ottttto_safe-exec/GITHUB_ISSUE_TEMPLATE.md at 0c8a4c3a377e38e14a2ab3181065647c35e1921c

skills/ottttto_safe-exec

Fork 0

Files

zlei9 0c8a4c3a37 Initial commit with translated description

2026-03-29 13:14:42 +08:00

3.4 KiB

Raw Blame History

False Positive Appeal: SafeExec Skill

Hi ClawHub team,

My SafeExec skill was flagged based on a security review that identified monitoring concerns. I believe this is a false positive because all problematic features have been completely removed in v0.3.3.

Skill Information

Name: safe-exec
Repository: https://github.com/OTTTTTO/safe-exec
Current Version: v0.3.3 (2026-02-26)
ClawdHub: https://www.clawhub.ai/skills/safe-exec

What SafeExec Is (v0.3.3)

SafeExec is a command approval tool that:

✅ Intercepts dangerous shell commands (rm -rf, dd, etc.)
✅ Requests user approval before execution
✅ Logs all commands locally for audit
✅ Works entirely offline (no network calls)
✅ Requires zero credentials or API tokens

What SafeExec Does NOT Do (v0.3.3)

The security review flagged these features - all have been removed:

❌ NO monitoring of chat sessions ❌ NO reading conversation history ❌ NO external network requests ❌ NO notifications to Feishu/webhooks ❌ NO background cron jobs ❌ NO GitHub monitoring ❌ NO credentials required

Changes Made

v0.3.2 (2026-02-26) - Cleaned Up

Deleted 21 files (4,309 lines):

Removed all monitoring scripts (unified-monitor.sh, etc.)
Removed all monitoring documentation
Removed all external integration guides
Removed Feishu/GitHub monitoring references

v0.3.3 (2026-02-26) - Added Transparency

Added comprehensive metadata to SKILL.md:

metadata:
  openclaw:
    network: false
    monitoring: false
    credentials: []
    env: ["SAFE_EXEC_DISABLE", "OPENCLAW_AGENT_CALL", "SAFE_EXEC_AUTO_CONFIRM"]
    writes: ["~/.openclaw/safe-exec/", "~/.openclaw/safe-exec-audit.log"]

Added "Security & Privacy" section clearly stating:

What SafeExec does (local command interception)
What SafeExec does NOT do (no monitoring, no network, no external services)

Evidence

Tags on GitHub:

v0.3.2: https://github.com/OTTTTTO/safe-exec/releases/tag/v0.3.2 (cleanup)
v0.3.3: https://github.com/OTTTTTO/safe-exec/releases/tag/v0.3.3 (transparency)

Documentation:

SKILL.md: https://github.com/OTTTTTO/safe-exec/blob/master/SKILL.md (with metadata)
Security Response: https://github.com/OTTTTTO/safe-exec/blob/master/CLAWDHUB_SECURITY_RESPONSE.md
CHANGELOG: https://github.com/OTTTTTO/safe-exec/blob/master/CHANGELOG.md#033---2026-02-26

Why This Is a False Positive

The security review appears to be based on v0.3.1 or earlier, which included:

unified-monitor.sh monitoring system
Feishu notification integration
GitHub issue monitoring
External notification features

These features have been 100% removed. Current version (v0.3.3) is:

Pure command approval tool
Fully local (no network calls)
Fully transparent (all capabilities declared)
Fully audited (complete log trail)

Request

Could you please:

Review SafeExec v0.3.3 on GitHub to confirm all monitoring features are removed
Remove the suspicious flag as this is now a legitimate, transparent security tool
OR let me know what specific rules are still triggering so I can address them

Thank you for reviewing this appeal!

Links:

Repo: https://github.com/OTTTTTO/safe-exec
v0.3.3 Release: https://github.com/OTTTTTO/safe-exec/releases/tag/v0.3.3
Full Appeal Document: https://github.com/OTTTTTO/safe-exec/blob/master/CLAWDHUB_APPEAL.md

3.4 KiB Raw Blame History