Flow

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dynamic_code_execution

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted request or registry entry could create a workflow file that does more than the user intended when executed later.

Why it was flagged

Skill names, paths, and parsed step text are interpolated directly into a Python file. If those values contain quotes or Python syntax, the generated flow can be syntactically altered and may execute injected code when run.

Skill content
f'        self.components["{skill.name}"] = self._load_skill("{skill.path}")'
...
f'        results["step_{i}"] = self._execute_step("{step}", kwargs)'
...
with open(output_path, 'w') as f:
Recommendation

Generate code using safe templating, repr()/json serialization for all inserted strings, strict name/path validation, and require user review before running generated flows.

What this means

A workflow may include components the scanner already rated high-risk, without an explicit stop or approval step.

Why it was flagged

In the default configuration, HIGH-risk scanned skills are warned about but still added to the composed workflow unless the user has explicitly enabled strict mode.

Skill content
'security_level': 'standard'
...
elif scan_result.risk_level == 'HIGH':
...
else: warnings.append(f"{skill.name} has elevated risk")
...
scanned_skills.append(skill)
Recommendation

Block HIGH-risk components by default, require explicit confirmation to continue, and show the exact scanner findings before composition.

What this means

Users may assume the whole skill package was checked even though important non-Python behavior may not be scanned.

Why it was flagged

The scanner used before composition only examines Python files, so other skill artifacts such as instructions, install files, or non-Python helpers can bypass this security gate.

Skill content
# Only scan Python files, skip docs/markdown
if path.endswith('.py'):
    files_to_scan = [path]
...
if file.endswith('.py'):
Recommendation

Scan complete skill packages, including SKILL.md, install specs, dependency files, and helper scripts, or clearly label the scanner as Python-only.

What this means

A bad or unintended generated flow can remain available and influence later workflow composition.

Why it was flagged

Newly generated flows are saved into the registry for future reuse by default, creating persistent workflow state.

Skill content
'auto_update_registry': True
...
if self.config['auto_update_registry']:
    self.registry.register(flow_skill)
Recommendation

Review generated flows before reuse, disable auto_update_registry when experimenting, and periodically clean the registry.

What this means

Future dependency changes could alter behavior or introduce dependency risk.

Why it was flagged

Dependencies are specified with lower bounds rather than pinned versions, so installs can resolve to newer package versions than the author tested.

Skill content
streamlit>=1.28.0
pandas>=2.0.0
nltk>=3.8.0
spacy>=3.6.0
bandit>=1.7.5
safety>=2.3.0
Recommendation

Install in an isolated environment and prefer pinned, hash-verified dependency versions for production use.

Findings (1)

critical

suspicious.dynamic_code_execution

Location
skill_scanner_integration.py:50
Finding
Dynamic code execution detected.