openexec-skill_skill

This skill enables deterministic, offline-verified execution of approved actions with replay protection and verifiable receipts for secure automation.
  • Python

2.5k

GitHub Stars

7

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill openexec-skill

  • _meta.json513 B
  • main.py2.1 KB
  • README.md12.8 KB
  • replit.md2.8 KB
  • requirements.txt90 B
  • SECURITY.md5.8 KB
  • SKILL.md5.9 KB

Overview

This skill provides a source-distributed deterministic execution service with pinned dependencies and strict approval requirements. It runs only actions backed by a signed approval artifact when in ClawShield mode and emits verifiable receipt hashes for every attempt. The runtime performs no outbound HTTP or governance calls and never installs runtime packages or downloads code dynamically.

How this skill works

OpenExec accepts structured execution requests and enforces deterministic handlers from a static registry. It verifies replay protection (nonce uniqueness), generates a verifiable receipt for each attempt, and — when configured for ClawShield mode — validates an Ed25519-signed approval artifact offline before allowing execution. All verification and execution occur without outbound network calls unless the operator explicitly configures an external database URL.

When to use it

  • When you need deterministic, auditable execution of pre-approved actions
  • When execution must require an explicit signed approval artifact in production
  • When outbound network isolation is required during execution
  • When you need verifiable receipts for compliance or auditing
  • When you want a lightweight service that avoids runtime package installation

Best practices

  • Run behind containerization, VM isolation, or hardened hosts for OS-level protection
  • Use ClawShield mode with a securely stored Ed25519 public key for production approvals
  • Pin and review the static handler registry before deployment; avoid dynamic handler registration
  • Configure OPENEXEC_ALLOWED_ACTIONS to restrict permitted operations in sensitive environments
  • Persist execution records in a controlled database and restrict DB network access

Example use cases

  • Execute pre-approved infrastructure tasks where each execution must produce an auditable receipt
  • Run deterministic maintenance or migration actions that must not fetch or run new code at runtime
  • Enforce governance workflows that require an external signing authority to approve executions
  • Provide replay-protected demo or staging operations with deterministic outcomes for testing
  • Archive and verify historical executions using emitted receipt hashes for forensic review

FAQ

No. Signature verification and execution are performed offline with no outbound HTTP, RPC, or governance calls by default.

Can OpenExec run actions that are not pre-approved?

No. In ClawShield mode a signed approval artifact is required. Even in demo mode, execution is deterministic and replay-protected; operators should only register intended handlers.

Does OpenExec install packages or load code at runtime?

No. The service does not install packages or dynamically download execution logic. It uses a static handler registry and pinned dependencies.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
openexec-skill skill by openclaw/skills | VeilStrat