Exec Guard
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is meant to make shell commands safer, but its own rules can automatically allow high-impact actions like git push or broad sudo use across sessions.
Install only if you are comfortable with an always-on command policy influencing every shell execution. Before using it, revise the rules so remote changes, package installs, sudo, destructive actions, and any network write always require explicit confirmation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could push commits or make other impactful changes without asking again, despite the skill being presented as a safety guard.
The skill classifies git push as an automatically allowed workspace write, even though it can mutate a remote repository and publish changes.
Level 1 — WRITE (writes within the workspace) ✅ auto-allowed ... git add / git commit / git push
Require explicit confirmation for git push, package installs, remote writes, and any command that changes external services or the user environment.
A future task could run privileged system-modifying commands automatically based on an old broad preference.
The skill allows a broad persistent preference that can auto-approve sudo commands, which crosses a local privilege boundary and is not narrowly scoped.
User: "use sudo freely" → remember: sudo commands → auto-allowed (but DESTRUCTIVE level still requires confirmation)
Do not persist blanket sudo approvals. Require per-command confirmation for privileged operations, with a clear explanation of the affected files or services.
Old or overly broad command permissions could be reused later, causing the agent to skip prompts the user would expect for risky commands.
The skill persists execution-safety preferences across sessions without specifying review, expiry, scoping, or protection against stale or unsafe preferences.
Preferences are recorded in `memory/` or MEMORY.md and take effect across sessions.
Make saved preferences visible, narrow, editable, and time-limited; require fresh confirmation for destructive, privileged, network, or remote-mutating commands.
