🧪

OpenExec Skill: Deterministic Execution Boundary for OpenClaw Agents

An OpenClaw Runner-review candidate for separating agent proposals from approved execution, with replay protection, receipts, and offline signature checks.

Original
Jun 4, 2026
Status & Access
Current access and latest update details.
Access
Free
Updated
Jul 19, 2026, 05:08 PM

LinkLoot AI review

Tool has value, start small

AI take: 57/100
Quick look at value, setup, permissions, and everyday caveats.

My take: OpenExec Skill: Deterministic Execution Boundary for OpenClaw Agents is an agent skill, not a normal reading tip. Start it isolated and without real tokens, cookies, or production data; it only becomes valuable if it fits your own agent workflow.

Direct value

Can save time as a small tool if it fits your workflow and you start with test data.

Check first

Do not start with real tokens, private repos, or production data.

What you get
  • The practical value shows up in your own mini test: install it, start it, and compare it with a harmless example.
What to watch
  • Before relying on it, check install, startup, and permissions against your setup.

Automated AI review. Decision aid, not a safety guarantee. · 2026-06-08 17:45:56 UTC

What it does

OpenExec is an OpenClaw skill that packages a small Python service for governed execution. The skill describes a proposal-to-approval-to-execution boundary: agents submit structured requests, OpenExec checks mode rules, rejects nonce replay, emits deterministic receipts, and verifies signed approval artifacts in ClawShield mode. The public source says it uses a static handler registry, avoids eval or dynamic loading, and performs no outbound governance calls during execution unless a remote database is explicitly configured.

Who should use it

Use this as a candidate for teams building agents that can touch email, infrastructure, payments, internal tools, or other irreversible actions. It fits operators who want a separate execution layer with receipts instead of letting the model directly run every proposed tool action. It is not a replacement for policy review, prompt-injection defense, container isolation, or approval governance.

Setup surface

The Awesome OpenClaw Skills DevOps category lists openexec-skill as a source-distributed deterministic execution service with pinned dependencies. ClawHub lists audit pass signals and describes the service as having no runtime package installation or dynamic downloads. The source tree exposes SKILL.md, SECURITY.md, README.md, main.py, requirements, tests, scripts, and configuration folders. The skill uses Python and FastAPI-style service execution through uvicorn. Pricing evidence: SKILL.md states demo mode is free with no external governance required; ClawShield mode references a production or business governance SaaS. Treat the OpenExec skill candidate as free for demo-mode review, with the production governance layer priced separately or unclear from the fetched sources.

Runner test plan

  • Static scan: inspect SKILL.md, README.md, SECURITY.md, main.py, requirements, tests, scripts, config, and handler registry files.
  • Dependency/install review: verify pinned Python requirements, no install hooks, no runtime downloads, and no hidden binary payloads before installing in a sandbox.
  • Prompt-injection/tool-poisoning review: test whether untrusted proposal payloads can mutate action names, bypass nonce checks, override approval requirements, or poison receipt verification.
  • Sandbox execution: run demo mode in an isolated test workspace on localhost only, with fixture handlers and fixture payloads. Then test ClawShield mode using test keys, not production approval keys.
  • Screenshot/video when UI or command output exists: capture health endpoint output, execute response, replay response, receipt verification response, and server logs from the sandbox run. No browser UI is expected.
  • Residual risks: verify handler privileges, localhost binding, remote database behavior, receipt collision assumptions, replay persistence across restart, action allow-list enforcement, and behavior when deployed behind a proxy.

Risk notes

This is not a tested recommendation yet. OpenExec is an execution boundary, not an OS sandbox. Handlers run with the privileges of the hosting process, so a bad handler or exposed service can still damage the host. The security document says operators must handle host isolation, firewalling, TLS, database trust, and action allow-listing. The fetched GitHub HTML confirms main.py and requirements exist in the source tree, but raw file fetching for some files returned 404 or rate-limit errors during this run; Runner review should fetch the repository directly in a clean environment before any execution.

Source links

Discussion

Sign in to join the discussion and vote on comments.

No comments yet. Start the discussion.
Keep exploring

More from this topic

More in OpenClaw