Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub ยท Other
Safe Exec
Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agen...
skill openclawclawhub Free
Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agen...
โฌ 0 downloads โ
0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- CHANGELOG.md, CLAWDHUB_APPEAL.md, CLAWDHUB_SECURITY_RESPONSE.md, GITHUB_ISSUE_TEMPLATE.md, README-detail.md, README.md
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 0.3.4
Provenance
- Publisher
- OTTTTTO
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
SafeExec - Safe Command Execution
Provides secure command execution capabilities for OpenClaw Agents with automatic interception of dangerous operations and approval workflow.
Features
๐ Automatic danger pattern detection - Identifies risky commands before execution ๐จ Risk-based interception - Multi-level assessment (CRITICAL/HIGH/MEDIUM/LOW) ๐ฌ In-session notifications - Real-time alerts in your current terminal/session โ User approval workflow - Commands wait for explicit confirmation ๐ Complete audit logging - Full traceability of all operations ๐ค Agent-friendly - Non-interactive mode support for automated workflows ๐ง Platform-agnostic - Works independently of communication tools (webchat, Feishu, Telegram, etc.) ๐ Security-focused - No monitoring, no external notifications, no network calls
Agent Mode
When called by OpenClaw agents in non-interactive environments: Automatic bypass of confirmation prompts - Prevents agent hanging Full audit logging - All executions recorded with mode label (agent_auto vs user_approved) Safety preserved - Danger pattern detection and risk assessment remain active Intended use case - Automated workflows with human oversight via audit logs Environment variables: OPENCLAW_AGENT_CALL - Set by OpenClaw when agent executes commands SAFE_EXEC_AUTO_CONFIRM - Manual override to auto-approve LOW/MEDIUM risk commands Security Note: Agent mode does not disable safety checks. CRITICAL and HIGH risk commands are still intercepted, logged, and can be reviewed in audit trail.
Installation (One Command)
The easiest way to install SafeExec: Just say in your OpenClaw chat: Help me install SafeExec skill from ClawdHub OpenClaw will automatically download, install, and configure SafeExec for you!
Alternative: Manual Installation
If you prefer manual installation: # Clone from GitHub git clone https://github.com/OTTTTTO/safe-exec.git ~/.openclaw/skills/safe-exec # Make scripts executable chmod +x ~/.openclaw/skills/safe-exec/safe-exec*.sh # Create symlinks to PATH (optional) ln -s ~/.openclaw/skills/safe-exec/safe-exec.sh ~/.local/bin/safe-exec ln -s ~/.openclaw/skills/safe-exec/safe-exec-*.sh ~/.local/bin/
Enable SafeExec
After installation, simply say: Enable SafeExec SafeExec will start monitoring all shell commands automatically!
How It Works
Once enabled, SafeExec automatically monitors all shell command executions. When a potentially dangerous command is detected, it intercepts the execution and requests your approval through in-session terminal notifications. Architecture: Requests stored in: ~/.openclaw/safe-exec/pending/ Audit log: ~/.openclaw/safe-exec-audit.log Rules config: ~/.openclaw/safe-exec-rules.json No external network calls No background monitoring processes
Usage
Enable SafeExec: Enable SafeExec Turn on SafeExec Start SafeExec Once enabled, SafeExec runs transparently in the background. Agents can execute commands normally, and SafeExec will automatically intercept dangerous operations: Delete all files in /tmp/test Format the USB drive SafeExec detects the risk level and displays an in-session prompt for approval.
Risk Levels
CRITICAL: System-destructive commands (rm -rf /, dd, mkfs, fork bombs) HIGH: User data deletion or significant system changes (chmod 777, curl | bash) MEDIUM: Service operations or configuration changes (sudo, firewall modifications) LOW: Read operations and safe file manipulations
Approval Workflow
Agent executes a command SafeExec analyzes the risk level In-session notification displayed in your terminal Approve or reject via: Terminal: safe-exec-approve <request_id> List pending: safe-exec-list Reject: safe-exec-reject <request_id> Command executes or is cancelled Example notification: ๐จ **Dangerous Operation Detected - Command Intercepted** **Risk Level:** CRITICAL **Command:** `rm -rf /tmp/test` **Reason:** Recursive deletion with force flag **Request ID:** `req_1769938492_9730` โน๏ธ This command requires user approval to execute. **Approval Methods:** 1. In terminal: `safe-exec-approve req_1769938492_9730` 2. Or: `safe-exec-list` to view all pending requests **Rejection Method:** `safe-exec-reject req_1769938492_9730`
Configuration
Environment variables for customization: SAFE_EXEC_DISABLE - Set to '1' to globally disable safe-exec OPENCLAW_AGENT_CALL - Automatically enabled in agent mode (non-interactive) SAFE_EXEC_AUTO_CONFIRM - Auto-approve LOW/MEDIUM risk commands
Examples
Enable SafeExec: Enable SafeExec After enabling, agents work normally: Delete old log files from /var/log SafeExec automatically detects this is HIGH risk (deletion) and displays an in-session approval prompt. Safe operations pass through without interruption: List files in /home/user/documents This is LOW risk and executes without approval.
Global Control
Check status: safe-exec-list View audit log: cat ~/.openclaw/safe-exec-audit.log Disable SafeExec globally: Disable SafeExec Or set environment variable: export SAFE_EXEC_DISABLE=1
Reporting Issues
Found a bug? Have a feature request? Please report issues at: ๐ https://github.com/OTTTTTO/safe-exec/issues We welcome community feedback, bug reports, and feature suggestions! When reporting issues, please include: SafeExec version (run: grep "VERSION" ~/.openclaw/skills/safe-exec/safe-exec.sh) OpenClaw version Steps to reproduce Expected vs actual behavior Relevant logs from ~/.openclaw/safe-exec-audit.log
Audit Log
All command executions are logged with: Timestamp Command executed Risk level Execution mode (user_approved / agent_auto) Approval status Execution result Request ID for traceability Log location: ~/.openclaw/safe-exec-audit.log
Security & Privacy
What SafeExec does: โ Intercepts shell commands before execution โ Detects dangerous patterns using regex matching โ Requests user approval for risky commands โ Logs all executions to local audit file โ Works entirely locally on your machine What SafeExec does NOT do: โ No monitoring of chat sessions or conversation history โ No reading of OpenClaw session data โ No external network requests (except git clone during installation) โ No sending data to external services โ No background monitoring processes or cron jobs โ No integration with external notification services (Feishu, webhooks, etc.)
Integration
SafeExec integrates seamlessly with OpenClaw agents. Once enabled, it works transparently without requiring changes to agent behavior or command structure. The approval workflow is entirely local and independent of any external communication platform.
Platform Independence
SafeExec operates at the session level, working with any communication channel your OpenClaw instance supports (webchat, Feishu, Telegram, Discord, etc.). The approval workflow happens through your terminal, ensuring you maintain control regardless of how you're interacting with your agent.
Support & Community
GitHub Repository: https://github.com/OTTTTTO/safe-exec Issue Tracker: https://github.com/OTTTTTO/safe-exec/issues Documentation: README.md ClawdHub: https://www.clawhub.ai/skills/safe-exec
License
MIT License - See LICENSE for details.
Category context
Long-tail utilities that do not fit the current primary taxonomy cleanly.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
6 Docs
- CHANGELOG.md
- CLAWDHUB_APPEAL.md
- CLAWDHUB_SECURITY_RESPONSE.md
- GITHUB_ISSUE_TEMPLATE.md
- README-detail.md
- README.md