Native Run
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is openly designed to run local commands, but it gives the agent broad, unbounded shell access with weak scoping and unclear setup boundaries.
Install only if you intentionally want OpenClaw to run arbitrary commands on the gateway machine. Use it on an isolated test system, review every command before execution, fix the entry-point/dependency issues, and stop the local runner when finished.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly or by a compromised agent flow, this could run destructive or sensitive local commands on the gateway machine.
The runner executes any supplied command through the shell. This matches the skill purpose, but it is an unbounded high-impact tool surface with no allowlist, per-command approval, or containment shown in the artifacts.
subprocess.check_output(
payload["command"],
shell=True,Only use in a trusted, isolated environment. Add explicit user confirmation, command allowlists, working-directory limits, timeout limits, and clear logging before enabling agent invocation.
Any local component or copied code that knows this token could call the local runner while it is active and ask it to execute commands.
The command-execution endpoint is protected by a token that is hard-coded into the distributed source, so it should not be treated as a meaningful secret or permission boundary.
'http://localhost:8080/?token=272d22dec98da63a3362c6dc0a9c0eebf2aa9ed96d21775d'
Use a per-install secret outside source control, restrict callers more strongly, and document exactly who can invoke the endpoint.
Users may not be able to tell which reviewed file will actually run, or the skill may fail and require manual fixes that bypass normal review.
The declared entry point refers to skill.js, but the provided manifest contains native_run_skill.js instead. For a skill that can execute arbitrary local commands, an unclear or mismatched runtime entry point is a material provenance and reviewability issue.
"main": "skill.js"
Make the entry point match the included file, declare all dependencies, and provide a complete install/run specification.
A mistaken or manipulated prompt could be converted into a local shell command and executed on the gateway machine.
The command is extracted from the raw message text rather than a narrow structured input. Combined with shell execution in the Python runner, this increases the chance that unintended text becomes an executable local command.
const command = raw.replace(/^Run command:\s*/i, '').trim();
Require structured command input, show the exact command to the user before execution, and refuse commands unless the user explicitly approves them.
After being started, the local runner could remain available for future command execution beyond the immediate task.
The local command runner is a long-running service. The artifacts do not provide clear lifecycle controls, stop instructions, or limits on how long this high-impact command endpoint remains available.
httpd.serve_forever()
Document start/stop behavior, avoid automatic long-running operation, and ensure the service is disabled when not actively needed.