ClawHub
Security warning — review recommended

ClawHub Security found sensitive or high-impact capabilities. Review the scan results before using.

myskill

myskill executes commands with configurable environment, working directory, timeout, terminal mode, host targeting, and security enforcement options.

Audits

Warn
ClawScanWarn

Agentic behavior and permission review.

Static analysisPending

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install myskill
  • command (required)
  • workdir (defaults to cwd)
  • env (key/value overrides)
  • yieldMs (default 10000): auto-background after delay
  • background (bool): background immediately
  • timeout (seconds, default 1800): kill on expiry
  • pty (bool): run in a pseudo-terminal when available (TTY-only CLIs, coding agents, terminal UIs)
  • host (sandbox | gateway | node): where to execute
  • security (deny | allowlist | full): enforcement mode for gateway/node
  • ask (off | on-miss | always): approval prompts for gateway/node
  • node (string): node id/name for host=node
  • elevated (bool): request elevated mode (gateway host); security=full is only forced when elevated resolves to full

Notes:

  • host defaults to sandbox.
  • elevated is ignored when sandboxing is off (exec already runs on the host).
  • gateway/node approvals are controlled by ~/.openclaw/exec-approvals.json.
  • node requires a paired node (companion app or headless node host).
  • If multiple nodes are available, set exec.node or tools.exec.node to select one.
  • On non-Windows hosts, exec uses SHELL when set; if SHELL is fish, it prefers bash (or sh) from PATH to avoid fish-incompatible scripts, then falls back to SHELL if neither exists.
  • On Windows hosts, exec prefers PowerShell 7 (pwsh) discovery (Program Files, ProgramW6432, then PATH), then falls back to Windows PowerShell 5.1.
  • Host execution (gateway/node) rejects env.PATH and loader overrides (LD_*/DYLD_*) to prevent binary hijacking or injected code.
  • Important: sandboxing is off by default. If sandboxing is off and host=sandbox is explicitly configured/requested, exec now fails closed instead of silently running on the gateway host. Enable sandboxing or use host=gateway with approvals.
  • Script preflight checks (for common Python/Node shell-syntax mistakes) only inspect files inside the effective workdir boundary. If a script path resolves outside workdir, preflight is skipped for that file.

Config

  • tools.exec.notifyOnExit (default: true): when true, backgrounded exec sessions enqueue a system event and request a heartbeat on exit.
  • tools.exec.approvalRunningNoticeMs (default: 10000): emit a single “running” notice when an approval-gated exec runs longer than this (0 disables).
  • tools.exec.host (default: sandbox)
  • tools.exec.security (default: deny for sandbox, allowlist for gateway + node when unset)
  • tools.exec.ask (default: on-miss)
  • tools.exec.node (default: unset)
  • tools.exec.pathPrepend: list of directories to prepend to PATH for exec runs (gateway + sandbox only).
  • tools.exec.safeBins: stdin-only safe binaries that can run without explicit allowlist entries. For behavior details, see Safe bins.
  • tools.exec.safeBinTrustedDirs: additional explicit directories trusted for safeBins path checks. PATH entries are never auto-trusted. Built-in defaults are /bin and /usr/bin.
  • tools.exec.safeBinProfiles: optional custom argv policy per safe bin (minPositional, maxPositional, allowedValueFlags, deniedFlags).