Skill v0.1.10

ClawScan security

OpenExec — Deterministic Execution Boundary for Agent Systems · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 10:01 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested configuration are coherent with its stated purpose as a deterministic execution boundary; nothing requested or installed is disproportionate or unrelated to that purpose.
Guidance
This skill appears to implement what it claims. Consider the following before installing:
- Deploy behind a firewall or bind to localhost (the provided run script binds 0.0.0.0 which exposes the service publicly).
- Protect any CLAWSHIELD_PUBLIC_KEY and CLAWSHIELD_TENANT_ID values and ensure you only set OPENEXEC_DB_URL to trusted DB endpoints (a remote DB will create outbound network I/O).
- Configure OPENEXEC_ALLOWED_ACTIONS to limit registered handlers in production and audit any additional handlers you add to the code.
- Run inside a container/VM and avoid running as root since registered handlers run with the process's privileges; the project explicitly states it is an application-layer boundary, not an OS sandbox.
- The repo includes test utilities that mint test keys; do not use test keys in production.

If you want higher assurance, review any handlers you add and perform an operational hardening checklist (network binding, TLS, logging/rotation, backups).

Review Dimensions

Purpose & Capability
ok: Name/description match the code and runtime instructions: the package implements a deterministic execution service, Ed25519 approval verification, replay protection, receipts, and a static action registry. There are no unrelated credentials, binaries, or surprising capabilities in the repo.
Instruction Scope
note: SKILL.md and README state 'no outbound HTTP/RPC during execution' and the code respects that (no network calls except optional DB via OPENEXEC_DB_URL). Note: the service exposes inbound HTTP endpoints (intended) and scripts/run.sh binds 0.0.0.0 (public) while docs recommend binding to localhost; operator should pay attention to binding and firewall configuration before deployment.
Install Mechanism
ok: No installer in the registry metadata but the project is source-distributed with a requirements.txt and simple pip-based install steps. No downloads from untrusted URLs or archive extraction; dependencies are pinned in requirements.txt.
Credentials
ok: No required secret environment variables; optional env vars (CLAWSHIELD_PUBLIC_KEY, CLAWSHIELD_TENANT_ID, OPENEXEC_ALLOWED_ACTIONS, OPENEXEC_DB_URL) are appropriate for the documented functionality. The code documents that OPENEXEC_DB_URL may enable outbound DB network I/O.
Persistence & Privilege
note: Skill writes execution records to a local SQLite DB by default (sqlite:///openexec.db) and stores receipts, which is expected for this service. always:false and no cross-skill configuration modifications. Operators must still isolate runtime (container/VM) and avoid running as root because handlers execute with host process privileges.