suspicious.dangerous_exec
- Location: analyzer.js:37
- Finding: Shell command execution detected (child_process).
Advisory: audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bookmarked tweet or linked URL could potentially cause commands to run on the user's machine with the user's permissions.
URLs are extracted from bookmark text and inserted directly into a shell command. A malicious or specially crafted bookmarked URL can contain shell metacharacters such as command substitution, causing local command execution when the analyzer runs.
```js
const urlRegex = /https?:\/\/[^\s]+/g;
// ...
const cmd = `curl -L -s -A "Mozilla/5.0" --max-time 10 "${url}" | head -c 100000`;
const content = execSync(cmd, ...);
```

Do not run this skill in daemon mode until fixed. Replace shell-string execution with execFile/spawn argument arrays or a safe HTTP library, validate URL schemes/hosts, and avoid piping through the shell.
Anyone or any process that obtains these cookies can access the user's X account as the user, not just read bookmarks.
The skill requires raw X session cookies with full account access, while the registry metadata declares no primary credential or required environment variables. This is broader than bookmark-only access and should be explicitly scoped and declared.
`auth_token` → Copy the Value ... `ct0` → Copy the Value ... **These cookies are like your password** - they give full access to your X account
Use a scoped OAuth/read-only mechanism if available, clearly declare AUTH_TOKEN and CT0 as sensitive credentials, document revocation steps, and consider using a dedicated low-risk X account.
A compromised, replaced, or unexpected global CLI could receive sensitive account cookies or change what the skill does.
The skill instructs users to install global, unpinned CLI packages, and bird is then given the user's X session cookies. These required binaries are not declared in the registry requirements.
```sh
npm install -g bird
# ...
npm install -g pm2
```
Declare required binaries in metadata, pin package names/versions, document provenance, avoid global installs where possible, and avoid passing full session cookies to third-party CLIs.
Private bookmarks, linked page contents, and project details may be sent to an LLM provider depending on the user's OpenClaw configuration.
The LLM prompt includes tweet text, fetched article content, and the user's configured project context before being sent through the OpenClaw model provider path.
```js
const cmd = `openclaw ask --model gpt-4o-mini --format json "$(cat ${tempFile})" ...`;
```

Tell users exactly which model/provider receives the data, allow local/offline analysis, and let users exclude sensitive bookmarks or project context.
Private bookmarks and AI-generated summaries remain on disk and could influence future workflows if that directory is reused as context.
The skill persistently stores full bookmark records and AI analysis in the configured knowledge-base directory, which defaults to a life/resources path.
```js
const record = { bookmark, analysis, processedAt: new Date().toISOString() };
writeFileSync(filepath, JSON.stringify(record, null, 2));
```

Review the storage path, retention, and backups; avoid syncing this directory if bookmarks are sensitive; label stored web-derived content as untrusted.
Once enabled, the skill continues fetching bookmarks and processing links without further manual action.
The skill can be configured as a PM2 background daemon that restarts and runs hourly.
```js
script: './monitor.js',
// ...
autorestart: true,
// ...
cron_restart: '0 * * * *'
```
Only enable daemon mode intentionally, monitor PM2 logs/status, and stop or uninstall the daemon when it is no longer needed.
Users may misunderstand whether the skill is free/open-source, proprietary, or paid, and which payment method or license terms actually apply.
The documentation describes paid, license-gated use while also claiming broad MIT usage rights; other supplied docs also describe proprietary licensing and differing payment options. This can mislead users about costs, rights, and activation.
After payment, activate your license: `node scripts/license.js activate YOUR-LICENSE-KEY` ... `MIT - Use it however you want!`
Align all documentation, package metadata, and marketplace listing on one license, one pricing model, and the exact supported payment methods before distribution.