📦 Safe Exec 0.3.2 — 安全命令执行
v1.0.0为 OpenClaw 智能体提供带危险模式识别、风险分级、人工审批与审计日志的 shell 命令安全执行环境,可拦截 rm -rf、dd、fork 炸弹等高危操作,支持 CRITICAL/HIGH/MEDIUM/LOW 四级评估、会话内通知、待审批队列及无人值守自动化。
4· 2.4k·20 当前·22 累计
by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Things to check before installing:
- Source authenticity: SKILL.md and READMEs reference a GitHub repo (OTTTTTO/safe-exec) but the registry shows 'Source: unknown' and no homepage. Verify the canonical repository URL and the publisher identity before installing.
- Read the scripts (especially scripts/safe-exec.sh and scripts/safe-exec-ai-wrapper.sh): the package is script-based — inspect what it writes to ~/.openclaw/, what commands it executes, and whether it modifies shell startup files or P...详细分析 ▾
ℹ 用途与能力
The name/description (SafeExec) align with the shipped scripts and docs: there are multiple shell scripts for interception, approval, listing pending requests, and audit logging. However the SKILL.md claims it will “automatically monitor all shell commands” system-wide as a Skill (not a plugin). That capability normally requires either modifying shell startup files, wrapping executables, or being integrated in the host runtime — none of which are declared explicitly. The repository includes wrapper scripts and link/installation guidance (symlinks, PATH changes, OpenClaw config edits), so behavior is plausible, but the SKILL.md overstates 'automatic' system-wide interception without detailing the required host changes.
⚠ 指令范围
Runtime instructions tell the agent/user to install via ClawdHub or git clone and then enable SafeExec so it will 'monitor all shell commands' and intercept dangerous ones. The docs and scripts reference persistent file locations (~/.openclaw/safe-exec/, ~/.openclaw/safe-exec-audit.log, pending/), cron jobs (monitoring), and monitoring of OpenClaw sessions/GitHub issues. The instruction set therefore encourages creating long-lived files, cron/monitoring tasks, and potentially reading OpenClaw session data. The SKILL.md does not require or declare any credentials for external notification channels (Feishu/GitHub) yet the monitoring code and docs describe sending notifications and calling APIs — that scope creep (reading session messages and posting external notifications) is not clearly scoped or constrained in the skill metadata.
ℹ 安装机制
Registry shows no install spec (instruction-only), which is lower risk. The package itself contains many script files (safe-exec.sh and helpers) and tooling; installation guidance in SKILL.md recommends git clone from GitHub or using ClawdHub. There are no opaque remote downloads or binary installers in the metadata. That said, the SKILL.md suggests an in-chat 'Help me install...' action that will cause the agent/system to fetch & install the skill — you should confirm what exact URL and code will be fetched by that mechanism (the docs reference a GitHub repo but the registry 'Source' is 'unknown' and homepage is empty).
⚠ 凭证需求
The skill metadata declares no required environment variables or credentials, but the documentation lists configuration variables (SAFE_EXEC_DISABLE, OPENCLAW_AGENT_CALL, SAFE_EXEC_AUTO_CONFIRM, SAFE_EXEC_FEISHU_GROUP, SAFE_EXEC_AUDIT_LOG) and monitoring features that post to Feishu/GitHub and read OpenClaw session data. The skill may rely on existing OpenClaw CLI/credentials on the host to access session history or send notifications, which is not documented in the registry metadata. In short: no explicit credential requests is plausible, but the code/docs indicate access to external services and agent session content — that access is not declared and thus disproportionate to what the metadata advertises.
ℹ 持久化与权限
The skill does not request always: true and does not declare elevated privileges. However it writes persistent data under ~/.openclaw/, creates cron/monitoring scripts, and provides non-interactive (agent) bypass behavior (OPENCLAW_AGENT_CALL) that automatically skips confirmations for agent calls. Those are significant operational behaviors: the skill establishes ongoing local presence and can change runtime behavior for automated agent runs. This persistence is expected for a protection tool, but it increases blast radius if the skill were malicious or misconfigured.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/4
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install safe-exec-0-3-2
镜像加速npx clawhub@latest install safe-exec-0-3-2 --registry https://cn.longxiaskill.com