Benchmark Tool
Result: Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: benchmark-tool
Version: 3.0.0

The benchmark tool contains shell injection vulnerabilities in `scripts/script.sh` due to unquoted variables in the `disk` and `compare` commands (e.g., `diff $2 $3` and `dd ... of=${2:-/tmp}/bench_test`). While the script's logic aligns with its stated purpose of performance measurement, these flaws allow arbitrary command execution if the OpenClaw agent provides unsanitized input. There is no clear evidence of intentional malice, though the large block of empty comments in the script is unusual.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the disk test could overwrite or delete an existing file named bench_test in the chosen directory, and the network test will contact the selected host.
The benchmark operations write and remove a local test file and make an outbound curl request. This is expected for disk and network benchmarking, but it is real system interaction and should be directed carefully.
```sh
dd if=/dev/zero of=${2:-/tmp}/bench_test bs=1M count=100 oflag=direct 2>&1 | tail -1; rm -f ${2:-/tmp}/bench_test
...
curl -so /dev/null -w 'DNS: %{time_namelookup}s Connect: %{time_connect}s Total: %{time_total}s\n' ${2:-https://google.com}
```

Run disk tests only in a scratch directory and run network tests only against hosts you intend to contact.
