xihe-jianmu-ipc

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration

Findings (12)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Another local or reachable network process could inject messages into connected AI sessions, and those messages may be treated as work requests.

Why it was flagged

If IPC_AUTH_TOKEN is not set, the hub accepts unauthenticated message-routing requests from any client that can reach the API.

Skill content

function checkAuth(providedToken) {
  if (!AUTH_TOKEN) return true; // Auth disabled
  return providedToken === AUTH_TOKEN;
}
...
// HTTP API for sending messages — any tool (Codex, curl, scripts) can use this

Recommendation

Require IPC_AUTH_TOKEN by default, avoid exposing the hub beyond localhost unless needed, and document how users should firewall or bind the service.

What this means

A message from another session or HTTP client could redirect the agent's goals or cause it to perform actions the user did not intend.

Why it was flagged

The instructions make incoming IPC content operationally authoritative without requiring sender verification or user confirmation.

Skill content

1. When you receive an incoming IPC message, read it carefully and act on the request.
2. After completing a task received via IPC, report back using `ipc_send` to the sender.

Recommendation

Treat IPC messages as untrusted input, verify the sender, and require explicit user approval before acting on requests that modify files, accounts, settings, or public outputs.

What this means

The agent may launch additional AI processes that continue work outside the immediate conversation, increasing cost and risk of unintended actions.

Why it was flagged

The MCP server exposes a tool that can create additional AI sessions, including background sessions, with a user-supplied task.

Skill content

name: 'ipc_spawn',
description: 'Spawn a new Claude Code session. Background mode runs a one-shot task and reports back via IPC. Interactive mode opens a new terminal window.'

Recommendation

Make ipc_spawn opt-in, require user confirmation for every spawn, clearly disclose it in SKILL.md, and provide controls to list and stop spawned sessions.

What this means

Running this script can remove an upstream safety warning and alter another installed tool in a way users may not expect.

Why it was flagged

This script modifies Claude Code's installed CLI to bypass a warning dialog for development channels.

Skill content

Patches Claude Code's cli.js to skip the dev channels warning dialog.
...
const replacement = 'if(true)gd';
...
writeFileSync(cliPath, content.replace(target, replacement));

Recommendation

Do not run this patch unless you fully understand the impact. The skill should avoid modifying third-party CLIs or should require explicit, documented user approval with an undo path.

What this means

Anyone with access to process logs or terminal output could recover the IPC shared secret and impersonate a session.

Why it was flagged

The shared authentication token is placed in the WebSocket URL and then logged to stderr.

Skill content

if (authToken) url += `&token=${encodeURIComponent(authToken)}`;
...
process.stderr.write(`[ipc-channel] connecting to hub at ${url}\n`);

Recommendation

Send tokens in headers where possible and redact credentials from logs, especially connection URLs.

What this means

If configured with a third-party endpoint, IPC message contents will be sent there.

Why it was flagged

Incoming IPC messages can be forwarded to a user-configured HTTP endpoint, which is purpose-aligned for channel notifications but expands where message content goes.

Skill content

IPC_CHANNEL_URL  — HTTP endpoint to POST messages to (optional)
...
body: JSON.stringify(body)

Recommendation

Only set IPC_CHANNEL_URL to endpoints you trust, and avoid sending secrets or sensitive project data through IPC messages.

Findings (12)

critical

suspicious.dangerous_exec

Location
bin/patch-channels.mjs:13
Finding
Shell command execution detected (child_process).

critical

suspicious.dangerous_exec

Location
mcp-server.mjs:288
Finding
Shell command execution detected (child_process).

critical

suspicious.dangerous_exec

Location
skills/xihe-jianmu-ipc/bin/patch-channels.mjs:13
Finding
Shell command execution detected (child_process).

critical

suspicious.dangerous_exec

Location
skills/xihe-jianmu-ipc/mcp-server.mjs:288
Finding
Shell command execution detected (child_process).

critical

suspicious.env_credential_access

Location
bin/jianmu.mjs:22
Finding
Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location
channel-server.mjs:24
Finding
Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location
hub.mjs:24
Finding
Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location
skills/xihe-jianmu-ipc/bin/jianmu.mjs:22
Finding
Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location
skills/xihe-jianmu-ipc/channel-server.mjs:24
Finding
Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location
skills/xihe-jianmu-ipc/hub.mjs:24
Finding
Environment variable access combined with network send.

warn

suspicious.potential_exfiltration

Location
channel-server.mjs:42
Finding
Sensitive-looking file read is paired with a network send.

warn

suspicious.potential_exfiltration

Location
skills/xihe-jianmu-ipc/channel-server.mjs:42
Finding
Sensitive-looking file read is paired with a network send.