
Native Run

by sadikjarvis · GitHub ↗ · v0.0.1
cross-platform ⚠ suspicious
Downloads 752
Stars 0
Active Installs 5
Versions 1
Install in OpenClaw
/install native-run
Description
Execute native commands on the local Windows machine and return their output to OpenClaw for automation and testing purposes.
Usage Guidance
This skill will run arbitrary shell commands on the gateway machine, a high-risk capability that appears intentional. Before installing:
  1. Do not deploy on any machine you don't fully control or trust.
  2. Fix the mismatches: update skill.json to point to the actual entry file, and align SKILL.md examples with the JS pattern (or vice versa).
  3. Remove the hardcoded token: require a configurable secret via secure environment variable or platform-managed credential, and rotate it.
  4. Implement command whitelisting/sanitization and restrict the server to localhost or a secured socket.
  5. Consider running the service in an isolated container or VM with limited privileges.
If you cannot inspect and remediate the code yourself, treat this package as unsafe to install on production or sensitive systems.
Capability Analysis
Type: OpenClaw Skill
Name: native-run
Version: 0.0.1
This skill is highly suspicious due to a critical shell injection vulnerability. The `native_run.py` script executes user-provided commands directly via `subprocess.check_output` with `shell=True`, allowing arbitrary command execution on the host machine. The `native_run_skill.js` passes unsanitized user input from the chat message directly to this vulnerable endpoint. The skill explicitly states that its purpose is to run native commands, but the implementation introduces a severe Remote Code Execution (RCE) risk. It shows no clear malicious intent such as data exfiltration or persistence, so it is classified as suspicious rather than malicious.
Capability Assessment
Purpose & Capability
The name and SKILL.md say the skill executes native commands locally; the included Python HTTP server and JS entry point do exactly that (they accept an incoming command and run it). That behavior is coherent with the claimed purpose. However, the skill metadata and docs do not line up with the code: SKILL.md example uses 'Run native: whoami' but the JS looks for 'Run command:', and skill.json references a non-existent 'skill.js' entry point. These mismatches reduce confidence that the package is well-constructed.
Instruction Scope
SKILL.md describes a simple pattern-based local command runner but omits operational details (how/when to start the Python server). The runtime files actually start an HTTP server that accepts arbitrary commands and runs them with shell=True — very broad capability. The documentation and code disagree on the trigger phrase and on platform details (doc says Windows; code is cross-platform). The instructions do not limit or sanitize allowed commands, nor do they explain the hardcoded token or how to secure the service.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in isolation. However, the repository includes executable code (a long-running Python HTTP server and a JS entrypoint) that will be placed on the gateway if installed; those files will run arbitrary shell commands if launched. The lack of an install spec means there's no controlled install step to set up secure defaults (e.g., change token, restrict bind address).
Credentials
The skill declares no required environment variables or credentials, which superficially seems minimal. But it embeds a long, hardcoded token in both the Python and JS files. Hardcoded secrets in code are sensitive: anyone with file access can use or leak the token, and if the service is accidentally exposed beyond localhost, that token grants remote command execution. No justification is provided for this hardcoded secret.
Persistence & Privilege
`always` is false (good). The skill includes a server that, if executed, will run persistently (HTTP server on localhost:8080) and accept command execution requests. Autonomous invocation by the agent is allowed (`disable-model-invocation` is false), which is expected for skills but increases blast radius: an agent could trigger the skill to call the local runner. The package does not request elevated system config, but the long-running server behavior should be treated like persistence and secured appropriately.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install native-run
  3. After installation, invoke the skill by name or use /native-run
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.1
Initial release.
- Execute native commands on the local machine running the OpenClaw gateway.
- Returns command output to OpenClaw.
- Operates on Windows platform only.
- Designed for automation, testing, and local tooling.
- Includes security notice: use only in trusted environments.
Metadata
Slug native-run
Version 0.0.1
License
All-time Installs 5
Active Installs 5
Total Versions 1
Frequently Asked Questions

What is Native Run?

Execute native commands on the local Windows machine and return their output to OpenClaw for automation and testing purposes. It is an AI Agent Skill for Claude Code / OpenClaw, with 752 downloads so far.

How do I install Native Run?

Run "/install native-run" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Native Run free?

Yes, Native Run is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Native Run support?

Native Run is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Native Run?

It is built and maintained by sadikjarvis (@sadikjarvis); the current version is v0.0.1.
