Trust Assessment
safe-exec received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 1 critical, 0 high, 11 medium, and 0 low severity. Key findings include sensitive environment variable access to `$HOME`, `$USER`, and `$GITHUB_USER`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 30/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Command Execution via `eval` in Approval Script.** The `safe-exec-approve.sh` script uses `eval "$COMMAND"` to execute commands after user approval. While the `safe-exec.sh` script attempts to detect and filter dangerous commands using pattern matching (`assess_risk`), this is a heuristic and can be bypassed by sufficiently obfuscated or novel malicious commands. The `eval` command is inherently unsafe as it executes arbitrary shell code. An attacker who can craft a command that bypasses the initial risk assessment (or directly manipulate the pending request file if they have file system access) can achieve arbitrary command execution upon approval. Although `jq -Rs .` is used to store the command safely within the JSON file, this only prevents JSON injection, not shell command injection when `eval` is used. Replace `eval "$COMMAND"` with a safer execution method. Ideally, commands should be executed within a sandboxed environment or a more robust command parsing and execution mechanism that does not rely on `eval`. If direct execution is unavoidable, consider using `bash -c "$COMMAND"` with careful sanitization, or explicitly calling the command and its arguments after parsing them securely, rather than executing a raw string. | LLM | scripts/safe-exec-approve.sh:40 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/scripts/safe-exec-ai-wrapper.sh:5 |
| MEDIUM | **Sensitive environment variable access: $USER.** Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/scripts/safe-exec-ai-wrapper.sh:25 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/scripts/safe-exec-approve.sh:5 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/scripts/safe-exec-list.sh:4 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/scripts/safe-exec-reject.sh:5 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/scripts/safe-exec.sh:5 |
| MEDIUM | **Sensitive environment variable access: $USER.** Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/scripts/safe-exec.sh:288 |
| MEDIUM | **Sensitive environment variable access: $GITHUB_USER.** Access to sensitive environment variable '$GITHUB_USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/tools/publish-to-github.sh:9 |
| MEDIUM | **Sensitive environment variable access: $GITHUB_USER.** Access to sensitive environment variable '$GITHUB_USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/tools/push-to-github.sh:10 |
| MEDIUM | **Sensitive environment variable access: $GITHUB_USER.** Access to sensitive environment variable '$GITHUB_USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/ottttto/safe-exec/tools/release.sh:51 |
| MEDIUM | **Unsecured Configuration File Allows Bypass of Safety Mechanisms.** The `~/.openclaw/safe-exec-rules.json` file controls critical aspects of SafeExec, including its enabled status and user confirmation keywords. The skill does not explicitly enforce or recommend strict file system permissions for this configuration file. If this file is not adequately protected, an attacker or a compromised agent could modify it to disable SafeExec entirely (`"enabled": false`) or manipulate the `contextAware.confirmationKeywords` to easily bypass the user approval workflow, thereby undermining the skill's core security features. Implement strict file system permissions for `~/.openclaw/safe-exec-rules.json` (e.g., `chmod 600`) to ensure only the owner can read and write to it. Add a clear recommendation in the skill's documentation for users to secure this critical configuration file. For enhanced security, consider implementing cryptographic signing or integrity checks for the rules file to detect unauthorized modifications. | LLM | scripts/safe-exec.sh:15 |