suspicious.dangerous_exec
- Location: scripts/security_scan.py:64
- Finding: Shell command execution detected (child_process).
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at a broad or sensitive directory, the agent may inspect private source/config files and include file paths, secret types, and vulnerability summaries in its output.
The scanner recursively reads files under the user-supplied project path, limited to code and config extensions, to detect secrets and vulnerable patterns.
for root, dirs, files in os.walk(project_path): ... ext not in CODE_EXTENSIONS and ext not in CONFIG_EXTENSIONS
Run it only on intended project directories and review outputs before sharing them.
Running the full scan may execute the local npm CLI in the selected project and may depend on the user’s npm configuration and network behavior.
The script runs a fixed npm audit command when a package.json is present. This is aligned with dependency vulnerability scanning and is not hidden, but it is still local command execution.
subprocess.run(["npm", "audit", "--json"], cwd=project_path, capture_output=True, text=True, timeout=60)
Use the script in projects you intend to audit, and be aware that npm audit may contact npm services with dependency metadata.
Users have less provenance information to verify the script’s origin, and environments without npm may silently skip npm audit checks.
The skill has no public source/homepage metadata, and the metadata does not declare npm even though the script can optionally use npm audit.
Source: unknown; Homepage: none; Required binaries: none
Review the included script before use and treat npm audit as an optional dependency for JavaScript projects.