Openclaw Skill
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: skillshield-openclaw
Version: 2.1.8
The skill is a legitimate security utility designed to sandbox AI agent shell commands using Bubblewrap (bwrap). It implements a Rust-based enforcement daemon (skillshieldd) that validates and isolates execution within a restricted user namespace (using --unshare-all and read-only binds). The provided bash wrapper (skillshield-exec.sh) manages the daemon lifecycle and communicates via a local Unix socket. No evidence of data exfiltration, malicious persistence, or unauthorized network activity was found; the code is well-structured and aligns perfectly with its stated purpose of enhancing agent safety.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may allow an agent to run commands believing stronger protections exist than the code actually provides.
The reviewed source implements a fixed policy that sends shell commands to the sandbox, and the artifacts do not show configurable rules, a shell-command confirmation workflow, repetition limiting, or per-decision logging. These claims may cause users to overtrust the safety layer.
checks each shell request against configurable rules ... ask for your confirmation. Every decision is logged
Treat this as a simple Bubblewrap wrapper unless the missing validation, approval, logging, and loop-limit controls are implemented and documented.
An autonomous agent could still alter or delete files in the current workspace, despite the read-only root filesystem.
The skill executes the supplied command string through a shell and mounts the working directory read-write. The policy does not inspect the command contents before sandboxing, so destructive workspace actions are not blocked or confirmed.
cmd.arg("--bind").arg(dir).arg(dir); ... cmd.arg("--").arg("sh").arg("-c").arg(command);
Use it only in disposable or well-scoped directories, require explicit approval for destructive commands, and add real command allow/deny rules before autonomous use.
A local background service remains after use and may continue accepting local requests until stopped.
The wrapper starts the enforcement daemon in the background and leaves it running after the command. Because the daemon is the component that accepts execute requests, this extends the lifetime of command-execution authority beyond a single invocation.
SKILLSHIELDD_BIND="unix:$SOCKET_PATH" "$BIN_PATH" >>"$LOG_PATH" 2>&1 & echo $! > "$PID_PATH"
Document the persistence clearly, provide a stop/cleanup command, and ensure the socket directory and permissions are restricted to the intended user.
First use may download and build third-party Rust dependencies whose exact versions can vary over time.
The skill builds the bundled Rust daemon on first use. That is purpose-aligned and disclosed, but the provided manifest uses broad dependency versions and no Cargo.lock is included in the file manifest, so dependency resolution is not fully pinned.
CARGO_TARGET_DIR="$TARGET_DIR" cargo build --release --manifest-path "$MANIFEST_PATH"
Publish a Cargo.lock or otherwise pin dependency versions, and declare the build requirements in the registry metadata.
