safe-exec
Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agents need to execute shell commands that may be dangerous (rm -rf, dd, fork bombs, system directory modifications) or require human oversight. Provides multi-level risk assessment (CRITICAL/HIGH/MEDIUM/LOW), in-session notifications, pending request management, and non-interactive environment support for agent automation.
Why use this skill?
Enhance your OpenClaw agent security with SafeExec. Automatic danger pattern detection, risk assessment, and user approval for all shell commands.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/lucky-2968/safe-exec-0-3-2
What This Skill Does
SafeExec provides an essential security layer for OpenClaw agents, functioning as a proactive shield against accidental or malicious system damage. By intercepting shell commands before they are executed, it performs a real-time risk assessment using a multi-level classification system (CRITICAL, HIGH, MEDIUM, LOW). Whether the agent attempts a catastrophic operation like deleting the root directory or modifying system configuration files, SafeExec ensures that nothing proceeds without explicit human intervention. It maintains a strict audit log and utilizes an in-session notification system that integrates directly into your terminal workflow, ensuring you are always aware of what the agent is planning to execute on your machine.
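The classification step described above can be sketched as follows. This is an added example, not SafeExec's own code: the page names the four levels and the pattern families (rm -rf, dd, fork bombs, system directory modifications), while the directory list, the regular expression and the mapping of patterns to levels are assumptions. It needs Python 3.8 or later.

```python
import re
import shlex

# Level names come from the page; every list, pattern and mapping is assumed.
LEVELS = ("LOW", "MEDIUM", "HIGH", "CRITICAL")
SYSTEM_DIRS = ("/etc", "/usr", "/bin", "/sbin", "/boot", "/lib")
WRITERS = {"rm", "mv", "cp", "chmod", "chown", "ln", "tee"}
FORK_BOMB = re.compile(r":\s*\(\s*\)\s*\{[^}]*:\s*\|\s*:[^}]*\}")  # classic form only

def is_system_path(arg):
    if not arg.startswith("/"):
        return False
    path = arg.rstrip("/*") or "/"  # "/*" and "/etc/" count as "/" and "/etc"
    return path == "/" or any(path == d or path.startswith(d + "/") for d in SYSTEM_DIRS)

def simple_commands(command):
    """Split a chain on ; | && || ( ) < > so each command is judged on its own."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments = [[]]
    for tok in lexer:  # raises ValueError on unbalanced quotes
        if tok and set(tok) <= set("();<>|&"):
            segments.append([])
        else:
            segments[-1].append(tok)
    return [s for s in segments if s]

def assess(command):
    """Return (level, reasons) for one shell command line; nothing is executed."""
    hits = [("LOW", "no danger pattern matched")]
    if FORK_BOMB.search(command):
        hits.append(("CRITICAL", "fork bomb"))
    try:
        segments = simple_commands(command)
    except ValueError:  # fail closed: ask a human instead of guessing
        segments, hits = [], hits + [("HIGH", "unparseable quoting")]
    for argv in segments:
        argv = argv[1:] if argv[0] == "sudo" and len(argv) > 1 else argv
        name, args = argv[0].rsplit("/", 1)[-1], argv[1:]
        recursive = any(re.fullmatch(r"--recursive|-[A-Za-z]*[rR][A-Za-z]*", a) for a in args)
        sys_target = any(is_system_path(a) for a in args)
        if name == "rm" and recursive:
            hits.append(("CRITICAL", "recursive delete of a system path") if sys_target
                        else ("MEDIUM", "recursive delete"))
        elif name == "dd" and any(a.startswith("of=/dev/") for a in args):
            hits.append(("CRITICAL", "dd writing to a device"))
        elif name in WRITERS and sys_target:
            hits.append(("HIGH", "modifies a system directory"))
    level = max((h[0] for h in hits), key=LEVELS.index)
    return level, [reason for lvl, reason in hits if lvl == level]
```

A matcher like this only sees the literal command text, which is why the advice under Tips & Limitations to run agents as a least-privileged user still applies.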
Installation
You can install SafeExec effortlessly through the OpenClaw assistant. Simply type 'Help me install SafeExec skill from ClawdHub' into your chat interface, and the assistant will handle the cloning and configuration. For advanced users, you can use the ClawdHub CLI: set your registry via export CLAWDHUB_REGISTRY=https://www.clawhub.ai and run clawhub install safe-exec. Alternatively, clone the repository directly from https://github.com/OTTTTTO/safe-exec.git into your ~/.openclaw/skills/ directory. Once installed, activate it by sending 'Enable SafeExec' to your agent.
Use Cases
SafeExec is ideal for developers who want to empower their AI agents to handle server tasks without the fear of unintended consequences. Use it when performing batch file operations, installing software via shell scripts, managing system processes, or automating daily server maintenance. It is particularly useful when testing agent scripts that interact with system directories, as it provides a 'sandbox-like' approval mechanism for dangerous command patterns.
Example Prompts
- 'Enable SafeExec and monitor all incoming shell commands for security violations.'
- 'List all pending command approvals so I can review what the agent tried to do.'
- 'Approve the command with ID 8829 because I trust the agent is just cleaning the /tmp directory.'
Tips & Limitations
To maximize the utility of SafeExec, always review the generated audit logs located in ~/.openclaw/safe-exec-audit.log. Be aware that while SafeExec effectively catches common patterns, it is not a complete replacement for robust system permissions and user-level access controls. Always run your agents with the least-privileged user necessary. The skill currently focuses on terminal-based shell command interception and may not capture commands executed through non-shell APIs or direct application integration.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-lucky-2968-safe-exec-0-3-2": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags (AI)
Flags: code-execution, file-read, file-write
Related Skills
clawshell
Human-in-the-loop security layer. Intercepts high-risk commands and requires push notification approval.
filesystem
Advanced filesystem operations - listing, searching, batch processing, and directory analysis for Clawdbot
todo-management
Per-workspace SQLite todo manager (./todo.db) with groups and task statuses (pending/in_progress/done/skipped), operated via {baseDir}/scripts/todo.sh for adding, listing, editing, moving, and removing entries and managing groups.
web-search
Search the web for real-time information.