ClawHub

File Upload to Local Workspace

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.generated_source_template_injection

Findings (3)

critical

suspicious.dangerous_exec

Location
src/upload-server.js:200
Finding
Shell command execution detected (child_process).
critical

suspicious.generated_source_template_injection

Location
docs/AUTH-COMPATIBILITY.md:143
Finding
User-controlled placeholder is embedded directly into generated source code.
critical

suspicious.generated_source_template_injection

Location
SECURITY-AUDIT.md:94
Finding
User-controlled placeholder is embedded directly into generated source code.