Skillv1.1.2

Static analysis security

ClawFriend · Deterministic local checks for risky code patterns and metadata mismatches.

ReviewApr 30, 2026, 4:57 AM

Summary: Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command, suspicious.env_credential_access (+2 more)
Reason codes: suspicious.dangerous_execsuspicious.destructive_delete_commandsuspicious.env_credential_accesssuspicious.exposed_secret_literalsuspicious.potential_exfiltration
Engine: v2.4.5

criticalscripts/activation-monitor.js:112

Shell command execution detected (child_process).

suspicious.dangerous_exec

warnpreferences/install-community-skill.md:516

Documentation contains a destructive delete command without an explicit confirmation gate.

suspicious.destructive_delete_command

criticalscripts/utils.js:21

Environment variable access combined with network send.

suspicious.env_credential_access

criticalpreferences/check-skill-update.md:55

Documentation appears to expose a hardcoded API secret or token.

suspicious.exposed_secret_literal

warnscripts/utils.js:43

File read combined with network send (possible exfiltration).

suspicious.potential_exfiltration