Safe Exec

Security checks across malware telemetry and agentic risk

Overview

SafeExec is a local command-approval tool, but its bypass modes can let agents execute risky shell commands without a real human confirmation.

Install only if you are comfortable letting this skill execute shell commands with your user privileges. Keep SAFE_EXEC_AUTO_CONFIRM and OPENCLAW_AGENT_CALL bypass flows off for untrusted workflows, do not rely on the audit log as tamper-proof, avoid passing secrets in prompts/context, and use OS/container sandboxing for destructive or privileged command work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The README makes a security-critical claim that 'all commands require approval by default' while earlier sections explicitly state that safe commands execute directly. This kind of contradictory documentation can cause operators to overtrust the tool and assume protections exist when they do not, leading to unsafe deployment decisions.

Intent-Code Divergence

Severity: Low
Confidence: 90%
Finding:
Claiming audit logs are 'immutable' and 'append-only' without documenting any actual enforcement mechanism is misleading in a security product. Users may rely on log integrity for incident response or compliance even though an attacker or local user may be able to alter or delete the file.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
In non-interactive mode, the script explicitly skips confirmation and still proceeds to mark the request approved and execute the queued shell command. That defeats the advertised human-oversight control and allows dangerous pending commands to run automatically in agent, CI, or scripted contexts where no person reviewed them.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The helper is supposed to approve pending commands safely, but when stdin is not a TTY or specific environment variables are set, it bypasses user confirmation and directly executes the stored command. In the context of a 'safe-exec' skill that claims human oversight for dangerous commands, this is especially risky because it undermines the core safety guarantee and can be abused to run destructive shell payloads unattended.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation recommends enabling automatic approval for LOW/MEDIUM risk actions in production without a prominent warning about the loss of human review. In a safety wrapper whose purpose is to gate risky commands, normalizing auto-approval weakens the control boundary and can let privilege-affecting or persistence-related operations proceed unattended.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The troubleshooting section tells users to delete SafeExec state with rm commands but does not clearly warn that this destroys pending approvals, rules, and audit history. While limited to the tool's own files, it can erase forensic records and safety state, reducing accountability and interfering with review workflows.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding:
The README promotes a very broad natural-language install trigger ('Help me install SafeExec skill from ClawdHub') that could be matched by an agent during ordinary conversation and cause an unintended package installation workflow. In an agentic environment, vague trigger phrases increase the chance of tool invocation without explicit, structured user consent.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The installation trigger phrase is broad natural language ('Help me install...') and could overlap with ordinary user conversation, causing unintended installation actions. In agent environments, ambiguous trigger phrases increase the chance of accidental or prompt-injected activation of remote code installation.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
Enablement phrases like 'Enable SafeExec' or 'Start SafeExec' are ambiguous and lack scope constraints, making it easier for prompt injection or incidental text to activate persistent command interception behavior. Because enabling changes how future shell commands are handled, accidental activation has meaningful security consequences.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The wrapper copies user-provided context into the SAFEXEC_CONTEXT environment variable and then launches another program, which can expose potentially sensitive prompts or user data to child processes, logs, crash reports, or process-inspection surfaces. In an agent setting, this is more dangerous because user messages may contain secrets, credentials, filesystem paths, or other sensitive operational context, and the transfer happens silently without notice or minimization.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
This is a true security issue: non-interactive execution paths auto-approve and run pending commands without any user confirmation, despite the script being positioned as a guardrail for dangerous shell commands. An attacker or compromised agent that can enqueue a request and invoke this helper in a non-interactive environment can convert the approval mechanism into an execution primitive.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
When SafeExec is disabled, the script immediately runs arbitrary input via eval without an approval gate, and the same direct execution path exists for commands classified as low risk. In an agent setting, misclassification or a toggled-off state turns the wrapper into a thin pass-through, undermining the safety guarantees advertised by the skill and allowing destructive shell payloads to execute if they evade the simple pattern checks.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The context-aware downgrade trusts the presence of configurable confirmation keywords in SAFEXEC_CONTEXT and then directly executes high- and medium-risk commands with eval. Because this context is external input and may be agent-controlled, an attacker can inject the magic phrase to bypass approval for dangerous commands, defeating the core protection mechanism.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
## Agent Mode Clarification

**Concern:** "Agent calls may automatically bypass confirmation... changes protection model"

**Reality:**
- Agent mode prevents agent hanging (agents can't interactively confirm)
Confidence: 93%
Finding: bypass confirmation

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
### "Instructions imply access to chat/session data... not called out in description"
**Response:** Fixed. Added explicit metadata and "Security & Privacy" section clearly stating what SafeExec does and does NOT do.

### "Agent calls may automatically bypass confirmation... changes protection model"
**Response:** Documented. Agent mode is now clearly explained as an automation feature with full audit logging. Safety checks remain active. This is standard for agent tools (agents can't interactively confirm).

### "Cron-style monitoring... create background process"
Confidence: 83%
Finding: bypass confirmation

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
- **Safety preserved:**
  - Danger pattern detection still active
  - All commands logged with `agent_auto` mode label
  - Audit trail shows which commands were auto-executed
- **Use case:** Trusted automation with human oversight via audit logs

**Not a "blast radius" increase because:**
Confidence: 89%
Finding: auto-execute

Self-Modification

Severity: High
Category: Rogue Agent
Content:
- **Use case:** Trusted automation with human oversight via audit logs

**Not a "blast radius" increase because:**
- Agent mode does not disable safety checks
- CRITICAL/HIGH risk commands still intercepted and logged
- Humans can review audit log at any time
- Can be disabled via `SAFE_EXEC_DISABLE=1`
Confidence: 76%
Finding: disable safety check

VirusTotal

63/63 vendors flagged this skill as clean.