Downloads: 109
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install safe-exec-bak
Description
Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agen...
Usage Guidance
Key things to check before installing:
1) Resolve metadata mismatches: SKILL.md declares 'jq' and a git install; the registry listed none — ensure the actual install process will provide jq and uses the GitHub URL you reviewed.
2) Understand how "automatic monitoring" is implemented: the shipped code shows CLI wrappers and pending files, not a background daemon or shell hooks. Ask/inspect any platform integration that claims to "monitor all shell commands" — that step could add persistent hooks or cron jobs.
3) Audit the core scripts (especially safe-exec.sh and the request creation code). The approval executor uses eval on command text read from JSON files; ensure pending files cannot be modified by untrusted parties (file permissions) and that commands are sanitized.
4) Be cautious about agent-mode auto-bypass: OPENCLAW_AGENT_CALL or SAFE_EXEC_AUTO_CONFIRM cause confirmation to be skipped (non-interactive). If agents are untrusted or multi-tenant, this can let agents run commands without human approval for LOW/MEDIUM risk. Prefer keeping auto-confirm disabled unless you fully trust the agents.
5) Verify that the pending and audit directories are writable only by the user, and rotate/back up audit logs. Don't install system-wide or enable automatic shell hooking without a code review.
6) If you plan to install from the GitHub URL, compare the remote repo contents with the archive reviewed here to ensure no post-publish changes.
If you want, I can: (a) point out exact lines in safe-exec.sh where eval/command execution happens, (b) list needed hardening changes (e.g., avoid eval, use safe exec arrays, check file ownership), or (c) produce a short checklist to use when reviewing the remote repo prior to cloning.
Capability Analysis
Type: OpenClaw Skill
Name: safe-exec-bak
Version: 1.0.0
The safe-exec skill is a legitimate security utility designed to provide a safety layer for OpenClaw agents by intercepting and auditing dangerous shell commands. It implements a risk assessment engine (in safe-exec.sh) that categorizes commands into risk levels (CRITICAL, HIGH, MEDIUM, LOW) using regex patterns and manages a local approval workflow. All executions are recorded in a local audit log (~/.openclaw/safe-exec-audit.log). While the tool includes features like an 'Agent Mode' that bypasses interactive prompts and a 'Context-aware' mechanism to downgrade risk levels based on specific user keywords, these are documented as intentional features for automation and power-user control. The package contains extensive documentation and changelogs (CHANGELOG.md, CLAWDHUB_SECURITY_RESPONSE.md) detailing the removal of previous monitoring and external network components in response to security reviews, demonstrating a clear focus on local security and transparency.
Capability Assessment
Purpose & Capability
The name/description claim a local command-approval/monitoring tool — included scripts implement an approval flow, pending queue, and audit log which is coherent. However the SKILL.md repeatedly states SafeExec "automatically monitors all shell command executions" and "runs transparently in the background" while the shipped code contains no persistent monitoring daemon or cron job; instead it provides CLI wrapper scripts. That mismatch (advertised system-wide monitoring vs. wrapper-based invocation) is a design/claims inconsistency. Also SKILL.md metadata declares a required binary 'jq' and a git install source, but higher-level registry metadata (in the provided summary) listed none — another inconsistency.
Instruction Scope
Runtime instructions ask OpenClaw/agents to 'Enable SafeExec' and promise to intercept all shell commands. The actual scripts operate by creating pending JSON files and executing approved commands; there is no code that hooks into all user shells shown in the bundle. The approval/execute flow uses eval to run commands read from pending JSON files (unsafe if those files are tampered with). The SKILL.md claims no monitoring and no network access, which matches the codebase review, but it also suggests in-session notifications and 'automatic monitoring' that would require integration not present in the code. The instructions also recommend one-click install via ClawdHub which will 'automatically download, install and configure' — that presumes platform integration steps that are not visible here and could alter behavior.
Install Mechanism
There is no complex install spec in the registry, but SKILL.md suggests git cloning from GitHub (a standard public source) and making scripts executable. That's low-to-moderate risk but depends on trusting the GitHub repo. No third-party binary downloads or obscure URLs were observed in the shipped files. The SKILL.md metadata includes an 'install' git entry pointing to github.com/OTTTTTO/safe-exec.git which is reasonable; still confirm that the repo you clone matches the code you inspected.
Credentials
Declared environment variables are modest (SAFE_EXEC_DISABLE, OPENCLAW_AGENT_CALL, SAFE_EXEC_AUTO_CONFIRM). That is appropriate for a local approval tool. However behavior tied to those env vars is significant: OPENCLAW_AGENT_CALL or SAFE_EXEC_AUTO_CONFIRM will make the workflow non-interactive (the scripts treat calls with these set as non-interactive and may skip human confirmation). The skill claims no credentials/network access which matches the code. The mismatch between top-level registry 'required binaries: none' and SKILL.md 'requires: jq' is a small but important inconsistency to resolve before trusting the install.
Persistence & Privilege
The skill writes to user-owned paths (~/.openclaw/safe-exec/, audit log). That is expected. There is no 'always: true' flag. However the README/SKILL.md make broad claims about background monitoring and automatic interception 'in the background' but the code shows only CLI wrappers and no persistent monitor; if an installation path or platform integration step attempts to add shell hooks or a background process to achieve global interception, that would increase privilege and must be reviewed. Also agent-mode auto-bypass increases blast radius for autonomous agents if OPENCLAW_AGENT_CALL is set by agents.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install safe-exec-bak
- After installation, invoke the skill by name or use /safe-exec-bak
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
SafeExec 1.0.0 - Initial Release
- Provides safe shell command execution for OpenClaw agents with built-in danger pattern detection.
- Features multi-level risk assessment (CRITICAL/HIGH/MEDIUM/LOW) and an interactive user approval workflow.
- Supports audit logging of all agent and user command executions for traceability.
- Includes in-session notifications, pending request management, and non-interactive agent automation support.
- Easily installed via OpenClaw or manual steps, with local operation and no external network access.
Frequently Asked Questions
What is Safe Exec.Bak?
Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agen... It is an AI Agent Skill for Claude Code / OpenClaw, with 109 downloads so far.
How do I install Safe Exec.Bak?
Run "/install safe-exec-bak" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Safe Exec.Bak free?
Yes, Safe Exec.Bak is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Safe Exec.Bak support?
Safe Exec.Bak is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Safe Exec.Bak?
It is built and maintained by gjc0909 (@gjc0909); the current version is v1.0.0.