ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Safe Exec

Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agen...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
8 · 6.9k · 94 current installs · 102 all-time installs
by@OTTTTTO
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (intercept dangerous shell commands and provide an approval workflow) matches the included bash scripts and audit-log behavior. However the documentation asserts "automatically monitors all shell command executions" and "runs transparently in the background" while also declaring "No background monitoring processes" — the package appears to be a wrapper that requires routing commands through it (e.g., via agent configuration or symlinks), not a system-wide interceptor. There is also a small metadata mismatch: SKILL.md declares a dependency on jq and a git install step, but the top-level registry metadata lists none; this inconsistency should be clarified.
!
Instruction Scope
SKILL.md and READMEs repeatedly claim full session/command monitoring and in-session prompts but the shipped code is a set of wrapper/utility scripts (safe-exec.sh, approve/list/reject, AI wrapper). There is no visible code that would transparently hook every shell invocation system-wide; instead the agent or user must route commands through safe-exec. That difference (wrapper vs global monitor) is material and under-documented. Additionally, agent-mode behavior (non-interactive auto-bypass) is documented but grants automated flows the ability to execute commands with less human friction — this is within the skill's purpose but expands what will run automatically.
Install Mechanism
No high-risk installers (archive downloads or shorteners) are used; SKILL.md recommends cloning from GitHub (https://github.com/OTTTTTO/safe-exec.git). The package included in the registry contains the scripts and docs. The install flow is git-based and transparent, which is reasonable, but the registry listing lacks the same install metadata so the install guidance in SKILL.md should be treated as authoritative only after verifying the repository source.
Credentials
The skill declares only local control env vars (SAFE_EXEC_DISABLE, OPENCLAW_AGENT_CALL, SAFE_EXEC_AUTO_CONFIRM) and writes to ~/.openclaw/safe-exec/ and an audit log — no external credentials or network access. That is proportional. However SAFE_EXEC_AUTO_CONFIRM and OPENCLAW_AGENT_CALL are explicit switches that allow non-interactive approvals; if set or used by an agent, LOW/MEDIUM commands (and in some flows approvals) may be auto-executed without human confirmation. If you enable these env vars or allow agents to set them, the blast radius increases.
Persistence & Privilege
The skill is not 'always:true' and doesn't request elevated platform privileges, and it persists data under the user home (~/.openclaw). However there is ambiguous language about running 'in the background' vs 'no background processes'. The included files show a pending queue and logs (persistent files), but no cron/daemon scripts in the provided files. Before trusting it, verify the main entrypoint safe-exec.sh for any modifications to shell startup files (e.g., .bashrc) or installation steps that alter PATH or create persistent hooks.
What to consider before installing
What to check before installing: - Verify the git repository (https://github.com/OTTTTTO/safe-exec.git) content and commit history yourself rather than relying solely on the SKILL.md claims. - Inspect the main script (~/.openclaw/skills/safe-exec/safe-exec.sh) to confirm how it intercepts commands: is it a wrapper that agents must call, or does it install shell hooks or modify startup files? Look for any edits to ~/.bashrc, ~/.profile, /etc files, or creation of daemons. - Understand agent-mode auto-approval: avoid setting SAFE_EXEC_AUTO_CONFIRM or exposing OPENCLAW_AGENT_CALL to untrusted agents. If you need automation, restrict which agents can set these vars and review the audit log frequently. - Ensure jq (declared dependency) is installed and that the git source is what you expect; the registry metadata and SKILL.md differ on declared requirements—clarify this discrepancy with the author or maintainer. - Test in an isolated or VM environment first (try harmless commands and known dangerous patterns) to confirm behaviour and that audit logs are generated and complete. - If you need a true system-wide interceptor rather than a wrapper, do not assume this skill provides that; ask the maintainer for explicit technical details about how global monitoring (if any) is implemented. Given the inconsistencies and the potential for agents to auto-execute commands via auto-confirm switches, treat this package with caution and validate the exact runtime behavior before enabling it in production or on important systems.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.3.4
Download zip
audit-logvk974a9fzv2bsj44fdq36f901zs80b2p8command-executionvk974a9fzv2bsj44fdq36f901zs80b2p8latestvk97fdp888hv9cb4zsb2gngc9px81zrr2risk-assessmentvk974a9fzv2bsj44fdq36f901zs80b2p8securityvk97f3xgxdxrcmr575k37fcm3th81wz4p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Environment variables
SAFE_EXEC_DISABLErequired
OPENCLAW_AGENT_CALLrequired
SAFE_EXEC_AUTO_CONFIRMrequired

SKILL.md

SafeExec - Safe Command Execution

Provides secure command execution capabilities for OpenClaw Agents with automatic interception of dangerous operations and approval workflow.

Features

  • 🔍 Automatic danger pattern detection - Identifies risky commands before execution
  • 🚨 Risk-based interception - Multi-level assessment (CRITICAL/HIGH/MEDIUM/LOW)
  • 💬 In-session notifications - Real-time alerts in your current terminal/session
  • User approval workflow - Commands wait for explicit confirmation
  • 📊 Complete audit logging - Full traceability of all operations
  • 🤖 Agent-friendly - Non-interactive mode support for automated workflows
  • 🔧 Platform-agnostic - Works independently of communication tools (webchat, Feishu, Telegram, etc.)
  • 🔐 Security-focused - No monitoring, no external notifications, no network calls

Agent Mode

When called by OpenClaw agents in non-interactive environments:

  • Automatic bypass of confirmation prompts - Prevents agent hanging
  • Full audit logging - All executions recorded with mode label (agent_auto vs user_approved)
  • Safety preserved - Danger pattern detection and risk assessment remain active
  • Intended use case - Automated workflows with human oversight via audit logs

Environment variables:

  • OPENCLAW_AGENT_CALL - Set by OpenClaw when agent executes commands
  • SAFE_EXEC_AUTO_CONFIRM - Manual override to auto-approve LOW/MEDIUM risk commands

Security Note: Agent mode does not disable safety checks. CRITICAL and HIGH risk commands are still intercepted, logged, and can be reviewed in audit trail.

Quick Start

Installation (One Command)

The easiest way to install SafeExec:

Just say in your OpenClaw chat:

Help me install SafeExec skill from ClawdHub

OpenClaw will automatically download, install, and configure SafeExec for you!

Alternative: Manual Installation

If you prefer manual installation:

# Clone from GitHub
git clone https://github.com/OTTTTTO/safe-exec.git ~/.openclaw/skills/safe-exec

# Make scripts executable
chmod +x ~/.openclaw/skills/safe-exec/safe-exec*.sh

# Create symlinks to PATH (optional)
ln -s ~/.openclaw/skills/safe-exec/safe-exec.sh ~/.local/bin/safe-exec
ln -s ~/.openclaw/skills/safe-exec/safe-exec-*.sh ~/.local/bin/

Enable SafeExec

After installation, simply say:

Enable SafeExec

SafeExec will start monitoring all shell commands automatically!

How It Works

Once enabled, SafeExec automatically monitors all shell command executions. When a potentially dangerous command is detected, it intercepts the execution and requests your approval through in-session terminal notifications.

Architecture:

  • Requests stored in: ~/.openclaw/safe-exec/pending/
  • Audit log: ~/.openclaw/safe-exec-audit.log
  • Rules config: ~/.openclaw/safe-exec-rules.json
  • No external network calls
  • No background monitoring processes

Usage

Enable SafeExec:

Enable SafeExec

Turn on SafeExec

Start SafeExec

Once enabled, SafeExec runs transparently in the background. Agents can execute commands normally, and SafeExec will automatically intercept dangerous operations:

Delete all files in /tmp/test

Format the USB drive

SafeExec detects the risk level and displays an in-session prompt for approval.

Risk Levels

CRITICAL: System-destructive commands (rm -rf /, dd, mkfs, fork bombs) HIGH: User data deletion or significant system changes (chmod 777, curl | bash) MEDIUM: Service operations or configuration changes (sudo, firewall modifications) LOW: Read operations and safe file manipulations

Approval Workflow

  1. Agent executes a command
  2. SafeExec analyzes the risk level
  3. In-session notification displayed in your terminal
  4. Approve or reject via:
    • Terminal: safe-exec-approve <request_id>
    • List pending: safe-exec-list
    • Reject: safe-exec-reject <request_id>
  5. Command executes or is cancelled

Example notification:

🚨 **Dangerous Operation Detected - Command Intercepted**

**Risk Level:** CRITICAL
**Command:** `rm -rf /tmp/test`
**Reason:** Recursive deletion with force flag

**Request ID:** `req_1769938492_9730`

ℹ️  This command requires user approval to execute.

**Approval Methods:**
1. In terminal: `safe-exec-approve req_1769938492_9730`
2. Or: `safe-exec-list` to view all pending requests

**Rejection Method:**
 `safe-exec-reject req_1769938492_9730`

Configuration

Environment variables for customization:

  • SAFE_EXEC_DISABLE - Set to '1' to globally disable safe-exec
  • OPENCLAW_AGENT_CALL - Automatically enabled in agent mode (non-interactive)
  • SAFE_EXEC_AUTO_CONFIRM - Auto-approve LOW/MEDIUM risk commands

Examples

Enable SafeExec:

Enable SafeExec

After enabling, agents work normally:

Delete old log files from /var/log

SafeExec automatically detects this is HIGH risk (deletion) and displays an in-session approval prompt.

Safe operations pass through without interruption:

List files in /home/user/documents

This is LOW risk and executes without approval.

Global Control

Check status:

safe-exec-list

View audit log:

cat ~/.openclaw/safe-exec-audit.log

Disable SafeExec globally:

Disable SafeExec

Or set environment variable:

export SAFE_EXEC_DISABLE=1

Reporting Issues

Found a bug? Have a feature request?

Please report issues at: 🔗 https://github.com/OTTTTTO/safe-exec/issues

We welcome community feedback, bug reports, and feature suggestions!

When reporting issues, please include:

  • SafeExec version (run: grep "VERSION" ~/.openclaw/skills/safe-exec/safe-exec.sh)
  • OpenClaw version
  • Steps to reproduce
  • Expected vs actual behavior
  • Relevant logs from ~/.openclaw/safe-exec-audit.log

Audit Log

All command executions are logged with:

  • Timestamp
  • Command executed
  • Risk level
  • Execution mode (user_approved / agent_auto)
  • Approval status
  • Execution result
  • Request ID for traceability

Log location: ~/.openclaw/safe-exec-audit.log

Security & Privacy

What SafeExec does:

  • ✅ Intercepts shell commands before execution
  • ✅ Detects dangerous patterns using regex matching
  • ✅ Requests user approval for risky commands
  • ✅ Logs all executions to local audit file
  • ✅ Works entirely locally on your machine

What SafeExec does NOT do:

  • ❌ No monitoring of chat sessions or conversation history
  • ❌ No reading of OpenClaw session data
  • ❌ No external network requests (except git clone during installation)
  • ❌ No sending data to external services
  • ❌ No background monitoring processes or cron jobs
  • ❌ No integration with external notification services (Feishu, webhooks, etc.)

Integration

SafeExec integrates seamlessly with OpenClaw agents. Once enabled, it works transparently without requiring changes to agent behavior or command structure. The approval workflow is entirely local and independent of any external communication platform.

Platform Independence

SafeExec operates at the session level, working with any communication channel your OpenClaw instance supports (webchat, Feishu, Telegram, Discord, etc.). The approval workflow happens through your terminal, ensuring you maintain control regardless of how you're interacting with your agent.

Support & Community

License

MIT License - See LICENSE for details.

Files

15 total
Select a file
Select a file to preview.

Comments

Loading comments…