Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Paid Bash Security V1.1

v1.1.1

23-validator bash security chain validated in production Claude Code deployments. Every check closed a real attack vector.

by ~K¹yle Million @thebrierfox
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's description asserts it 'installs a 23-validator bash security chain' and 'activates on every exec', but the package contains only SKILL.md (no code, no scripts, no BASH_SECURITY_ARCHITECTURE.md despite referencing it). There is no install spec, no binaries, and no files that could implement runtime validators — i.e., the requested/available artifacts do not support the claimed capability.
Instruction Scope
Runtime instructions tell the user to copy SKILL.md into ~/.openclaw/workspace/skills/... and to change the agent system prompt (SOUL.md) to enable 'strict' enforcement. The instructions claim behavioral changes (validator intercepts every exec) but provide no code or guidance that would actually implement those validators. They do not request unrelated secrets or files, but they misleadingly instruct the user to update persistent agent configuration for a feature that isn't present.
Install Mechanism
There is no install spec and no code files — from an installation-risk perspective this is low risk (nothing will be downloaded or executed). However, low technical risk here is overshadowed by the mismatch between claims and contents.
Credentials
The skill declares no required environment variables, credentials, or config paths. It does ask the operator to edit the agent system prompt (SOUL.md), which is a normal configuration change for behavior, but it does not request secrets or unrelated credentials.
Persistence & Privilege
The skill does not set always:true and is user-invocable (defaults). It instructs changing the agent's SOUL.md to enable enforcement mode — that is a persistent change to agent behavior and should be done cautiously. Autonomous invocation is allowed by default (not a specific red flag), but combining persistent system-prompt changes with the claimed automatic interception behavior is problematic because the validators that would enforce that behavior are absent.
What to consider before installing
This package is an instruction-only document that claims to install a 23-validator runtime security chain but contains no validator code or architecture file it references. Do not rely on it for real protection. Before installing or changing your agent's SOUL.md to 'strict':

  • Demand the actual implementation: request the BASH_SECURITY_ARCHITECTURE.md and the validator scripts or a verifiable install package (GitHub repo or signed release). Verify code existence and review it.
  • If you want to experiment, keep enforcement in 'audit' mode only and test in a safe environment; do not enable strict blocking until you can confirm validators are present and functioning.
  • Verify the skill's source and homepage; this package has unknown source and no homepage, so treat it as untrusted until provenance is established.
  • Prefer obtaining security validators from an auditable repository or a vetted vendor rather than a document that only instructs you to edit agent prompts.

If the author supplies the missing files and an auditable install mechanism, re-evaluate for coherence and safety.
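The "verify code existence" step above can be automated before anything is copied into the skills directory. The following is an added example, not part of the skill or of ClawHub's scanner: `audit_skill`, the `EXTERNAL` allow-list and the extension sets are assumptions, and the sample SKILL.md text is constructed from lines quoted on this page.

```python
import re
import tempfile
from pathlib import Path

# File names mentioned in SKILL.md, e.g. "BASH_SECURITY_ARCHITECTURE.md".
FILE_REF = re.compile(r"\b[\w.-]+\.(?:md|sh|py|js|json|ya?ml)\b")
# Extensions counted as executable content (assumption for this check).
CODE_EXT = {".sh", ".py", ".js"}
# Files that belong to the agent, not the package (assumption).
EXTERNAL = {"SOUL.md"}


def audit_skill(skill_dir):
    """Compare what SKILL.md references with what the package ships."""
    root = Path(skill_dir)
    shipped = {p.name for p in root.rglob("*") if p.is_file()}
    text = (root / "SKILL.md").read_text(encoding="utf-8")
    referenced = set(FILE_REF.findall(text)) - EXTERNAL
    return {
        "shipped": sorted(shipped),
        "missing_references": sorted(referenced - shipped),
        "has_code": any(Path(n).suffix in CODE_EXT for n in shipped),
    }


def demo():
    """Audit a constructed one-file package like the one the scan describes."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "SKILL.md").write_text(
            "Full specification in BASH_SECURITY_ARCHITECTURE.md "
            "(included in package).\n"
            "Add to SOUL.md:\nBash security enforcement: strict\n",
            encoding="utf-8",
        )
        return audit_skill(tmp)


if __name__ == "__main__":
    print(demo())
```

A package that claims runtime enforcement but reports `has_code` as false and a non-empty `missing_references` list matches the mismatch the scan describes.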

Like a lobster shell, security has layers — review code before you run it.

v1.1.1
MIT-0

Bash Security Validator — Production OpenClaw Shell Safety

Understand the threat model first? Read the free primer: OpenClaw Bash Safety — Why Your Agent Is a Security Risk. It covers what ClawHavoc exploited, why text-pattern matching alone fails, and why this validator exists.


What This Skill Does

This skill installs a 23-validator bash security chain — the exact sequence Anthropic runs in production Claude Code before every shell execution. It activates on every exec tool call your OpenClaw agent makes.

Validator categories:

  1. Text-level — Obvious attack pattern detection (destructive ops, unauthorized data transfer)
  2. Structural — Substitution injection, brace expansion, heredoc abuse
  3. Encoding — Unicode homoglyphs, zero-width characters, RTL overrides
  4. Shell-specific (Bash) — Dangerous builtins, history manipulation, alias injection
  5. Shell-specific (Zsh) — Separate blocklist; Zsh ≠ Bash for dangerous commands
  6. Persistence vectors — Modifications to cron/init/systemd, shell profile backdoors
  7. Escalation vectors — Sudo config changes, setuid manipulation, capability grants

Each category closes a distinct attack class. Skipping any one leaves a category of attack unblocked.


Setup

Step 1 — Install

mkdir -p ~/.openclaw/workspace/skills/bash-security-validator
cp SKILL.md ~/.openclaw/workspace/skills/bash-security-validator/

Reload OpenClaw or restart the gateway.

Step 2 — Verify Activation

After installation, the agent will validate bash commands before execution. Test with a safe command:

Ask your agent: "Run: echo hello"

Normal execution proceeds. Then test a flagged pattern — a command that pipes untrusted remote content directly into a shell interpreter. The validator should intercept and refuse, explaining which validator triggered and why.

Step 3 — Configure Enforcement Mode

Two modes are available. Set the mode in your agent system prompt or SOUL.md:

Strict mode (recommended for production): Block and report. The agent stops, explains what triggered, and asks for confirmation or alternative.

Audit mode (recommended for onboarding): Log and warn. The agent notes the risk but proceeds. Use this for 1–2 weeks to understand what your existing workflows trigger before switching to strict.

Add to SOUL.md:

Bash security enforcement: strict

The 23 Validators (Summary)

Full specification in BASH_SECURITY_ARCHITECTURE.md (included in package).

Pre-processing gates (4):

  • Input encoding normalization
  • Shell detection (Bash vs. Zsh — different validator chains)
  • Context extraction (is this a file path? a URL? a string?)
  • Privilege context check (is elevated execution in scope?)

Text validators (5):

  • Destructive operation detection
  • Unauthorized data transfer detection
  • Credential access detection
  • Package manager abuse patterns
  • Known exploit signatures

Structural validators (6):

  • Substitution injection (process substitution, backtick evaluation)
  • Variable expansion abuse
  • Brace expansion bombs
  • Heredoc injection
  • Redirection abuse
  • Pipe chain analysis

Encoding validators (4):

  • Unicode homoglyph detection
  • Zero-width character stripping
  • RTL override detection
  • Multi-byte sequence normalization
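
To make the encoding checks listed above concrete, here is an added example that is not the skill's code (the scan found none in the package). It flags zero-width characters, bidirectional controls, mixed-script tokens and NFKC-unstable text in a command string. The function names, the Latin/Cyrillic/Greek script heuristic and the sample strings are assumptions constructed for illustration.

```python
import unicodedata

# Zero-width / invisible characters, named explicitly for clear findings.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Bidirectional controls: embeddings, overrides and isolates.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def script_of(ch):
    """Coarse script label taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None


def encoding_findings(command):
    """Return a list of (check, detail) findings for one command string."""
    findings = []
    for i, ch in enumerate(command):
        if ch in ZERO_WIDTH:
            findings.append(("zero-width", f"U+{ord(ch):04X} at offset {i}"))
        elif ch in BIDI_CONTROLS:
            findings.append(("bidi-control", f"U+{ord(ch):04X} at offset {i}"))
    # Homoglyph heuristic: one whitespace-delimited token mixing scripts.
    for token in command.split():
        scripts = {s for s in map(script_of, token) if s}
        if len(scripts) > 1:
            findings.append(("mixed-script", f"{token!r} mixes {sorted(scripts)}"))
    # Compatibility forms (fullwidth letters, ligatures) change under NFKC.
    if unicodedata.normalize("NFKC", command) != command:
        findings.append(("nfkc-changes", "normalization alters the command"))
    return findings


# Constructed sample inputs, not taken from any real incident.
SAMPLES = {
    "plain": "ls -la /etc",
    "zero_width": "cat /etc/pass\u200bwd",
    "rtl_override": "echo \u202etxt.sh",
    "homoglyph": "cat /\u0435tc/hosts",  # U+0435 CYRILLIC SMALL LETTER IE
    "fullwidth": "\uff4cs /tmp",         # U+FF4C FULLWIDTH LATIN SMALL LETTER L
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, encoding_findings(cmd))
```

A check like this only has an effect when it runs in code on the exec path; a system-prompt line cannot perform it.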

Persistence/escalation validators (4):

  • Cron/systemd/init modification detection
  • Shell profile modification detection
  • Privilege configuration changes
  • Setuid/capability manipulation

What ClawHavoc Exploited

341 skills on ClawHub (early 2026) contained malicious setup scripts that passed all standard text-level checks. The attack vectors were:

  1. Variable expansion with embedded command substitution
  2. Heredoc injection in setup scripts
  3. Unicode-obfuscated path references pointing to sensitive system locations

Three specific validators in this chain block all three attack vectors. All three were absent from standard OpenClaw exec validation at the time.


Compatibility

  • OpenClaw 2026.3.x and above
  • Validates both Bash and Zsh (separate chains)
  • No external dependencies

Bundle

This skill is included in the Production Agent Ops — Battle-Tested Architecture Pack along with 6 other production architecture files. If you need compaction, loop termination, session memory, and the rest — the bundle costs less than buying individually.
