Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Exec Permission

v1.0.0

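OpenClaw exec security permission configuration guide. Used to configure the security and ask parameters of tools.exec and to manage agent command-execution permissions. Trigger words: exec权限 (exec permission), 安全配置 (security configuration), 提权 (privilege escalation), exec security, ask off, allowlist.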

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for embracex1998/openclaw-exec-permission.

Install the skill "OpenClaw Exec Permission" (embracex1998/openclaw-exec-permission) from ClawHub.
Skill page: https://clawhub.ai/embracex1998/openclaw-exec-permission
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install openclaw-exec-permission

ClawHub CLI

npx clawhub@latest install openclaw-exec-permission
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description claim to manage tools.exec security and ask parameters, and the SKILL.md directly provides instructions to do exactly that. This is coherent — a config guide legitimately would show how to change these fields. However, the provided example uses a hard-coded absolute path (/home/zzclaw/.openclaw/openclaw.json) which may not match the operator's environment and suggests the doc was copied from a single-machine context without parameterization.
! Instruction Scope
Instructions tell the user/agent to manually edit a protected config path (bypassing API safeguards) and set security='full' and ask='off', then restart the gateway. That directly lowers host-level protections and allows unrestricted command execution. The SKILL.md gives a runnable Python one-liner that reads/writes the target file and a restart command — this is precise and actionable for agents and could be used to escalate privileges. The doc does not require backups, permission checks, or confirm whether the operator has authority to change the file; it also hardcodes a user home path which could lead to accidental edits to the wrong user's config.
Install Mechanism
This is an instruction-only skill with no install steps and no remote downloads, so there's no install-time code execution risk. That lowers supply-chain risk relative to skills that install binaries.
! Credentials
The skill does not declare any required env vars, but its runtime instructions access and modify a local configuration file under a specific absolute path, which implies file-system and service-control privileges. Asking operators/agents to change protected config keys and restart the gateway is a privileged action; these privileged operations are disproportionate relative to a harmless 'guide' and should require explicit admin controls. The SKILL.md does not justify why API-based config.patch is unusable other than an error message, nor does it suggest safer alternatives.
! Persistence & Privilege
Although always:false, the skill (if invoked) instructs persistent changes to the agent runtime (modifying openclaw.json and restarting the gateway), which permanently changes exec authorization behavior. Because disable-model-invocation is false (default), an agent with permission to run skills could itself perform the provided steps and remove exec protections — increasing blast radius. The skill advocates bypassing protected paths rather than using documented, auditable APIs.
What to consider before installing
This guide is coherent with its stated purpose (it shows how to change tools.exec.security and tools.exec.ask), but it also teaches how to bypass intended protections by editing a protected config file and restarting the gateway. Before using or installing this skill:

1) Verify you are an authorized admin and that the hard-coded path (/home/zzclaw/...) actually points to the target configuration on your host; don't run the one-liner blindly.
2) Make a backup of the config file and ensure you have console access in case the restart breaks the gateway.
3) Prefer documented, auditable APIs or an operator-led change process; avoid setting security='full' and ask='off' on production or shared systems.
4) Because the skill can be run by agents autonomously, consider disabling model invocation or restricting who/what can run this skill if you keep it.
5) Treat this skill as privileged: only install it if you trust its source (source unknown) and understand the operational and security consequences.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔒 Clawdis
Version: v1.0.0 (latest)
License: MIT-0
Updated 3w ago

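🔒 OpenClaw Exec Permission Configuration

Key parameters

Under tools.exec in openclaw.json:

  • security: execution security level

    • "deny" — blocks all exec
    • "allowlist" — allows only allowlisted commands (default)
    • "full" — allows all commands, with no restrictions
  • ask: approval mode

    • "off" — skips approval and executes directly
    • "always" — requires approval every time
    • "on-miss" — requires approval only for commands outside the allowlist

Configuration method

⚠️ Note: these two fields are protected paths

tools.exec.security and tools.exec.ask cannot be changed through config.patch or gateway config.apply; the attempt fails with:

gateway config.patch cannot change protected config paths: tools.exec.security

✅ Correct method: edit the configuration file directly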

python3 -c "
import json
with open('/home/zzclaw/.openclaw/openclaw.json') as f:
    c = json.load(f)
c['tools']['exec']['security'] = 'full'
c['tools']['exec']['ask'] = 'off'
with open('/home/zzclaw/.openclaw/openclaw.json', 'w') as f:
    json.dump(c, f, indent=2, ensure_ascii=False)
print('done')
"

Then restart the gateway:

openclaw gateway restart

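Permission level reference

| Scenario                 | security  | ask     | Notes                                                  |
|--------------------------|-----------|---------|--------------------------------------------------------|
| Production (strict)      | allowlist | on-miss | Allowlisted commands run; everything else needs approval |
| Development (permissive) | full      | off     | Everything runs, no approval                           |
| Trusted private machine  | full      | off     | Same as above                                          |
| Shared by multiple users | allowlist | on-miss | Security first                                         |

allowlist configuration

When security is allowlist, the allowed command patterns can be configured through tools.exec.allowlist: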

{
  "tools": {
    "exec": {
      "security": "allowlist",
      "allowlist": [
        "git *",
        "npm *",
        "python3 *",
        "cat *",
        "ls *",
        "echo *"
      ]
    }
  }
}

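Pain points

  1. Protected paths: security and ask can only be changed by editing the file by hand, not through the API
  2. allowlist miss: when security=allowlist, commands that are not on the allowlist are rejected, even with ask=off
  3. Restart required after changes: after modifying the configuration file, the gateway must be restarted for the change to take effect
  4. Handling exec denied: if a command the agent runs is denied, the configuration has to be changed and the gateway restarted first; the agent cannot rescue itself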
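
An added audit example, not part of the skill or of OpenClaw: it checks a parsed openclaw.json for the tools.exec values described above and flags the security=full / ask=off combination as well as allowlist entries that hand a wildcard to an interpreter. The function name audit_exec, the severity labels, the CODE_RUNNERS set and the reading of each allowlist entry as "program followed by a glob" are assumptions of this example.

```python
import json

KNOWN_SECURITY = {"deny", "allowlist", "full"}
KNOWN_ASK = {"off", "always", "on-miss"}
# Assumption of this example: programs that run code supplied on the command line.
CODE_RUNNERS = {"python", "python3", "node", "npm", "npx", "sh", "bash", "perl", "ruby"}


def audit_exec(config):
    """Return (severity, message) findings for the tools.exec section (hypothetical helper)."""
    exec_cfg = config.get("tools", {}).get("exec", {})
    security = exec_cfg.get("security", "allowlist")  # the page gives allowlist as the default
    ask = exec_cfg.get("ask")  # default not stated on the page, so None means unset
    findings = []
    if security not in KNOWN_SECURITY:
        findings.append(("HIGH", f"unknown security value {security!r}"))
    if ask is not None and ask not in KNOWN_ASK:
        findings.append(("HIGH", f"unknown ask value {ask!r}"))
    if security == "full":
        severity = "CRITICAL" if ask == "off" else "HIGH"
        findings.append((severity, f"security=full with ask={ask}: every command is allowed"))
    if security == "allowlist":
        for pattern in exec_cfg.get("allowlist", []):
            parts = pattern.split()
            if not parts:
                continue
            program = parts[0].rsplit("/", 1)[-1]  # ignore any directory prefix
            if program == "*":
                findings.append(("HIGH", f"allowlist entry {pattern!r} matches any command"))
            elif program in CODE_RUNNERS and any("*" in p for p in parts[1:]):
                findings.append(
                    ("MEDIUM", f"allowlist entry {pattern!r} lets {program} run arbitrary code"))
    return findings


# Constructed samples: the values the one-liner writes, and the page's allowlist example.
PERMISSIVE = json.loads('{"tools": {"exec": {"security": "full", "ask": "off"}}}')
PAGE_ALLOWLIST = json.loads("""{"tools": {"exec": {"security": "allowlist", "ask": "on-miss",
  "allowlist": ["git *", "npm *", "python3 *", "cat *", "ls *", "echo *"]}}}""")

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("page allowlist", PAGE_ALLOWLIST)):
        for severity, message in audit_exec(cfg):
            print(f"{name}: {severity}: {message}")
```

Run against the real file by loading it with json.load and passing the result to audit_exec; a scheduled run gives a record of when the protected fields were changed by hand.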
