Safe Exec
Warn
Audited by ClawScan on May 10, 2026.
Overview
SafeExec appears to be a local command-safety wrapper, but its agent/noninteractive approval path can skip human confirmation and execute shell commands, so it needs careful review.
Install only if you intentionally want a local shell-command wrapper for agents. Before enabling it, verify how agent-mode approval works, keep SAFE_EXEC_AUTO_CONFIRM off unless you fully trust the workflow, manually review high-risk commands, and protect or rotate the local audit logs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or noninteractive workflow could approve and run a queued command without a fresh human terminal confirmation, potentially changing or deleting local files or system state.
The approval script disables interactive confirmation for agent/auto-confirm environments and then executes the queued command through the shell.
if [[ -n "$OPENCLAW_AGENT_CALL" ]] || [[ -n "$SAFE_EXEC_AUTO_CONFIRM" ]]; then
    IS_INTERACTIVE=false
fi
...
echo "🤖 非交互式环境 - 自动跳过确认"
...
eval "$COMMAND"
Use only with trusted agents; disable auto-confirm behavior for risky workflows, require explicit human approval for HIGH/CRITICAL commands, and restrict which commands the agent can approve.
A user may believe dangerous commands always wait for prior approval, when some agent-mode paths rely on audit logs or automatic behavior instead.
The same documentation promises explicit confirmation but also describes bypassing confirmation in agent mode, which can lead users to overestimate the protection they get before execution.
✅ **User approval workflow** - Commands wait for explicit confirmation ... - **Automatic bypass of confirmation prompts** - Prevents agent hanging
Clearly distinguish prior human approval from post-execution audit logging, and document exactly which risk levels can execute automatically in agent mode.
Approved commands will run with the full shell behavior of the current user account, including pipes, redirects, substitutions, and destructive operations.
Executing shell command strings is central to this skill, but using eval means shell metacharacters and request-file contents are treated as executable code.
COMMAND=$(jq -r '.command' "$REQUEST_FILE") ... eval "$COMMAND"
Review the exact command before approval, avoid approving commands built from untrusted text, and prefer structured command execution where possible.
Local audit files could reveal sensitive command history to anyone with access to the user account or backups.
The skill stores command requests and audit logs locally, which may include sensitive paths, arguments, or secrets typed into commands.
Requests stored in: `~/.openclaw/safe-exec/pending/` - Audit log: `~/.openclaw/safe-exec-audit.log`
Avoid putting secrets directly in shell commands, protect the audit log path, and rotate or delete logs when no longer needed.
Users may not realize they need jq or that manual GitHub installation is part of the documented setup.
SKILL.md documents a jq dependency and GitHub clone path, while the registry summary says there is no install spec and no required binaries; this is a provenance/setup inconsistency rather than direct malicious behavior.
"requires": { "bins": ["jq"] },
"install": [{ "kind": "git", "url": "https://github.com/OTTTTTO/safe-exec.git" }]
Verify the source repository and version before installing, and ensure dependency and install metadata match the published package.
