Daily Fun Content

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the generator executes the local mcporter command; if that local command is untrusted or replaced, it could do more than just search.

Why it was flagged

The generator invokes a local shell command. In this artifact the queries are fixed by the script and the behavior is disclosed, so this is purpose-aligned but still worth reviewing.

Skill content
const { execSync } = await import('child_process');
const command = `mcporter call glm-search.webSearchPrime search_query="${query}"`;
const result = execSync(command, {
Recommendation

Install only if you trust the local Node.js and mcporter/search setup. Prefer a safer argument-passing API such as execFile if the query ever becomes user-controlled.

What this means

The skill's behavior depends partly on whatever external search tool and Node runtime are available on the user's machine.

Why it was flagged

The skill depends on external runtime/search tooling that is not packaged or pinned in the artifact set.

Skill content
- Requires web search capability (the `perplexity` skill or the `glm-web-search` skill can be used)
- Node.js 18+
Recommendation

Verify that Node.js and the search provider/CLI are installed from trusted sources and match what you expect before enabling scheduled runs.

What this means

If enabled, the skill will run on a schedule and may generate/share content without a fresh manual prompt each time.

Why it was flagged

The documentation instructs the user to create a recurring cron task, which is persistent background agent behavior.

Skill content
Generate automatically every morning at 6:00: openclaw cron add --name "Daily Fun Content Generator" --cron "0 6 * * *"
Recommendation

Only add the cron/heartbeat entries if you want recurring behavior, and remove those entries if the periodic content becomes unwanted.

What this means

Low-quality, offensive, or instruction-like text from search results could be saved and later repeated as fun content, though the skill does not tell the agent to obey it.

Why it was flagged

Text retrieved from web search is persisted into a cache and later reused by the skill.

Skill content
const jokesResult = await searchWeb(jokesQuery);
...
items.push({ type: 'joke', content: joke.trim() });
...
fs.writeFileSync(cacheFile, JSON.stringify(cache, null, 2));
Recommendation

Review the cache occasionally or add filtering if you use this in sensitive contexts; treat cached web snippets as untrusted content to quote/share, not instructions.

Findings (1)

critical

suspicious.dangerous_exec

Location
scripts/generate.mjs:49
Finding
Shell command execution detected (child_process).