OpenExec — Deterministic Execution Boundary for Agent Systems

Security checks across malware telemetry and agentic risk

Overview

OpenExec is a transparent, purpose-aligned execution-boundary service. The scan found no artifact-backed malicious or hidden behavior, but it did find operator configuration risks that matter: the defaults are materially weaker than the security model the metadata describes.

Install only if you understand the mode boundary. Demo mode auto-approves every registered action, so for production use:
  • set OPENEXEC_MODE=clawshield and configure a trusted CLAWSHIELD_PUBLIC_KEY;
  • bind the service locally or behind a firewall;
  • set OPENEXEC_ALLOWED_ACTIONS so the execute path is not open to every action;
  • keep the database local (or on a backend you trust), since OPENEXEC_DB_URL can point anywhere.
Treat stored payloads and results as potentially sensitive audit data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Severity: High
Confidence: 91%
Finding
The health endpoint explicitly reports that execution may run in "demo" mode with signature verification disabled and in an "open" configuration with no execution allow-list. That directly contradicts the stated security model that execution occurs only with a signed approval artifact in ClawShield mode, indicating the service can be deployed or operated in a materially less secure state than advertised. If the execute path is reachable while these weaker modes are enabled, an attacker or misconfigured operator could allow unapproved execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding
The code allows the database target to be fully controlled by the OPENEXEC_DB_URL environment variable, including non-SQLite backends. That undermines the stated property of purely local deterministic execution because a deployment can silently connect to an external database service, introducing network dependence, data exfiltration risk, and non-deterministic behavior tied to remote state and availability.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The metadata states the service 'runs only with a signed approval artifact,' but the documented runtime has a default demo mode where all actions are auto-approved. This creates a security-significant mismatch: operators may deploy it assuming constitutional enforcement is always active, while the actual default permits unauthenticated execution unless explicitly reconfigured.
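The installation guidance in the overview and findings 1 to 3 above all turn on the same handful of settings. The preflight check below is an added example, not code from OpenExec, that turns them into something an operator can run before starting the service. Only the variable names that appear in this report (OPENEXEC_MODE, CLAWSHIELD_PUBLIC_KEY, OPENEXEC_ALLOWED_ACTIONS, OPENEXEC_DB_URL) are used, and that an unset mode means demo is what the report states; that the allow-list is comma-separated and that an unset OPENEXEC_DB_URL falls back to a local SQLite file are assumptions.

```python
"""Deployment preflight for an OpenExec instance.

Added example for this report, not OpenExec's own code. Variable names
and the demo default come from the report; the comma-separated allow-list
and the local-SQLite default for an unset OPENEXEC_DB_URL are assumptions.
"""
import os
import sys
from urllib.parse import urlparse

LOCAL_DB_SCHEMES = {"sqlite", "sqlite3"}


def check_openexec_config(env: dict) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for every weak setting found in env."""
    problems: list[tuple[str, str]] = []

    # Finding 3: the default mode auto-approves every registered action.
    mode = env.get("OPENEXEC_MODE", "demo").strip().lower()
    if mode != "clawshield":
        problems.append(("high", f"OPENEXEC_MODE={mode!r}: actions are auto-approved; "
                                 "set OPENEXEC_MODE=clawshield"))

    # Without a trusted key there is nothing to verify approval artifacts against.
    if not env.get("CLAWSHIELD_PUBLIC_KEY", "").strip():
        problems.append(("high", "CLAWSHIELD_PUBLIC_KEY unset: approval signatures cannot be verified"))

    # Finding 1: an empty allow-list is the 'open' configuration the health endpoint reports.
    # Assumption: the list is comma-separated.
    actions = [a.strip() for a in env.get("OPENEXEC_ALLOWED_ACTIONS", "").split(",") if a.strip()]
    if not actions:
        problems.append(("high", "OPENEXEC_ALLOWED_ACTIONS empty: no execution allow-list (open configuration)"))
    elif "*" in actions:
        problems.append(("high", "OPENEXEC_ALLOWED_ACTIONS contains '*': the allow-list is a no-op"))

    # Finding 2: any non-SQLite URL silently makes execution depend on a remote service.
    db_url = env.get("OPENEXEC_DB_URL", "").strip()
    if not db_url:
        # Assumption: the built-in default is a local SQLite file; confirm it.
        problems.append(("info", "OPENEXEC_DB_URL unset: confirm the default resolves to a local SQLite file"))
    else:
        parsed = urlparse(db_url)
        scheme = parsed.scheme.split("+", 1)[0].lower()  # postgresql+psycopg2 -> postgresql
        if scheme not in LOCAL_DB_SCHEMES:
            problems.append(("high", f"OPENEXEC_DB_URL uses {scheme!r}: remote backend adds network "
                                     "dependence and an exfiltration path for stored payloads"))
            if parsed.password:
                problems.append(("medium", "OPENEXEC_DB_URL embeds a password: connection URLs tend to "
                                           "leak into logs and error messages"))
    return problems


def is_production_safe(env: dict) -> bool:
    """True when no high-severity problem is present."""
    return not any(sev == "high" for sev, _ in check_openexec_config(env))


if __name__ == "__main__":
    env = dict(os.environ)
    for severity, message in check_openexec_config(env):
        print(f"[{severity}] {message}")
    sys.exit(0 if is_production_safe(env) else 1)
```

Run it in the same environment the service will start in. After deployment, compare the result with what the health endpoint reports (finding 1): the endpoint reflects the mode actually in effect, the environment only what was intended.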

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The install script invokes `pip install -r requirements.txt`, which contradicts the skill metadata claim that no runtime package installation or dynamic downloads occur. Strictly this is install-time rather than runtime installation, but the practical concern is the same: dependency installation fetches code from a package registry, and unless every entry is pinned and hash-checked the result is non-deterministic and can include code the operator was explicitly told would not be retrieved.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The script's messaging normalizes dependency installation as part of setup even though the manifest promises that no runtime package installation occurs. In security-sensitive execution environments, this mismatch undermines trust guarantees and can mislead reviewers or operators into approving behavior that expands the attack surface through package retrieval and install-time code execution.
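Findings 4 and 5 turn on the same question: what `pip install -r requirements.txt` may fetch. The checker below is an added example, not code from OpenExec or its install script, and SAMPLE is a constructed file rather than OpenExec's real requirements.txt. It reports each entry that would make the install non-reproducible: packages without an == pin, pins without a --hash, VCS sources not pinned to a full commit, index overrides, and editable installs.

```python
"""Audit a requirements.txt before accepting `pip install -r requirements.txt`.

Added example for this report, not part of OpenExec. SAMPLE is a constructed
file; the hash in it is a placeholder, not a real package digest.
"""
import re

HASH_OPT = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-fA-F]+")
COMMIT_PIN = re.compile(r"@[0-9a-f]{40}(?:#|$)")        # full git SHA-1 pin
VCS_SOURCE = re.compile(r"(^|@\s*)(git|hg|svn|bzr)\+")  # git+https://..., also "name @ git+..."
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")

SAMPLE = """\
# constructed sample: what an unaudited requirements.txt tends to look like
fastapi
pydantic>=2.0
cryptography==42.0.5 \\
    --hash=sha256:0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
requests==2.31.0
git+https://github.com/example/tool.git@main#egg=tool
--extra-index-url https://mirror.example.internal/simple
"""


def _logical_lines(text: str):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf, start = "", None
    if buf:
        yield start, buf


def audit_requirements(text: str) -> list[tuple[int, str]]:
    """Return (line_number, issue) for every entry that makes the install non-reproducible."""
    issues: list[tuple[int, str]] = []
    for lineno, line in _logical_lines(text):
        line = re.split(r"\s+#", " " + line, 1)[0].strip()  # drop comments ('#' after whitespace)
        if not line:
            continue
        if line.startswith("-"):
            if line.startswith(("-i", "--index-url", "--extra-index-url")):
                issues.append((lineno, "index override: packages may be served by a non-default registry"))
            elif line.startswith(("-r", "--requirement", "-c", "--constraint")):
                issues.append((lineno, "nested requirements/constraints file: audit it too"))
            elif line.startswith(("-e", "--editable")):
                issues.append((lineno, "editable install: runs the project's build code, not a pinned artifact"))
            continue
        if "://" in line:
            if VCS_SOURCE.search(line):
                if not COMMIT_PIN.search(line):
                    issues.append((lineno, "VCS source not pinned to a full commit hash (a branch or tag can move)"))
            elif not HASH_OPT.search(line):
                issues.append((lineno, "archive URL without --hash: content can change under the same URL"))
            continue
        m = NAME_RE.match(line)
        if not m:
            issues.append((lineno, "unparseable requirement"))
            continue
        name, spec = m.group(1), m.group(3)
        if "==" not in spec:
            issues.append((lineno, f"{name}: no == pin, resolves to whatever is newest at install time"))
        elif not HASH_OPT.search(spec):
            issues.append((lineno, f"{name}: pinned but no --hash, a replaced registry artifact would install"))
    return issues


def is_fully_pinned(text: str) -> bool:
    return not audit_requirements(text)


if __name__ == "__main__":
    for lineno, issue in audit_requirements(SAMPLE):
        print(f"line {lineno}: {issue}")
```

A file that passes this check should then be installed with `pip install --require-hashes -r requirements.txt`, which makes pip refuse any artifact whose hash is missing or does not match. VCS entries pinned to a commit are the one class pip cannot hash-verify, so they are accepted here on the strength of the commit pin alone.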

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The engine persists full execution payloads and results to the database, and the code shows no minimization, redaction, retention control, or user-notice mechanism around that storage. In an execution service, payloads and results can easily contain secrets, personal data, or proprietary inputs/outputs, so retaining them by default increases privacy and breach impact even if the service is otherwise deterministic and approval-gated.
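The step this finding says is missing, as an added example that is not OpenExec's code: a minimisation pass applied to an execution record before it is written to the database. The record layout (payload, result), the secret-key and secret-value patterns, and SAMPLE_RECORD are all assumptions chosen for the example.

```python
"""Minimise an execution record before persisting it.

Added example for this report, not OpenExec's own code. Record layout,
key/value patterns and SAMPLE_RECORD are assumptions; the patterns are
heuristics and will over-match names such as 'tokenizer'.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Keys whose values are almost always credentials (case-insensitive substring match).
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|authorization|cookie|private[_-]?key)", re.I)

# Value shapes that are credentials regardless of key name (heuristic list).
SENSITIVE_VALUE = [
    re.compile(r"^Bearer\s+\S+", re.I),                          # HTTP bearer header value
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),            # PEM private key
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                         # AWS access key id format
    re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+"),  # JWT
]

MAX_STRING = 1024  # longer strings are replaced by a digest so the audit row stays small

SAMPLE_RECORD = {  # constructed
    "action": "run_tests",
    "payload": {
        "env": {"CI": "true", "API_TOKEN": "tok_live_1234567890"},
        "args": ["--junit", "report.xml"],
        "headers": {"Authorization": "Bearer eyJabc"},
        "notes": "use AKIAIOSFODNN7EXAMPLE to talk to s3",
    },
    "result": {"stdout": "x" * 5000, "exit_code": 0},
}


def _fingerprint(value: str) -> str:
    """Stable reference to a large value without storing it."""
    return "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:16]


def _scrub(obj, key=""):
    """Walk the record; redact secrets outright, replace oversized strings by a digest."""
    if isinstance(obj, dict):
        return {k: _scrub(v, str(k)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub(v, key) for v in obj]
    if isinstance(obj, str):
        if SENSITIVE_KEY.search(key) or any(p.search(obj) for p in SENSITIVE_VALUE):
            return "[REDACTED]"  # nothing derived from the secret is kept
        if len(obj) > MAX_STRING:
            return f"[TRUNCATED {len(obj)} chars {_fingerprint(obj)}]"
        return obj
    return obj


def minimize_for_storage(record: dict, retention_days: int = 30, now=None) -> dict:
    """Return a copy of `record` that is safe to persist, with an explicit expiry."""
    now = now or datetime.now(timezone.utc)
    out = _scrub(json.loads(json.dumps(record)))  # deep copy; non-JSON values fail here, before storage
    out["stored_at"] = now.isoformat()
    out["expires_at"] = (now + timedelta(days=retention_days)).isoformat()
    return out


if __name__ == "__main__":
    print(json.dumps(minimize_for_storage(SAMPLE_RECORD), indent=2))
```

Redaction deliberately stores nothing derived from a secret: even a truncated hash of a low-entropy password can be brute-forced offline. Large outputs are replaced by a digest so the row stays small while still allowing correlation with a copy held elsewhere, and the explicit expires_at only helps if a purge job acts on it.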

VirusTotal

66/66 vendors reported this skill as clean. Antivirus scanning checks the artifact for known-malicious content; it does not evaluate configuration defaults or metadata mismatches, so a clean result does not address the findings above.