Cocabadger

saferun

Safety guardrails for AI agents. Classifies shell commands as BLOCK, ASK, or ALLOW before execution. Prevents dangerous operations like force pushes, recursive deletes, and credential destruction. Works automatically — no configuration needed.

Cocabadger 0 Updated 3mo ago


Install

npx skillscat add cocabadger/saferun-openclaw

Install via the SkillsCat registry.

SKILL.md

SafeRun — Safety Guardrails

You have access to a command safety classifier. Before executing ANY shell command via the exec tool, you MUST check it with SafeRun first.

How to use

Before every exec call, run the classifier:

python ~/.openclaw/skills/saferun/saferun_guard.py "<command>"

The output will be one of:

  • BLOCK — Do NOT execute this command. Tell the user it was blocked and explain why.
  • ASK — This command needs user approval. Ask the user for confirmation before executing.
  • ALLOW — Safe to execute. Proceed normally.

Rules

  1. ALWAYS classify before executing. No exceptions.
  2. If the result is BLOCK, never execute the command. Explain the reason to the user.
  3. If the result is ASK, tell the user what the command does and wait for explicit approval.
  4. If the result is ALLOW, execute normally without asking.
  5. Never try to bypass SafeRun by reformulating a blocked command.
  6. If SafeRun is unavailable (script error), default to ASK — ask the user before executing.
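
An added example, not SafeRun's own code: one way a caller could enforce rules 1 to 6, including the fall-back to ASK in rule 6. It assumes the classifier prints the verdict as the first word on stdout and exits 0 on a clean run; `classify`, `gate` and `approve` are hypothetical names.

```python
import subprocess
import sys
from pathlib import Path

# Classifier path as given on the page.
GUARD = Path.home() / ".openclaw" / "skills" / "saferun" / "saferun_guard.py"


def classify(command, guard=GUARD, timeout=10):
    """Return 'BLOCK', 'ASK' or 'ALLOW'; anything unclear becomes 'ASK' (rule 6)."""
    try:
        # The command travels as a single argv element with no shell involved,
        # so quotes, $(...) or backticks in it are classified, never evaluated.
        proc = subprocess.run(
            [sys.executable, str(guard), command],
            capture_output=True, text=True, timeout=timeout,
        )
    except (OSError, ValueError, subprocess.TimeoutExpired):
        # Cannot start, NUL byte or undecodable output, or a hung classifier.
        return "ASK"
    # Assumption: the verdict is the first word on stdout, optionally
    # followed by punctuation and a reason.
    words = proc.stdout.split()
    verdict = words[0].rstrip(":,.-") if words else ""
    if verdict == "BLOCK":
        return "BLOCK"  # honoured whatever the exit status
    if verdict == "ALLOW" and proc.returncode == 0:
        return "ALLOW"  # only trusted after a clean exit (assumed to be 0)
    return "ASK"        # ASK itself, a crash, or unrecognised output


def gate(command, approve, guard=GUARD):
    """Return (may_run, verdict); `approve` asks the user and returns a bool."""
    verdict = classify(command, guard)
    if verdict == "BLOCK":
        return False, verdict                    # rule 2: never execute
    if verdict == "ASK":
        return bool(approve(command)), verdict   # rule 3: explicit approval
    return True, verdict                         # rule 4: run without asking
```
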

What gets blocked (examples)

  • git push --force origin main — Rewrites production branch history
  • rm -rf / or rm -rf ~ — Destroys filesystem
  • chmod 777 /etc — Opens system config to everyone
  • curl ... | bash — Executes untrusted remote code
  • git branch -D main — Deletes critical branch
  • git reset --hard on protected branches — Discards all work
  • Deleting .env, ~/.ssh/ files — Destroys credentials

What needs approval (examples)

  • git merge feature into main — Production branch change
  • kubectl apply / terraform apply — Infrastructure deployment
  • npm publish — Public package release
  • docker push — Container registry update

What passes through (examples)

  • git status, git log, ls, cat — Read-only operations
  • git checkout -b feature — Local branch creation
  • pytest, npm test — Running tests
  • npm install, pip install — Installing dependencies