Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub · AI
OpenExec — Deterministic Execution Boundary for Agent Systems
Source-distributed deterministic execution service with pinned dependencies. Runs only with a signed approval artifact (ClawShield mode) and emits verifiable...
skill openclawclawhub Free
Source-distributed deterministic execution service with pinned dependencies. Runs only with a signed approval artifact (ClawShield mode) and emits verifiable...
⬇ 0 downloads ★ 0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- README.md, SECURITY.md, SKILL.md, config/openexec.example.json, main.py, openexec/__init__.py
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 0.1.10
Provenance
- Publisher
- trendinghot
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
OpenExec — Governed Deterministic Execution (Skill)
OpenExec is a runnable governed execution service. It executes only what has already been approved. It is not an agent. It is not a policy engine. It does not self-authorize. OpenExec performs no outbound HTTP, RPC, or governance calls during signature verification or execution. All verification is fully offline. By default, OpenExec uses a local SQLite database (sqlite:///openexec.db). Database network I/O occurs only if explicitly configured by the operator via OPENEXEC_DB_URL.
Install
pip install -r requirements.txt
Run (local)
python -m uvicorn main:app --host 0.0.0.0 --port 5000
Endpoints
GET / → service info (deployment health check) GET /health → health status, mode, restriction level GET /ready → readiness check GET /version → version metadata POST /execute → execute an approved action deterministically POST /receipts/verify → verify receipt hash integrity
1) Demo mode (default, free)
No external governance required. No env vars required. export OPENEXEC_MODE=demo Demo mode still enforces: deterministic execution replay protection (nonce uniqueness) receipt generation
2) ClawShield mode (production / business)
Requires a signed approval artifact issued by ClawShield. OpenExec verifies the Ed25519 signature offline using the configured public key. export OPENEXEC_MODE=clawshield export CLAWSHIELD_PUBLIC_KEY="-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----" export CLAWSHIELD_TENANT_ID="tenant-id" If signature validation fails, execution is denied. Note: ClawShield governance SaaS is available at https://clawshield.forgerun.ai/. OpenExec does not contact this URL at runtime. It is provided for reference only.
Environment Variables
All environment variables are optional. OpenExec runs with zero configuration in demo mode. VariableDefaultDescriptionOPENEXEC_MODEdemoExecution mode: demo or clawshieldCLAWSHIELD_PUBLIC_KEY(none)PEM-encoded Ed25519 public key for signature verificationCLAWSHIELD_TENANT_ID(none)Tenant identifier for multi-tenant isolationOPENEXEC_ALLOWED_ACTIONS(none)Comma-separated list of permitted actions. If unset, all registered actions are allowedOPENEXEC_DB_URLsqlite:///openexec.dbDatabase URL for execution record persistence
90-Second Quickstart (Demo)
Start server: python -m uvicorn main:app --host 0.0.0.0 --port 5000 Confirm health: curl http://localhost:5000/health Execute a deterministic demo action: curl -X POST http://localhost:5000/execute \ -H "Content-Type: application/json" \ -d '{ "action":"echo", "payload":{"msg":"hello"}, "nonce":"unique-1" }' Replay attempt (returns same result, no re-execution): curl -X POST http://localhost:5000/execute \ -H "Content-Type: application/json" \ -d '{ "action":"echo", "payload":{"msg":"hello"}, "nonce":"unique-1" }'
Receipts
Every execution produces a receipt hash. Receipts are evidence, not logs. Verify a receipt: curl -X POST http://localhost:5000/receipts/verify \ -H "Content-Type: application/json" \ -d '{"exec_id":"<id>","result":"<result_json>","receipt":"<hash>"}'
What this skill does
Accepts structured execution requests Enforces replay protection Executes deterministically (approved parameters only) Emits verifiable receipts for every attempt In ClawShield mode: verifies signed approvals before execution Supports optional execution allow-list via environment variable
What this skill does not do
Define policy Grant permissions Reason autonomously Override governance decisions Self-authorize execution Make outbound HTTP or governance calls during execution Provide OS-level sandboxing or container isolation
Security Boundary Notice
OpenExec enforces execution boundaries at the application layer. It does not provide OS-level sandboxing. Deploy behind containerization, VM isolation, or hardened environments when actions interact with production systems. OpenExec enforces authority separation. It is not a sandbox.
Architecture context (3-layer separation)
OpenExec -- deterministic execution adapter (this skill) ClawShield -- governance + approval minting (SaaS): https://clawshield.forgerun.ai/ ClawLedger -- witness ledger (optional integration) Each layer is replaceable. No single layer can act alone.
Security Documentation
A full security model, threat assumptions, and production hardening checklist are available in SECURITY.md. This skill intentionally separates: Execution enforcement (OpenExec) Infrastructure isolation (operator responsibility)
Execution Safety Guarantees
This skill: Does not dynamically load code Does not evaluate user input as code Uses a static handler registry Does not install packages at runtime Does not fetch remote execution logic
Category context
Agent frameworks, memory systems, reasoning layers, and model-native orchestration.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
3 Docs2 Scripts1 Config
- SKILL.md
- README.md
- SECURITY.md
- main.py
- openexec/__init__.py
- config/openexec.example.json