ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RedHat Command Execution

v1.0.0

Execute terminal commands safely with preflight checks and risk gating.

0· 63·0 current·0 all-time
byMauricio Z.@mzfshark

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mzfshark/axodus-command-execution.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "RedHat Command Execution" (mzfshark/axodus-command-execution) from ClawHub.
Skill page: https://clawhub.ai/mzfshark/axodus-command-execution
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install axodus-command-execution

ClawHub CLI

Package manager switcher

npx clawhub@latest install axodus-command-execution
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose — running terminal commands with preflight checks and gating — aligns with the SKILL.md instructions. The skill requests no binaries, env vars, or installs, which is proportionate for an instruction-only command-execution helper. However, there are metadata inconsistencies: registry owner (kn741...) differs from _meta.json ownerId (redhat-agent-001), the public slug (axodus-command-execution) differs from _meta.json slug (command-execution), and the human-facing name includes 'RedHat' while source/homepage are unknown. These mismatches suggest potential impersonation or sloppy packaging that should be validated with the publisher.
Instruction Scope
The SKILL.md is narrowly scoped: it classifies risk, blocks high-risk patterns, prefers dry-runs, captures exit code/stdout/stderr, and requires explicit confirmation for destructive commands. It does not instruct the agent to read unrelated system files, environment variables, or to exfiltrate data to external endpoints. One minor gap: the file relies on the agent or user to provide explicit confirmation flows (it says 'Never run destructive commands without explicit user confirmation') but does not define how confirmations are obtained/audited; implementers should ensure the agent prompts the user and logs consent.
Install Mechanism
No install spec or code is included (instruction-only), so nothing is downloaded or written to disk by the skill itself — this is the lowest-install risk profile.
Credentials
The skill declares no required environment variables, credentials, or config paths, which is appropriate for a pure instruction-only command-execution helper. The SKILL.md likewise does not reference hidden environment variables or external tokens.
Persistence & Privilege
always is false and the skill is user-invocable; autonomous invocation is allowed (platform default) but not combined with elevated privileges or persistent system modifications in this package. There is no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
This skill's behavior (safe command execution with preflight checks) is coherent and instruction-only (no downloads or env access). However, the package contains inconsistent metadata and branding that suggest it may not come from the claimed 'RedHat' source. Before installing: - Confirm the publisher: verify the owner ID and homepage outside the registry (contact source or use an official Red Hat channel if you expect an official Red Hat skill). - Inspect the SKILL.md yourself and ensure the agent will prompt for explicit confirmation before running any high-risk command; do not rely on the skill's text alone. - Test the skill in an isolated environment (throwaway VM or container) before running on sensitive systems. - Refuse or remove skills that impersonate known vendors or have inconsistent/garbled metadata (e.g., differing slugs, placeholder fields like 'System.Object[]'). If you need this functionality but cannot verify the publisher, consider implementing similar guarded command-execution logic locally or using a vetted plugin from a trusted source.

Like a lobster shell, security has layers — review code before you run it.

devvk97635w172mkxbevzy6treegx185fp63latestvk97635w172mkxbevzy6treegx185fp63
63downloads
0stars
1versions
Updated 3d ago
v1.0.0
MIT-0
Mauricio Z.@mzfshark
devlatest
Download

SKILL: command-execution

Purpose

Execute terminal commands safely with deterministic preflight checks, risk classification, and auditable outputs.

When to Use

  • Running tests, builds, linters, or migrations.
  • Inspecting the repo (search, list files, check versions).
  • Any command execution that could affect the environment.

Inputs

  • command (required, string): exact command to run.
  • purpose (required, string): why this command is needed.
  • expected_effects (optional, string[]): what should happen (files created, tests run).
  • risk_level (optional, enum: low|medium|high): if known.

Steps

  1. Classify command risk:
    • read-only (safe)
    • write (moderate)
    • destructive/network/system (high)
  2. Block/require confirmation for high-risk patterns:
    • recursive deletes (rm -rf, Remove-Item -Recurse -Force)
    • format/disk ops
    • piping remote scripts (curl ... | sh)
  3. If supported, prefer dry-run flags first (e.g., --dry-run, -n, --check).
  4. Execute the command and capture:
    • exit code
    • stdout/stderr
    • elapsed time (if available)
  5. Interpret results against expected_effects.
  6. If command failed:
    • stop
    • summarize error
    • propose next diagnostic steps

Validation

  • Exit code is checked (not ignored).
  • Output is summarized with the relevant error lines.
  • Side effects match expectation (no surprise modifications).

Output

command: "<command>"
purpose: "<purpose>"
result: "success|blocked|failed"
exit_code: <int|null>
highlights: ["<key output lines>"]
next_steps: ["..."]

Safety Rules

  • Never run destructive commands without explicit user confirmation.
  • Never run unknown installers or remote scripts without review.
  • Prefer minimal, scoped commands (avoid global state changes).

Example

Run tests:

  • command: pnpm test
  • purpose: “Validate behavior after refactor”
  • Output: exit code + failing test names + next diagnostic step.

Comments

Loading comments...