Openclaw Skill
ReviewAudited by ClawScan on May 10, 2026.
Overview
This looks like a real local Bubblewrap command wrapper, but its safety claims are broader than what the code enforces and it starts a persistent command-running daemon.
Review carefully before installing. If you use it, run it only in a controlled workspace, manually approve commands that can change files, and be aware that it builds code on first use and leaves a local daemon running until you stop it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may allow an agent to run commands believing stronger protections exist than the code actually provides.
The reviewed source implements a fixed policy that sends shell commands to the sandbox, and the artifacts do not show configurable rules, a shell-command confirmation workflow, repetition limiting, or per-decision logging. These claims may cause users to overtrust the safety layer.
checks each shell request against configurable rules ... ask for your confirmation. Every decision is logged
Treat this as a simple Bubblewrap wrapper unless the missing validation, approval, logging, and loop-limit controls are implemented and documented.
An autonomous agent could still alter or delete files in the current workspace, despite the read-only root filesystem.
The skill executes the supplied command string through a shell and mounts the working directory read-write. The policy does not inspect the command contents before sandboxing, so destructive workspace actions are not blocked or confirmed.
cmd.arg("--bind").arg(dir).arg(dir); ... cmd.arg("--").arg("sh").arg("-c").arg(command);Use it only in disposable or well-scoped directories, require explicit approval for destructive commands, and add real command allow/deny rules before autonomous use.
A local background service remains after use and may continue accepting local requests until stopped.
The wrapper starts the enforcement daemon in the background and leaves it running after the command. Because the daemon is the component that accepts execute requests, this extends the lifetime of command-execution authority beyond a single invocation.
SKILLSHIELDD_BIND="unix:$SOCKET_PATH" "$BIN_PATH" >>"$LOG_PATH" 2>&1 & echo $! > "$PID_PATH"
Document the persistence clearly, provide a stop/cleanup command, and ensure the socket directory and permissions are restricted to the intended user.
First use may download and build third-party Rust dependencies whose exact versions can vary over time.
The skill builds the bundled Rust daemon on first use. That is purpose-aligned and disclosed, but the provided manifest uses broad dependency versions and no Cargo.lock is included in the file manifest, so dependency resolution is not fully pinned.
CARGO_TARGET_DIR="$TARGET_DIR" cargo build --release --manifest-path "$MANIFEST_PATH"
Publish a Cargo.lock or otherwise pin dependency versions, and declare the build requirements in the registry metadata.