Safe Exec

The skill's stated purpose (intercept dangerous shell commands and provide an approval workflow) matches the included bash scripts and audit-log behavior. However the documentation asserts "automatically monitors all shell command executions" and "runs transparently in the background" while also declaring "No background monitoring processes" — the package appears to be a wrapper that requires routing commands through it (e.g., via agent configuration or symlinks), not a system-wide interceptor. There is also a small metadata mismatch: SKILL.md declares a dependency on jq and a git install step, but the top-level registry metadata lists none; this inconsistency should be clarified.

SKILL.md and READMEs repeatedly claim full session/command monitoring and in-session prompts but the shipped code is a set of wrapper/utility scripts (safe-exec.sh, approve/list/reject, AI wrapper). There is no visible code that would transparently hook every shell invocation system-wide; instead the agent or user must route commands through safe-exec. That difference (wrapper vs global monitor) is material and under-documented. Additionally, agent-mode behavior (non-interactive auto-bypass) is documented but grants automated flows the ability to execute commands with less human friction — this is within the skill's purpose but expands what will run automatically.

No high-risk installers (archive downloads or shorteners) are used; SKILL.md recommends cloning from GitHub (https://github.com/OTTTTTO/safe-exec.git). The package included in the registry contains the scripts and docs. The install flow is git-based and transparent, which is reasonable, but the registry listing lacks the same install metadata so the install guidance in SKILL.md should be treated as authoritative only after verifying the repository source.

The skill declares only local control env vars (SAFE_EXEC_DISABLE, OPENCLAW_AGENT_CALL, SAFE_EXEC_AUTO_CONFIRM) and writes to ~/.openclaw/safe-exec/ and an audit log — no external credentials or network access. That is proportional. However SAFE_EXEC_AUTO_CONFIRM and OPENCLAW_AGENT_CALL are explicit switches that allow non-interactive approvals; if set or used by an agent, LOW/MEDIUM commands (and in some flows approvals) may be auto-executed without human confirmation. If you enable these env vars or allow agents to set them, the blast radius increases.

The skill is not 'always:true' and doesn't request elevated platform privileges, and it persists data under the user home (~/.openclaw). However there is ambiguous language about running 'in the background' vs 'no background processes'. The included files show a pending queue and logs (persistent files), but no cron/daemon scripts in the provided files. Before trusting it, verify the main entrypoint safe-exec.sh for any modifications to shell startup files (e.g., .bashrc) or installation steps that alter PATH or create persistent hooks.