suspicious.dangerous_exec
- Location
- scripts/run_full_report.mjs:116
- Finding
- Shell command execution detected (child_process).
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill will contact the iYiou API to retrieve financing-event data; increasing page limits could make more external requests.
The tool performs outbound requests to a fixed external API and has bounded pagination controls. This is disclosed and purpose-aligned, but users should be aware that invoking the skill contacts an external service and can make multiple page requests.
const API_URL = "https://api.iyiou.com/skill/info"; ... options.maxPage = clamp(options.maxPage, 1, 500);
Use it only for the intended financing-report task and keep the documented default max-page value unless the user explicitly requests more.
Installing and using the skill means allowing its bundled JavaScript files to run locally.
The wrapper script launches two bundled Node scripts to pipe fetch output into report generation. It uses process.execPath and fixed script paths rather than a shell command string, so this appears expected for the skill's one-command workflow.
const fetchProc = spawn(process.execPath, fetchArgs, { stdio: ["ignore", "pipe", "pipe"] });
Review the bundled scripts and invoke the documented command path; avoid modifying arguments to point at unrelated scripts or inputs.
Users have less publisher/source context to rely on and should ensure their environment can run the documented Node scripts.
The registry metadata provides limited provenance and does not declare a Node runtime requirement, even though SKILL.md documents Node-based commands. This is a metadata completeness/provenance note, not evidence of malicious behavior.
Source: unknown Homepage: none ... Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Verify the publisher/source if provenance matters, and confirm Node.js is available before relying on the skill.