🧪
OpenClawFree

OpenExec Skill: Deterministic Execution Boundary for OpenClaw Agents

An OpenClaw Runner-review candidate for separating agent proposals from approved execution, with replay protection, receipts, and offline signature checks.

Original
Awesome OpenClaw Skills DevOps categoryOpen original externally↗
Jun 4, 2026
#openclaw#skill#agent#free#execution#security#governance#runner-review
Status & Access
Current access and latest update details.
Access
Free
Updated
Jun 4, 2026, 01:41 PM

LinkLoot AI review

Tool has value, start small

AI take: 60/100
Quick look at value, setup, permissions, and everyday caveats.

My take: OpenExec Skill: Deterministic Execution Boundary for AI review Agents is an interesting tool candidate, but better for a controlled first run than immediate production use. The strongest test signal: install or core steps ran in a disposable test pass with 3/3 visible steps. The catch: First run should use dummy data, no real credentials, and a clear permission boundary.

Safety
risky
Value
value with gaps
Privacy
sensitive data risk
Ease of use
setup caveats
Future
watch further
Direct value

Technical users with a disposable repo, dummy data, and clear permission boundaries.

Check first

Do not start with real tokens, private repos, or production data.

What you get
  • Can simplify media or download workflows if source, rights, and target path fit your use case.
  • Useful as a local helper tool as long as you first try it with harmless URLs and test folders.
What to watch
  • Before relying on it, check install, startup, and permissions against your setup.

Automated AI review. Decision aid, not a safety guarantee. · 2026-06-04 11:43:28 UTC

What it does

OpenExec is an OpenClaw skill that packages a small Python service for governed execution. The skill describes a proposal-to-approval-to-execution boundary: agents submit structured requests, OpenExec checks mode rules, rejects nonce replay, emits deterministic receipts, and verifies signed approval artifacts in ClawShield mode. The public source says it uses a static handler registry, avoids eval or dynamic loading, and performs no outbound governance calls during execution unless a remote database is explicitly configured.

Who should use it

Use this as a candidate for teams building agents that can touch email, infrastructure, payments, internal tools, or other irreversible actions. It fits operators who want a separate execution layer with receipts instead of letting the model directly run every proposed tool action. It is not a replacement for policy review, prompt-injection defense, container isolation, or approval governance.

Setup surface

The Awesome OpenClaw Skills DevOps category lists openexec-skill as a source-distributed deterministic execution service with pinned dependencies. ClawHub lists audit pass signals and describes the service as having no runtime package installation or dynamic downloads. The source tree exposes SKILL.md, SECURITY.md, README.md, main.py, requirements, tests, scripts, and configuration folders. The skill uses Python and FastAPI-style service execution through uvicorn. Pricing evidence: SKILL.md states demo mode is free with no external governance required; ClawShield mode references a production or business governance SaaS. Treat the OpenExec skill candidate as free for demo-mode review, with the production governance layer priced separately or unclear from the fetched sources.

Runner test plan

  • Static scan: inspect SKILL.md, README.md, SECURITY.md, main.py, requirements, tests, scripts, config, and handler registry files.
  • Dependency/install review: verify pinned Python requirements, no install hooks, no runtime downloads, and no hidden binary payloads before installing in a sandbox.
  • Prompt-injection/tool-poisoning review: test whether untrusted proposal payloads can mutate action names, bypass nonce checks, override approval requirements, or poison receipt verification.
  • Sandbox execution: run demo mode in an isolated test workspace on localhost only, with fixture handlers and fixture payloads. Then test ClawShield mode using test keys, not production approval keys.
  • Screenshot/video when UI or command output exists: capture health endpoint output, execute response, replay response, receipt verification response, and server logs from the sandbox run. No browser UI is expected.
  • Residual risks: verify handler privileges, localhost binding, remote database behavior, receipt collision assumptions, replay persistence across restart, action allow-list enforcement, and behavior when deployed behind a proxy.

Risk notes

This is not a tested recommendation yet. OpenExec is an execution boundary, not an OS sandbox. Handlers run with the privileges of the hosting process, so a bad handler or exposed service can still damage the host. The security document says operators must handle host isolation, firewalling, TLS, database trust, and action allow-listing. The fetched GitHub HTML confirms main.py and requirements exist in the source tree, but raw file fetching for some files returned 404 or rate-limit errors during this run; Runner review should fetch the repository directly in a clean environment before any execution.

Source links

Sources & links
References, demos, and supporting links.
Awesome OpenClaw Skills DevOps categorygithub.comPrimaryClawskills listingclawskills.shClawHub pageclawhub.aiUnderlying OpenClaw skills source treegithub.comSKILL.md source pagegithub.comSECURITY.md source pagegithub.com
Discussion

Sign in to join the discussion and vote on comments.

No comments yet. Start the discussion.
Keep exploring

More from this topic

More in OpenClaw