
Clawshell 0.1.0

Author: Lucky-2968 · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 1693
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install clawshell-0-1-0
Description
Human-in-the-loop security layer. Intercepts high-risk commands and requires push notification approval.
Usage (SKILL.md)

ClawShell

Human-in-the-loop security layer for OpenClaw. ClawShell intercepts shell commands before execution, analyzes their risk level, and requires your explicit approval (via push notification) for dangerous operations.

How it works

  1. The agent calls clawshell_bash instead of bash
  2. ClawShell analyzes the command against built-in and configurable risk rules
  3. Based on risk level:
    • Critical (e.g. rm -rf /, fork bombs) — automatically blocked
    • High (e.g. rm -rf, curl to external URLs, credential access) — sends a push notification and waits for your approval
    • Medium (e.g. npm install, git push) — logged and allowed
    • Low (e.g. ls, cat, git status) — allowed
  4. All decisions are logged to logs/clawshell.jsonl
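
The tiering described above, sketched as an added example. It is not ClawShell's code (the bundle ships none); the rule patterns, the `decide` function and the log entry fields are assumptions built from the examples in the list.

```javascript
// Added illustration, not ClawShell's code: every pattern is an assumption
// modelled on the examples named in the list above.
const RULES = [
  // Critical: recursive delete of "/" itself, classic shell fork bomb.
  { level: 'critical', re: /\brm\s+(-\w+\s+)*-\w*r\w*\s+(-\w+\s+)*\/(\s|$)/ },
  { level: 'critical', re: /:\(\)\s*\{.*\|.*&\s*\}\s*;\s*:/ },
  // High: any recursive delete, curl to a URL, credential files.
  { level: 'high', re: /\brm\s+(-\w+\s+)*-\w*r/ },
  { level: 'high', re: /\bcurl\b.*\bhttps?:\/\// },
  { level: 'high', re: /(\.ssh\/|\.aws\/credentials|\.env\b)/ },
  // Medium: commands with side effects beyond the working tree.
  { level: 'medium', re: /\b(npm\s+install|git\s+push)\b/ },
];

const ACTIONS = { critical: 'block', high: 'ask', medium: 'allow', low: 'allow' };

// Rules are ordered most severe first, so the first hit is the verdict.
function classify(command) {
  const hit = RULES.find((rule) => rule.re.test(command));
  return hit ? hit.level : 'low';
}

// approval is 'approved' | 'rejected' | 'timeout'; it is consulted only for
// high-risk commands, and a timeout counts as a rejection.
function decide(command, approval = 'timeout') {
  const level = classify(command);
  const asked = ACTIONS[level] === 'ask';
  const execute = asked ? approval === 'approved' : ACTIONS[level] === 'allow';
  return {
    ts: new Date().toISOString(),
    command,
    level,
    approval: asked ? approval : null,
    execute,
  };
}

// One JSON object per line, the shape a JSONL audit log holds.
function toJsonl(entries) {
  return entries.map((entry) => JSON.stringify(entry)).join('\n');
}

// Constructed sample commands.
const samples = ['ls -la', 'git push origin main', 'rm -rf build', 'rm -rf /'];
console.log(toJsonl(samples.map((cmd) => decide(cmd, 'approved'))));
```

A command such as `rm --recursive build` falls through these patterns to low, which is the pattern-matching weakness listed under Limitations.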

Tools

clawshell_bash

Secure replacement for bash. Analyzes command risk and executes only if safe or approved.

Parameters:

  • command (string, required) — The shell command to execute
  • workingDir (string, optional) — Working directory (defaults to cwd)

Returns: { exitCode, stdout, stderr }

High-risk commands will block until you approve or reject via push notification. Critical commands are rejected immediately.

clawshell_status

Returns current ClawShell state: pending approval requests and recent decisions.

Parameters: none

clawshell_logs

Returns recent log entries for audit and debugging.

Parameters:

  • count (number, optional) — Number of entries to return (default: 20)

Setup

1. Install dependencies

cd /app/workspace/skills/clawshell
npm install

2. Configure Pushover notifications

Create a Pushover application at https://pushover.net/apps/build and add your keys to .env:

CLAWSHELL_PUSHOVER_USER=your-user-key
CLAWSHELL_PUSHOVER_TOKEN=your-app-token

Alternatively, configure Telegram instead:

CLAWSHELL_TELEGRAM_BOT_TOKEN=your-bot-token
CLAWSHELL_TELEGRAM_CHAT_ID=your-chat-id

3. Add to TOOLS.md

Add the following to your OpenClaw TOOLS.md so the agent uses ClawShell for shell commands:

## Shell Access

Use `clawshell_bash` for ALL shell command execution. Do not use `bash` directly.
ClawShell will analyze commands for risk and require human approval for dangerous operations.

Available tools:
- `clawshell_bash(command, workingDir)` — Execute a shell command with risk analysis
- `clawshell_status()` — Check pending approvals and recent decisions
- `clawshell_logs(count)` — View recent audit log entries

Configuration

ClawShell reads configuration from environment variables (CLAWSHELL_*) with fallback to config.yaml.

| Variable | Default | Description |
| --- | --- | --- |
| CLAWSHELL_PUSHOVER_USER | | Pushover user key |
| CLAWSHELL_PUSHOVER_TOKEN | | Pushover app token |
| CLAWSHELL_TELEGRAM_BOT_TOKEN | | Telegram bot token (alternative) |
| CLAWSHELL_TELEGRAM_CHAT_ID | | Telegram chat ID (alternative) |
| CLAWSHELL_TIMEOUT_SECONDS | 300 | Seconds to wait for approval before auto-reject |
| CLAWSHELL_LOG_DIR | logs/ | Directory for JSONL log files |
| CLAWSHELL_LOG_LEVEL | info | Log verbosity: debug, info, warn, error |
| CLAWSHELL_BLOCKLIST | | Comma-separated extra blocked commands |
| CLAWSHELL_ALLOWLIST | | Comma-separated extra allowed commands |

Custom rules can also be defined in config.yaml under rules.blocklist and rules.allowlist using exact strings, globs, or regex patterns.

Limitations

  • Not a security guarantee. LLMs can encode, split, or obfuscate commands to bypass pattern matching.
  • Defense-in-depth only. Use alongside OpenClaw's sandbox mode, not as a replacement.
  • Approval latency. High-risk commands block execution until you respond or the timeout expires.

Always ask your AI to scan any skill or software for security risks.

Security usage recommendations

This skill is internally inconsistent: it promises a shell-intercepting tool but supplies no implementation and tells you to run `npm install` to fetch code from the registry. Do NOT run npm install or provide your Pushover (or other) tokens until you verify the runtime code. Steps to consider before installing:

  • Ask the publisher for the source code or a trusted release (git repo or release tarball) and verify it matches the SKILL.md behavior.
  • Inspect the actual JavaScript code and any install scripts (preinstall/postinstall) before running npm install.
  • If you must test, run it in a fully isolated sandbox with no access to real credentials and no network access to sensitive hosts.
  • Prefer skills that include their implementation or a verifiable release URL; avoid running npm install based on an opaque package.json/lock that appears malformed.
  • If you install, do not store production Pushover tokens in the .env file until the code has been audited; create a test token instead.

Given the mismatch between claim and artifacts, proceed cautiously — the skill is suspicious but not provably malicious without further inspection.
Functional analysis

Type: OpenClaw Skill
Name: clawshell-0-1-0
Version: 1.0.0

The skill's stated purpose in SKILL.md is to provide a human-in-the-loop security layer, which is a benign and security-enhancing objective. However, the `package.json`, `package-lock.json`, and `pnpm-lock.yaml` files declare a dependency on a package named `package-lock.json` from the npm registry. This is highly unusual and indicates a potential supply chain risk or a packaging error, as a package should not depend on a lockfile itself. While there is no clear evidence of intentional malicious behavior by the skill's author, this dependency introduces a significant vulnerability and makes the skill suspicious.

Capability assessment
Purpose & Capability
The SKILL.md promises a clawshell_bash tool that intercepts and mediates shell commands, but the skill bundle contains no executable, no implementation files, and no install spec. It declares node and Pushover env vars (which are consistent with sending push notifications), but there is no local code to actually perform interception; instead the README instructs the operator to run `npm install` to fetch dependencies — an unexpected shift of responsibility and a mismatch between described capability and provided artifacts.
Instruction Scope
Runtime instructions tell the operator/agent to run `npm install` in the skill directory and to add clawshell_bash to TOOLS.md so the agent uses it for all shell execution. Those steps implicitly require downloading and executing third-party code to implement the promised behavior. The instructions also suggest writing secrets to a .env file and modifying the agent's TOOLS.md (which affects global agent behavior). The instructions do not provide implementation details or safe validation steps before executing remote code.
Install Mechanism
There is no declared install spec, but the SKILL.md explicitly instructs running `npm install`. The included package.json is minimal and depends on a package named `package-lock.json` (odd and unexpected). The lock files point to a public npm package — instructing an operator to run `npm install` will fetch code from the public registry, which can execute arbitrary install scripts. Because the skill bundle contains no local implementation, running npm install is the only way to obtain the runtime code — that introduces a download-from-registry risk that is not vetted by the skill metadata.
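
A pre-install check for the anomalies described above, as an added example that is not part of the skill bundle or the marketplace's scanner. The `auditManifest` function, its finding names and the sample manifest (including the version range) are constructed for illustration.

```javascript
// Added example: static checks on a package.json and the bundle's file list,
// run BEFORE `npm install`. Names and finding kinds are hypothetical.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
const FILE_LIKE = /\.(json|ya?ml|lock)$/i;            // dependency named like a file
const REMOTE_SPEC = /^(git[+:]|https?:|github:|file:)/i; // not a registry range
const CODE_FILE = /\.(js|mjs|cjs|ts)$/i;

function auditManifest(manifest, bundleFiles) {
  const findings = [];
  // Scripts npm runs automatically during install.
  for (const hook of LIFECYCLE) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (cmd) findings.push({ kind: 'lifecycle-script', name: hook, detail: cmd });
  }
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (FILE_LIKE.test(name)) {
        findings.push({ kind: 'file-like-dependency', name, detail: field });
      }
      if (REMOTE_SPEC.test(String(spec))) {
        findings.push({ kind: 'non-registry-source', name, detail: String(spec) });
      }
    }
  }
  // A bundle with no code of its own gets all runtime behaviour from the registry.
  if (!bundleFiles.some((file) => CODE_FILE.test(file))) {
    findings.push({ kind: 'no-implementation', name: manifest.name || '(unnamed)',
      detail: 'bundle contains no JavaScript/TypeScript files' });
  }
  return findings;
}

// Constructed sample mirroring the analysis: a dependency named after a lockfile.
const sampleManifest = {
  name: 'clawshell',
  version: '1.0.0',
  dependencies: { 'package-lock.json': '^1.0.0' },
};
const sampleFiles = ['SKILL.md', 'package.json', 'package-lock.json', 'pnpm-lock.yaml'];

for (const f of auditManifest(sampleManifest, sampleFiles)) {
  console.log(`${f.kind}: ${f.name} (${f.detail})`);
}
```

This inspects only the top-level manifest; install scripts belonging to fetched dependencies are not visible here, and `npm install --ignore-scripts` keeps them from running while `node_modules` is reviewed.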
Credentials
The two required env vars (CLAWSHELL_PUSHOVER_USER and CLAWSHELL_PUSHOVER_TOKEN) are consistent with the stated use of Pushover for approval notifications. The SKILL.md also mentions optional Telegram variables (CLAWSHELL_TELEGRAM_*), which are not declared as required — this is a minor inconsistency but not by itself malicious. Requiring push-notification credentials is proportional to the described functionality, but exposing those credentials to unreviewed code (via npm install) would be risky.
Persistence & Privilege
The skill does not request always:true, does not request system-wide config changes programmatically in its metadata, and is user-invocable only. The SKILL.md asks you to manually edit TOOLS.md to route shell commands through clawshell_bash, which is a manual, visible change rather than a hidden privilege escalation. Autonomous invocation is allowed (the platform default) but is not combined with other high-privilege flags.
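How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install clawshell-0-1-0
  3. After installation, call the Skill by name or trigger it with /clawshell-0-1-0
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history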
v1.0.0
Initial release of ClawShell: Human-in-the-loop security layer for shell command execution.
  • Intercepts shell commands, analyzes risk, and enforces push notification approval for high-risk operations.
  • Categorizes commands into Critical (blocked), High (approval required), Medium (logged), and Low (allowed).
  • Provides three main tools: `clawshell_bash` (secure command exec), `clawshell_status` (view pending/recent approvals), and `clawshell_logs` (audit logs).
  • Supports push notifications via Pushover or Telegram.
  • Highly configurable through environment variables and `config.yaml`.
  • Enforces all decisions via a persistent JSONL audit log.
Metadata
Slug clawshell-0-1-0
Version 1.0.0
License
Total installs 2
Current installs 0
Historical versions 1
FAQ

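What is Clawshell 0.1.0?

Human-in-the-loop security layer. Intercepts high-risk commands and requires push notification approval. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1693 total downloads to date.

How do I install Clawshell 0.1.0?

Run the command "/install clawshell-0-1-0" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Clawshell 0.1.0 free?

Yes, Clawshell 0.1.0 is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Clawshell 0.1.0 support?

Clawshell 0.1.0 is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Clawshell 0.1.0?

It is developed and maintained by Lucky-2968 (@lucky-2968); the current version is v1.0.0.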
