Changelog
All notable changes to SafeExec will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[0.3.3] - 2026-02-26
Security
- Enhanced SKILL.md metadata - Added explicit declarations for network, monitoring, and credential requirements
- Documented Agent Mode - Clearly explained non-interactive execution behavior with full audit logging
- Added Security & Privacy section - Comprehensive documentation of what SafeExec does and does NOT do
- Created CLAWDHUB_SECURITY_RESPONSE.md - Detailed response to security review concerns
Changed
- SKILL.md - Added comprehensive metadata section
  - Declares environment variables: SAFE_EXEC_DISABLE, OPENCLAW_AGENT_CALL, SAFE_EXEC_AUTO_CONFIRM
  - Declares write paths: ~/.openclaw/safe-exec/, ~/.openclaw/safe-exec-audit.log
  - Explicitly states: network=false, monitoring=false, credentials=[]
- SKILL.md - Added "Security & Privacy" section
  - Clearly documents what SafeExec does and does NOT do
  - Addresses all ClawdHub security review concerns
- SKILL.md - Enhanced "Agent Mode" section
  - Explains non-interactive execution behavior
  - Documents full audit logging for agent-executed commands
  - Clarifies safety preservation in agent mode
Security Notes
- ✅ No monitoring - Does not read chat sessions or conversation history
- ✅ No network calls - Works entirely locally (except git clone during manual installation)
- ✅ No external notifications - No integration with Feishu, webhooks, or external services
- ✅ No background processes - No cron jobs or persistent monitoring daemons
- ✅ Transparent audit logging - All executions logged with mode label (user_approved / agent_auto)
- ⚠️ Agent mode preserved - Non-interactive bypass for automation, fully audited
Addressed Issues
This release directly addresses security review concerns from ClawdHub:
- Declared capabilities: Explicit metadata in SKILL.md
- Documented behavior: Agent mode clearly explained with safety guarantees
- Transparency: Comprehensive "Security & Privacy" section
[0.3.2] - 2026-02-26
Security
- Removed monitoring subsystem - Deleted unified-monitor.sh and all monitoring components
- Removed external integrations - No more Feishu notifications, GitHub monitoring, or OpenClaw comment checking
- Simplified project scope - Focused purely on command approval functionality
Removed
- UNIFIED_MONITOR.md - Unified monitoring system documentation
- docs/GITHUB_ISSUE_MONITOR.md - GitHub issue monitoring documentation
- docs/BLOG.md / docs/BLOG_EN.md - Blog posts with notification references
- docs/CONTRIBUTING.md - Outdated contribution guide
- docs/FIX_REPORT_v0.1.3.md / docs/FIX_REPORT_v0.2.3.md - Historical fix reports
- docs/GITHUB_RELEASE_v0.2.0.md - GitHub release documentation
- docs/GLOBAL_SWITCH_GUIDE.md - Global switch usage guide
- docs/PROJECT_REPORT.md - Project report
- docs/PUBLISHING_GUIDE.md - Publishing tool documentation
- docs/RELEASE_NOTES.md - Release notes
- docs/RELEASE_v0.2.0.md / docs/RELEASE_v0.2.4.md - Historical release documentation
- docs/USAGE.md - Usage documentation
- tools/publish-to-github.sh - GitHub publishing script
- tools/push-to-github.sh - Git push script
- tools/release.sh - Release automation script
- RELEASE_v0.3.2.md - Release documentation
- UPDATE_NOTES.md - Update notes
Changed
- README_EN.md - Removed Feishu environment variable configuration
[Unreleased]
[0.2.4] - 2026-02-01
Fixed
- Non-interactive hang issue: Fixed safe-exec-approve.sh hanging when called by OpenClaw Agent
- Script now detects non-interactive environments and skips confirmation prompt
- Added OPENCLAW_AGENT_CALL and SAFE_EXEC_AUTO_CONFIRM environment variable support
- TTY detection using [[ -t 0 ]] for automatic environment detection
Changed
- Interactive confirmation is now conditional based on environment
- Human terminal usage maintains safety confirmation
- Agent calls automatically bypass confirmation (prevents hanging)
Added
- FIX_REPORT_v0.2.3.md - Detailed fix report with test results
- Smart environment detection logic (TTY + environment variables)
- Visual indicator for non-interactive mode: 🤖 非交互式环境 - 自动跳过确认
Security
- ✅ All security features preserved
- ✅ Danger pattern detection unchanged
- ✅ Risk assessment mechanism unchanged
- ✅ Approval workflow intact
- ✅ Audit logging complete
- ✅ Human users still get confirmation prompt in terminals
Testing
- ✅ Agent call scenario: Pass (no hang, completes in <1s)
- ✅ Environment variable detection: Pass
- ✅ Human terminal usage: Pass (confirmation preserved)
- ✅ Command execution: Pass (successful)
- ✅ Request cleanup: Pass
Backwards Compatibility
- ✅ Fully backwards compatible
- ✅ Existing usage patterns unchanged
- ✅ Human user experience unchanged
- ✅ Agent calls automatically adapt
[0.2.3] - 2026-02-01
Added
- Context-aware risk assessment: Detect user confirmation keywords
- Dynamic risk level adjustment based on user intent
- Customizable confirmation keywords
- safe-exec-ai-wrapper.sh for AI Agent integration
- test-context-aware.sh test suite
Changed
- Risk assessment now considers user context
- CRITICAL + confirmation → MEDIUM (still requires approval)
- HIGH + confirmation → LOW (direct execution)
- MEDIUM + confirmation → LOW (direct execution)
Security
- CRITICAL operations always require approval
- All operations logged to audit trail
- Configurable strictness level
[0.2.0] - 2026-02-01
Added
- Global on/off switch for SafeExec
- New commands: --enable, --disable, --status
- Configuration file safe-exec-rules.json now includes enabled field
- When disabled, commands execute directly without safety checks
- Audit log includes bypassed events when disabled
Changed
- Improved is_enabled() function to handle false correctly
- Updated status display to show current protection state
- Enhanced user feedback for enable/disable operations
Fixed
- Critical Bug: Fixed jq // operator treating false as falsy
- Now explicitly checks .enabled == true instead of .enabled // true
- This ensures SafeExec can be properly toggled on/off
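The jq behaviour behind this fix, as an added example (not SafeExec's own code): jq's // operator yields its right-hand side whenever the left side is false or null, so the expressions below diverge on a disabled or missing enabled field. The .enabled != false variant, the is_enabled_fail_closed helper and the sample configs are assumptions constructed for illustration; jq must be installed.

```shell
#!/bin/sh
# Added illustration, not SafeExec's code. Requires jq on PATH.

OLD='.enabled // true'          # expression the changelog says was replaced
NEW='.enabled == true'          # expression the changelog says replaced it
DEFAULT_ON='.enabled != false'  # assumption: default-on alternative

# Constructed sample configs (only the "enabled" field comes from the page).
CFG_ON='{"enabled": true}'
CFG_OFF='{"enabled": false}'
CFG_MISSING='{"rules": []}'
CFG_BROKEN='{"enabled": fal'

# eval_enabled EXPR JSON: print jq's result, or "error" if jq cannot parse.
eval_enabled() {
    printf '%s' "$2" | jq -r "$1" 2>/dev/null || echo error
}

# is_enabled_fail_closed JSON (hypothetical helper): succeed unless the
# config explicitly says false, so a missing field or a parse error
# keeps protection on.
is_enabled_fail_closed() {
    [ "$(eval_enabled "$DEFAULT_ON" "$1")" != "false" ]
}

# Print how each expression treats each config.
show_table() {
    for expr in "$OLD" "$NEW" "$DEFAULT_ON"; do
        for cfg in "$CFG_ON" "$CFG_OFF" "$CFG_MISSING" "$CFG_BROKEN"; do
            printf '%-18s %-20s -> %s\n' "$expr" "$cfg" \
                "$(eval_enabled "$expr" "$cfg")"
        done
    done
}

show_table
```

With .enabled // true an explicit false still evaluates to true, so the switch cannot be turned off; with .enabled == true a config that lacks the field evaluates to false, which is worth checking for when upgrading an older rules file.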
Security Note
⚠️ Warning: When SafeExec is disabled, ALL commands execute directly without protection! Only disable in trusted environments.
[0.1.3] - 2026-02-01
Fixed
- Configuration Fix: Removed incorrect SafeExec plugin configuration
- SafeExec is now properly configured as a Skill (not a Plugin)
- Eliminated startup warning logs about missing plugin skill paths
- Clean separation between Plugin (core extension) and Skill (Agent tool)
Changed
- Removed ~/.openclaw/extensions/safe-exec/ (incorrect Plugin version)
- Kept ~/.openclaw/skills/safe-exec/ (correct Skill version)
- Updated openclaw.json to remove plugin entry for safe-exec
Technical Details
- Before: SafeExec was registered in plugins.entries.safe-exec
- After: SafeExec is loaded from skills.load.extraDirs
- Benefit: Correct architecture, no warning logs, proper Skill behavior
[0.1.2] - 2026-01-31
Added
- Comprehensive USAGE.md guide (3000+ words)
- CONTRIBUTING.md with contribution guidelines
- CHANGELOG.md following Keep a Changelog format
- release.sh automation script
- RELEASE_NOTES.md for v0.1.2
- .github/workflows/test.yml for CI/CD
- PROJECT_REPORT.md with completion status
Documentation
- Complete installation guide
- Usage examples and scenarios
- Troubleshooting section
- FAQ (Frequently Asked Questions)
- Best practices guide
[0.1.1] - 2026-01-31
Added
- Automatic cleanup of expired approval requests
- cleanup_expired_requests() function
- --cleanup flag for manual cleanup
- Default 5-minute timeout for requests
- Audit log entries for expiration events
Improved
- Prevents request database from growing indefinitely
- Automatic cleanup on every command execution
- Better security with request expiration
[0.1.0] - 2026-01-31
Added
- Core risk assessment engine
- Command interception system
- Approval workflow
- Audit logging
- Integration with OpenClaw
- Initial documentation
Security
- 10+ danger pattern detection
- Fork bomb detection
- System directory protection
- Pipe injection prevention
[0.2.0] - Planned
Planned
- Web UI for approval management
- Multi-channel notifications (Telegram, Discord)
- ML-based risk assessment
- Batch operation support
- Rate limiting