Safe Exec

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: safe-exec
Version: 0.3.4

The 'safe-exec' skill is presented as a security tool that intercepts dangerous shell commands issued by an AI agent and requires approval before they run. Its documentation (SKILL.md, READMEs, CLAWDHUB_SECURITY_RESPONSE.md) explicitly states that it makes no network calls, performs no monitoring, and needs no credentials, and the developer has actively removed previously problematic features. However, the core scripts (`scripts/safe-exec.sh` and `scripts/safe-exec-approve.sh`) execute commands with `eval "$COMMAND"`. This is a critical shell injection vulnerability: the whole command string is re-parsed by the shell, so an attacker who controls or influences that string can evade the risk-assessment regexes (the classifier sees text, the shell sees code) or append further commands with shell metacharacters, reaching arbitrary code execution even for commands rated 'low' risk or after the user has approved the command they were shown. Despite the clear intent to provide a security layer, this significant RCE risk makes the skill suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent or noninteractive workflow could approve and run a queued command without a fresh human terminal confirmation, potentially changing or deleting local files or system state.

Why it was flagged

The approval script disables interactive confirmation for agent/auto-confirm environments and then executes the queued command through the shell.

Skill content
if [[ -n "$OPENCLAW_AGENT_CALL" ]] || [[ -n "$SAFE_EXEC_AUTO_CONFIRM" ]]; then
    IS_INTERACTIVE=false
fi
...
echo "🤖 Non-interactive environment - skipping confirmation automatically"
...
eval "$COMMAND"
Recommendation

Use only with trusted agents; disable auto-confirm behavior for risky workflows, require explicit human approval for HIGH/CRITICAL commands, and restrict which commands the agent can approve.

What this means

A user may believe dangerous commands always wait for prior approval, when some agent-mode paths rely on audit logs or automatic behavior instead.

Why it was flagged

The same documentation promises explicit confirmation but also describes bypassing confirmation in agent mode, which can lead users to overestimate the protection they get before execution.

Skill content
✅ **User approval workflow** - Commands wait for explicit confirmation
...
- **Automatic bypass of confirmation prompts** - Prevents agent hanging
Recommendation

Clearly distinguish prior human approval from post-execution audit logging, and document exactly which risk levels can execute automatically in agent mode.

What this means

Approved commands will run with the full shell behavior of the current user account, including pipes, redirects, substitutions, and destructive operations.

Why it was flagged

Executing shell command strings is central to this skill, but using eval means shell metacharacters and request-file contents are treated as executable code.

Skill content
COMMAND=$(jq -r '.command' "$REQUEST_FILE")
...
eval "$COMMAND"
Recommendation

Review the exact command before approval, avoid approving commands built from untrusted text, and prefer structured command execution where possible.
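The following is an added example, not code from the safe-exec skill, that puts the quoted `eval "$COMMAND"` pattern next to an argv-based executor and adds the approval gate the first finding asks for (HIGH/CRITICAL never auto-confirms, whatever OPENCLAW_AGENT_CALL or SAFE_EXEC_AUTO_CONFIRM say). It assumes a request format of one argv element per line (a constructed stand-in for the skill's JSON request file, chosen so the example runs without jq) and an illustrative risk classifier; the skill's real regexes are not on this page.

```bash
#!/usr/bin/env bash
# Added example, not the safe-exec skill's code. Shows why `eval "$COMMAND"`
# lets text smuggle commands past a regex classifier, an argv-based executor
# that keeps the same text as data, and an approval gate that never
# auto-confirms HIGH/CRITICAL commands. The classifier regex and the
# one-argument-per-line request format are assumptions for illustration.
set -u

# Assumed classifier: flags obvious destructive verbs at a word boundary.
classify_risk() {
  local cmd="$1"
  local re='(^|[[:space:];&|])(rm|mkfs|dd|shred)([[:space:]]|$)'
  if [[ "$cmd" =~ $re ]]; then echo HIGH; else echo LOW; fi
}

# The pattern quoted in the findings: the whole string is re-parsed as shell.
run_with_eval() {
  eval "$1"
}

# Hardened form: read argv elements (one per line) and exec them directly,
# so ';', '$(...)', quotes and redirects inside an argument stay literal.
run_argv_file() {
  local -a argv=()
  local line
  while IFS= read -r line; do argv+=("$line"); done < "$1"
  [[ ${#argv[@]} -gt 0 ]] || return 2
  "${argv[@]}"
}

# 0 = may run without a human at the terminal. HIGH/CRITICAL never
# auto-confirm, whatever OPENCLAW_AGENT_CALL / SAFE_EXEC_AUTO_CONFIRM say.
may_auto_confirm() {
  local risk="$1"
  [[ "$risk" == HIGH || "$risk" == CRITICAL ]] && return 1
  [[ -n "${OPENCLAW_AGENT_CALL:-}" || -n "${SAFE_EXEC_AUTO_CONFIRM:-}" ]]
}

# Constructed case 1: a LOW-rated echo carrying a second command after ';'.
# Returns 0 if eval executed the smuggled command.
eval_runs_smuggled_command() {
  local work; work=$(mktemp -d)
  local cmd="echo hello; touch $work/injected"
  [[ "$(classify_risk "$cmd")" == LOW ]] || { rm -rf "$work"; return 1; }
  run_with_eval "$cmd" >/dev/null
  local rc=1; [[ -e "$work/injected" ]] && rc=0
  rm -rf "$work"; return $rc
}

# Constructed case 2: r""m is not the token 'rm' to the regex, but the shell
# strips the empty quotes and runs rm. Returns 0 if the target was deleted.
quoting_trick_evades_classifier() {
  local work; work=$(mktemp -d); mkdir "$work/victim"
  local cmd="r\"\"m -rf $work/victim"
  [[ "$(classify_risk "$cmd")" == LOW ]] || { rm -rf "$work"; return 1; }
  run_with_eval "$cmd"
  local rc=1; [[ -e "$work/victim" ]] || rc=0
  rm -rf "$work"; return $rc
}

# Constructed case 3: the same text from case 1 as one argv element to echo.
# Returns 0 if it was printed rather than executed.
argv_keeps_text_as_data() {
  local work; work=$(mktemp -d)
  printf '%s\n' echo "hello; touch $work/injected" > "$work/req"
  run_argv_file "$work/req" >/dev/null
  local rc=1; [[ -e "$work/injected" ]] || rc=0
  rm -rf "$work"; return $rc
}

# Stand-alone run: report what each path did.
eval_runs_smuggled_command      && echo 'eval: LOW-rated string ran a smuggled command'
quoting_trick_evades_classifier && echo 'eval: r""m passed the regex and deleted the target'
argv_keeps_text_as_data         && echo 'argv: the same text stayed a plain argument'
SAFE_EXEC_AUTO_CONFIRM=1 may_auto_confirm HIGH || echo 'gate: HIGH still needs a human'
```

The argv executor does not make a destructive command safe (`rm -rf` is still `rm -rf`); it only guarantees that what the reviewer read in the request file is exactly what runs, argument for argument, and it leaves the risk gate as the place where a human is required.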

What this means

Local audit files could reveal sensitive command history to anyone with access to the user account or backups.

Why it was flagged

The skill stores command requests and audit logs locally, which may include sensitive paths, arguments, or secrets typed into commands.

Skill content
Requests stored in: `~/.openclaw/safe-exec/pending/`
- Audit log: `~/.openclaw/safe-exec-audit.log`
Recommendation

Avoid putting secrets directly in shell commands, protect the audit log path, and rotate or delete logs when no longer needed.
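As an added example of the recommendation above (not the skill's own code): an audit logger that creates the log readable by its owner only and masks common secret-bearing tokens before writing. The temporary log path stands in for the `~/.openclaw/safe-exec-audit.log` mentioned on this page, and the field layout and redaction patterns are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the safe-exec skill's code. Appends audit entries to a
# log created with owner-only permissions and redacts secret-bearing tokens
# before they are written. Log path, field layout and the redaction patterns
# are assumptions for illustration; they will not catch every way a secret
# can appear on a command line.
set -u

# Mask the value after password/token/key style options (--token X,
# --password=X) and after SECRET/TOKEN/PASSWORD/API_KEY style assignments.
redact_secrets() {
  printf '%s\n' "$1" | sed -E \
    -e 's/(--?(password|passwd|token|api[-_]?key|secret)[[:space:]=]+)[^[:space:]]+/\1[REDACTED]/g' \
    -e 's/((^|[[:space:]])[A-Z0-9_]*(SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*=)[^[:space:]]+/\1[REDACTED]/g'
}

# Append one tab-separated entry: UTC time, actor, risk, redacted command.
# umask 077 in a subshell makes a fresh log 0600; chmod fixes an older one.
audit_log() {
  local log="$1" cmd="$2" risk="$3" who="${4:-${USER:-unknown}}"
  local entry; entry=$(redact_secrets "$cmd")
  ( umask 077
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$who" "$risk" "$entry" >> "$log"
  ) || return 1
  chmod 600 "$log"
}

# Permission string of a file as ls shows it, e.g. -rw-------.
file_mode_string() {
  ls -ld "$1" | cut -c1-10
}

# Stand-alone run against a temporary log with constructed commands.
demo_dir=$(mktemp -d)
demo_log="$demo_dir/safe-exec-audit.log"   # stands in for ~/.openclaw/safe-exec-audit.log
audit_log "$demo_log" 'curl --token s3cr3t https://example.invalid/api' LOW agent
audit_log "$demo_log" 'AWS_SECRET_ACCESS_KEY=AKIAEXAMPLE aws s3 ls' LOW agent
audit_log "$demo_log" 'rm -rf ./build' HIGH human
echo "mode: $(file_mode_string "$demo_log")"
cat "$demo_log"
rm -rf "$demo_dir"
```

Redaction is a backstop, not a substitute for keeping secrets out of command lines: a password passed as `-pSECRET` or read from a heredoc slips past these patterns, and the secret has already been visible in process listings and shell history before the logger sees it.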

What this means

Users may not realize they need jq or that manual GitHub installation is part of the documented setup.

Why it was flagged

SKILL.md documents a jq dependency and GitHub clone path, while the registry summary says there is no install spec and no required binaries; this is a provenance/setup inconsistency rather than direct malicious behavior.

Skill content
"requires": { "bins": ["jq"] },
"install": [{ "kind": "git", "url": "https://github.com/OTTTTTO/safe-exec.git" }]
Recommendation

Verify the source repository and version before installing, and ensure dependency and install metadata match the published package.