6.2 KiB
False Positive Appeal: SafeExec
Issue Reference
Based on the security review process, SafeExec (skill: safe-exec) was flagged with several security concerns. I believe these concerns have been fully addressed in v0.3.3, and the suspicious flag should be removed.
Skill Information
- Skill Name: safe-exec
- Repository: https://github.com/OTTTTTO/safe-exec
- ClawdHub URL: https://www.clawhub.ai/skills/safe-exec
- Current Version: v0.3.3
- Latest Commit: 0306903
What is SafeExec?
SafeExec is a pure command approval tool for OpenClaw Agents. It provides:
- Dangerous command detection - Intercepts risky shell commands (rm -rf, dd, mkfs, etc.)
- Risk assessment - Multi-level analysis (CRITICAL/HIGH/MEDIUM/LOW)
- User approval workflow - Requires explicit confirmation before execution
- Complete audit logging - Full traceability of all operations
- Agent-friendly - Non-interactive mode for automation (fully audited)
What SafeExec Does NOT Do (Clarifying Misconceptions)
The initial security review identified concerns about monitoring and external integrations. These features were completely removed in v0.3.2:
❌ NO monitoring - Does not read chat sessions or conversation history ❌ NO network calls - Works entirely locally (except git clone during installation) ❌ NO external notifications - No integration with Feishu, webhooks, or external services ❌ NO background processes - No cron jobs or persistent monitoring daemons ❌ NO credentials required - Zero API tokens or authentication needed
Changes Made to Address Security Concerns
v0.3.2 (2026-02-26) - Removed Monitoring Components
Deleted 21 files (4,309 lines) including:
UNIFIED_MONITOR.md- Unified monitoring system documentationdocs/GITHUB_ISSUE_MONITOR.md- GitHub monitoring documentationdocs/BLOG.md/docs/BLOG_EN.md- Blog posts with notification referencestools/publish-to-github.sh- GitHub publishing scripttools/push-to-github.sh- Git push scripttools/release.sh- Release automation script- All historical release notes and fix reports
- All integration guides (Feishu, GitHub, OpenClaw CLI)
v0.3.3 (2026-02-26) - Enhanced Transparency
Added comprehensive metadata declarations:
metadata:
openclaw:
env: ["SAFE_EXEC_DISABLE", "OPENCLAW_AGENT_CALL", "SAFE_EXEC_AUTO_CONFIRM"]
writes: ["~/.openclaw/safe-exec/", "~/.openclaw/safe-exec-audit.log"]
network: false
monitoring: false
credentials: []
Added "Security & Privacy" section to SKILL.md:
- Clearly documents what SafeExec does and does NOT do
- Addresses all ClawdHub security review concerns point-by-point
- Explains Agent Mode behavior with full audit logging
Created detailed security response:
CLAWDHUB_SECURITY_RESPONSE.md- Comprehensive response to all review points
Transparency Commitments
SafeExec v0.3.3 provides complete transparency:
✅ Declared Capabilities
- All environment variables documented
- All file write paths documented
- Explicit
network: falsedeclaration - Explicit
monitoring: falsedeclaration - Explicit
credentials: []declaration
✅ Audit Trail
- Every command execution logged with timestamp
- Mode labeled (user_approved vs agent_auto)
- Risk level recorded
- Approval status tracked
- Request ID for traceability
✅ No Hidden Functionality
- Source code fully open (MIT License)
- No obfuscated installers
- No remote code execution
- No telemetry or data collection
- No external dependencies (except
jqfor JSON parsing)
Agent Mode Clarification
Concern: "Agent calls may automatically bypass confirmation... changes protection model"
Reality:
- Agent mode prevents agent hanging (agents can't interactively confirm)
- Safety checks remain ACTIVE in agent mode
- All commands logged with
agent_automode label - Humans can review audit log at any time
- Can be disabled via
SAFE_EXEC_DISABLE=1
This is standard for agent tools and does not reduce security. The audit trail provides full oversight.
Request to ClawdHub Team
Could you please:
-
Review SafeExec v0.3.3 with the understanding that all monitoring/external integration features have been removed
-
Remove the suspicious flag as the skill is now a transparent, well-documented command approval tool
-
OR share the specific rules triggered so I can further clarify the documentation
Supporting Documentation
- GitHub Repository: https://github.com/OTTTTTO/safe-exec
- v0.3.3 Release: https://github.com/OTTTTTO/safe-exec/releases/tag/v0.3.3
- Security Response: https://github.com/OTTTTTO/safe-exec/blob/master/CLAWDHUB_SECURITY_RESPONSE.md
- SKILL.md: https://github.com/OTTTTTO/safe-exec/blob/master/SKILL.md
- CHANGELOG.md: https://github.com/OTTTTTO/safe-exec/blob/master/CHANGELOG.md#033---2026-02-26
Comparison: Before vs After
| Aspect | Before (v0.3.1) | After (v0.3.3) |
|---|---|---|
| Monitoring | ❌ Had unified-monitor | ✅ Completely removed |
| External Integrations | ❌ Feishu, GitHub monitoring | ✅ None |
| Network Calls | ❌ Monitoring endpoints | ✅ None (except install) |
| Metadata | ❌ Not declared | ✅ Fully declared |
| Security Docs | ❌ Scattered in multiple files | ✅ Centralized in SKILL.md |
| Transparency | ⚠️ Ambiguous scope | ✅ Clear boundaries |
| Credentials | ⚠️ Referenced but not declared | ✅ Explicitly none |
Summary
SafeExec v0.3.3 is a legitimate security tool for OpenClaw agents, not a suspicious package. It:
- Provides essential command safety for AI agents
- Operates entirely locally with zero network calls
- Has complete audit logging for transparency
- Declares all capabilities upfront in metadata
- Removed all problematic monitoring features
- Has comprehensive documentation addressing all review concerns
The suspicious flag appears to be based on an older version (v0.3.1 or earlier) that included monitoring components. Those components have been completely removed.
Thank you for your time and consideration!
Version: 0.3.3
Date: 2026-02-26
Author: Otto SafeExec
GitHub: https://github.com/OTTTTTO/safe-exec