MEDIUM risk commands without an approval step. Because this context is external input and the confirmation keywords are configurable, an agent or caller can inject the phrase and bypass the core safety guarantee that risky commands require human approval.

Description-Behavior Mismatch (Medium severity, 91% confidence)

When SafeExec is disabled, the wrapper logs a bypass event and then executes any command via eval with no protection. A disable switch may be acceptable for administration, but in a tool marketed as safe execution it creates an easy path to defeat enforcement if other components or users can toggle it.

Intent-Code Divergence (Medium severity, 88% confidence)

The status/help text tells users that dangerous commands will be intercepted and require approval, but the implementation later auto-executes some risky commands after context-based downgrade. This mismatch is security-relevant because operators may rely on a stronger approval model than the code actually enforces.

Context-Inappropriate Capability (High severity, 92% confidence)

This script generates a second executable helper that changes git remotes and pushes code/tags to GitHub, which is unrelated to the stated purpose of safe command execution and oversight. In an agent skill, unrelated publication automation expands the trust boundary and can facilitate unintended exfiltration of local repository contents to an external service if invoked by automation or user confusion.

Context-Inappropriate Capability (Medium severity, 86% confidence)

The script offers to stage all changes and create a commit automatically with `git add -A` and `git commit`, altering repository state beyond the advertised safety-monitoring role. In a skill context, this can cause accidental inclusion of sensitive files or unintended source-control changes, especially because `git add -A` is broad and interactive approval is minimal.

Intent-Code Divergence (Medium severity, 78% confidence)

The SafeExec branding and safety-oriented framing can lower operator suspicion while the script proceeds to prepare publication workflows and later creates a push script that modifies remotes and sends code externally. This mismatch is dangerous because users may trust the tool as protective infrastructure rather than scrutinize it as a deployment utility with outbound effects.

Description-Behavior Mismatch (Medium severity, 91% confidence)

This script adds repository publication functionality that is outside the stated purpose of a 'safe command execution' skill. In an agent-skill context, bundling code-publishing behavior increases the attack surface and can enable unintended exfiltration or propagation of code if invoked by an agent or operator who assumes the skill only performs guarded local execution.

Context-Inappropriate Capability (Medium severity, 94% confidence)

The script can modify the Git remote and push code and tags to GitHub, which is not justified by the skill's advertised safety and risk-gated shell-execution purpose. In a trusted agent environment, this kind of capability is sensitive because it can publish local contents to an external service or redirect pushes to an attacker-controlled repository if parameters are manipulated or the script is used unexpectedly.

Missing User Warnings (Medium severity, 94% confidence)

The changelog explicitly states that agent calls automatically bypass confirmation, which weakens the core human-approval control for dangerous command execution. In a skill whose purpose is to gate risky shell actions, silently skipping confirmation in agent/non-interactive contexts can allow destructive commands to run without meaningful human oversight, especially if an attacker can influence environment variables or execution context.

Vague Triggers (Medium severity, 91% confidence)

The release note includes a natural-language installation trigger phrase that is broad enough to plausibly overlap with ordinary user conversation. In agent ecosystems that map free-form utterances to skill actions, this can cause unintended installation or invocation flows, especially because the phrase is presented as a recommended command without any scoping, confirmation wording, or namespace constraints.

Vague Triggers (Medium severity, 93% confidence)

The update phrase is similarly broad and conversational, which increases the chance that a user's ordinary request could be interpreted as an operational command by an agent or orchestration layer. In the context of a skill that manages command execution, unintended updates are particularly risky because they may change executable logic or trust boundaries without deliberate operator intent.

Vague Triggers (Medium severity, 88% confidence)

The installation phrase is broad enough to be triggered during ordinary conversation, which creates a prompt-injection and accidental-install risk. A skill that can auto-install and enable itself based on casual language lowers the bar for unintended execution of network and shell actions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Commands like 'Enable SafeExec', 'Turn on SafeExec', and 'Start SafeExec' are ambiguous and could be triggered by benign discussion, quoted text, or adversarial prompt content. Because enabling changes shell-command mediation globally, ambiguous activation semantics create an avoidable privilege and configuration risk.

VirusTotal

66/66 vendors flagged this skill as clean.