Sop Architect

Review

Audited by ClawScan on May 10, 2026.

Overview

The SOP generator is simple and purpose-aligned, but its helper script can write outside the intended SOPs folder if given a crafted task name.

Only use this skill if you trust the local file creation behavior. Avoid task names containing slashes, '..', or path-like text until the script is fixed to keep outputs strictly inside the SOPs folder.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted or accidental task name containing path traversal could create or overwrite markdown files outside the intended SOPs folder.

Why it was flagged

The first argument controls the output path with only spaces replaced; slashes and '..' are not blocked, and '>' truncates or creates the computed file.

Skill content

TASK_NAME=$1
...
FILE="SOPs/${TASK_NAME// /_}.md"
...
echo "# SOP: $TASK_NAME" > "$FILE"

Recommendation

Sanitize the task name into a safe slug, reject '/' and '..', verify the resolved path stays inside SOPs/, and avoid overwriting existing files without confirmation.