Back to skill

Security audit

Safe Exec 0.3.2

Security checks across malware telemetry and agentic risk

Overview

SafeExec is a real local command-safety wrapper, but its approval bypasses can let risky commands run without reliable human approval.

Install only if you are comfortable with a local shell wrapper that can execute arbitrary commands and if you will keep it enabled, avoid SAFE_EXEC_AUTO_CONFIRM or agent-driven approvals, and avoid relying on SAFEXEC_CONTEXT text as proof of consent. Treat the included Git publishing tools and monitoring documents as extra scope to review before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (75)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises automatic installation, shell command monitoring, GitHub cloning, and execution of local shell scripts, which implies shell and network capabilities without any declared permission model. This creates a transparency and trust problem: users may enable a skill that can fetch code and run commands without an explicit capability declaration or consent boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
A description-behavior mismatch is high risk because users rely on the stated purpose to judge safety, while hidden Git/release/publishing automation could modify repositories, create tags, configure remotes, or push code unexpectedly. If the broader package includes functionality unrelated to safe command interception, that materially expands attack surface and could lead to unauthorized source control changes or data exfiltration.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The changelog simultaneously states that approval/security features are preserved and that agent or non-interactive calls automatically skip confirmation. For a tool whose purpose is to add human oversight to dangerous shell execution, silently removing the approval gate for agent-triggered use materially weakens the control and can let destructive commands proceed without the intended review.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documented global disable switch allows all commands to execute directly without any safety checks, which defeats the core protection promised by the skill. If an attacker, compromised agent, or misconfigured workflow can toggle this state, they can bypass all risk assessment and approval controls and run destructive shell commands unrestricted.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented monitoring components expand the skill from local safe command execution into GitHub/OpenClaw issue and comment monitoring, which is a materially broader capability than the declared purpose. In an agent skill, undocumented or weakly justified external monitoring features increase the attack surface, can enable collection or triggering from remote content, and make it harder for users to reason about trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Publishing and push tooling introduces repository-modifying capabilities that are unrelated to merely assessing and gating dangerous shell commands. In an agent context, this creates a stronger risk because a compromised or misused skill could alter remote repositories, exfiltrate code through commits, or persist malicious changes under the guise of utility tooling.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This document describes a GitHub/OpenClaw monitoring and notification system inside a skill whose stated purpose is safe shell command execution with approval workflows. That capability mismatch is dangerous because it can normalize or conceal unrelated data-collection and background-monitoring behavior under a trusted security-oriented skill name, increasing the chance of unauthorized monitoring or misuse.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Monitoring GitHub issues via API and forwarding notifications to Feishu is outside the minimum functionality implied by a safe command execution skill. Unrelated network access and notification channels expand the attack surface and can be repurposed for unexpected data exfiltration or covert operational behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Cron-based background execution and session/message inspection introduce persistent monitoring behavior unrelated to safe command execution. Background jobs and message inspection are especially sensitive because they can run without immediate user awareness and collect data over time.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file title and opening description present the skill as a unified monitoring system rather than a command-safety tool, directly contradicting the declared SafeExec intent. This kind of identity mismatch is dangerous because users may trust the skill for one purpose while it performs materially different monitoring functions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This document describes a GitHub issue monitor with scheduled polling, Feishu messaging, and local issue-tracking state under a skill whose declared purpose is safe shell command execution and approval workflows. That capability mismatch is dangerous because it can hide unrelated networked automation inside a trusted security-oriented skill, reducing user scrutiny and enabling unnoticed data flow or persistence.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Periodic GitHub API access and external Feishu notifications are unrelated to the stated mission of safe command execution, so they expand the skill's privilege and data-exposure surface without clear justification. In the context of a safety-focused skill, this makes the behavior more suspicious because users may trust it with elevated confidence while it performs outbound communication and scheduled monitoring.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The release notes explicitly introduce a global disable mode that bypasses all safety checks, which undermines the skill's stated purpose of safe command execution with approval gates. In the context of an agent-facing safety wrapper, documenting and normalizing a full bypass materially increases the chance that dangerous commands will run without review.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document markets the enabled state as 'maximum protection' and the release as production-ready, yet the shown implementation allows complete protection bypass and direct `eval` execution when disabled. This creates a dangerous mismatch between user expectations and actual guarantees, and the `eval` path adds command-injection risk if untrusted input reaches the wrapper.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The release notes state that the approval workflow is unchanged, but earlier sections explicitly document that confirmation is automatically skipped when OPENCLAW_AGENT_CALL or SAFE_EXEC_AUTO_CONFIRM is set. This is security-significant because it can mislead operators into believing human approval still occurs in agent/non-interactive contexts, reducing scrutiny around dangerous command execution.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The FAQ explicitly suggests users can 'directly execute commands' to bypass the safety wrapper. In a tool whose purpose is to enforce review and approval for dangerous commands, documentation that normalizes bypassing the guardrail undermines the control and can lead agents or users to execute destructive operations without interception.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
In non-interactive mode, the script explicitly skips human confirmation, then immediately marks the request as approved and executes the stored command with eval. This defeats the stated safety/approval model and allows any pending dangerous command to run automatically in automation contexts, which is especially risky for a tool meant to gate destructive shell execution.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script treats agent-driven or auto-confirm environments as non-interactive, prints that confirmation is skipped, and still proceeds to approve and run the command. For a skill advertised as providing human oversight for dangerous commands, this is a direct bypass of the approval workflow and enables unattended execution of potentially destructive operations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script exposes a global disable switch that causes all subsequent commands to be executed via eval without any approval, validation, or protective checks. In a tool whose stated purpose is safe execution with dangerous-command interception, this creates a complete fail-open path that can be abused by any actor able to toggle the setting or influence the rules file.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The context-aware path treats a generic keyword match in SAFEXEC_CONTEXT as proof of user approval, then directly executes medium/high-risk commands or downgrades critical ones. Because this approval signal is just untrusted text input rather than a separate authenticated human action, an agent or attacker can inject the phrase and bypass the intended approval workflow.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The status text claims dangerous commands will be intercepted and approved, but the implementation can be disabled entirely and can auto-allow risky commands through context keywords. This mismatch is security-relevant because operators may trust the tool's guarantees and unknowingly run it in an unprotected mode.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script generates and instructs use of a helper that modifies the Git remote and pushes code/tags to GitHub, which is outside the stated purpose of a 'safe command execution' skill with approval and audit controls. In an agent-skill context, unrelated repository publication capability expands the trust boundary and could cause unintended code exfiltration or remote reconfiguration if invoked by automation.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file implements a GitHub publishing assistant rather than the manifest-described controls for dangerous command detection, risk assessment, approval workflow, and audit logging. This mismatch is dangerous because operators may trust the skill for one security-sensitive purpose while it actually contains unrelated release automation, increasing the chance of unintended execution and hidden capability creep.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatically bypassing the confirmation prompt for agent calls reduces a key safety barrier, and the changelog does not indicate a strong user-facing warning or compensating control. In the context of a shell-execution safety wrapper, this creates a dangerous trust gap where automated callers can perform risky actions without the expected friction or operator awareness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly explains multiple ways to disable SafeExec, including an environment variable and script flags, without prominently warning that this removes command-interception safeguards. In an agent-automation context, easy undocumented-or-underwarned disabling of the protection layer can lead to dangerous commands executing without human review.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.confirmation_bypass, suspicious.destructive_delete_command

Risky command approval can be bypassed through environment or context signals.

Critical
Code
suspicious.confirmation_bypass
Location
scripts/safe-exec.sh:12

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
docs/FIX_REPORT_v0.1.3.md:66

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
README-detail.md:417