Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A2A-Code-Audit

v1.0.0

Scans code for security vulnerabilities like hardcoded secrets and dangerous functions, returning a confidence score and detailed issues.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to run Bandit to scan Python code, which explains use of child_process to invoke a native tool. However the SKILL.md directs deployment to Cloudflare Workers (a JS runtime that cannot run Bandit/Python native binaries), while the repo also contains a Node/Express server implementation. This duplication and runtime mismatch is disproportionate and unclear: a Bandit-based scanner normally requires a Python environment, not a Workers deployment. The package.json also lists an npm dependency named "bandit" (likely not the same as the Python Bandit), which is inconsistent with the declared purpose.
Instruction Scope
SKILL.md instructs deploying a Cloudflare Worker and points to a workers.dev endpoint, and the worker.js implements a static-analysis-only fallback. Meanwhile audit.js uses execSync to run system Bandit and writes files to /tmp. The instructions do not reconcile which implementation will be used in which environment. The API and payment header behavior are explicit and limited (no secret exfiltration), but the mismatch between instructions and code increases risk of unexpected behavior.
Install Mechanism
There is no declared install spec for this skill (instruction-only), but the bundle includes package.json and server code. package.json lists dependencies including 'bandit' (an npm package name that likely differs from the Python Bandit tool), 'python-shell', and 'eslint'. Pulling an unexpected npm package named 'bandit' during install could introduce unreviewed code. No external binary downloads are declared, but execSync usage indicates runtime will attempt to use system-installed Bandit if available.
Credentials
The skill does not request environment variables, credentials, or config paths. It only expects callers to include a payment header/query param. That requested access is proportionate to the stated pay-per-scan behavior.
Persistence & Privilege
The skill is not always-enabled, does not request elevated privileges, and doesn't attempt to modify other skills or system-wide settings. It exposes a web API and a worker entrypoint only — ordinary for a service of this type.
What to consider before installing
This package is internally inconsistent rather than clearly malicious, but exercise caution. Key points to consider before installing or deploying:

- Runtime mismatch: The repo contains two implementations (a Node/Express server using child_process to call Bandit and a Cloudflare Worker that implements only static regex checks). Cloudflare Workers cannot run native Python tools like Bandit; if you deploy the worker you will only get the fallback static checks. Ask the author which runtime is intended.
- Suspicious dependency: package.json lists an npm package named "bandit". The well-known Bandit is a Python tool (pip package), not an npm module — installing this npm package could pull unrelated or malicious code. Review that package on the npm registry before running npm install.
- execSync usage: audit.js spawns child processes and writes temp files (/tmp). That is expected for running Bandit, but it means any Node environment running this code will execute shell commands. Run in an isolated environment and audit inputs if you accept this behavior.
- Payment header: The service only checks for an x402-payment header or ?payment=1 flag and does not validate payments. The header is a lightweight gate, not an actual payment verification.
- Build/config issues: netlify.toml has a malformed runtime line and the repo contains overlapping deployment instructions (Netlify, Wrangler). These look like sloppy packaging and increase risk of deployment mistakes.

Recommendations:

- Don't deploy the included code to production or public workers until the author clarifies intended runtime (Node server vs Cloudflare Worker) and the 'bandit' dependency is verified.
- Inspect the npm package named 'bandit' (and any other dependencies) before installing; prefer to run the canonical Python Bandit in a trusted environment if you want true Bandit scans.
- If you need a quick, low-risk scan, consider running the audit.js logic locally in an isolated VM/container after removing or verifying suspicious dependencies, or use a well-known security scanning service instead.
- Ask the publisher for source/origin, a canonical homepage, and clarification on which implementation they intend users to run; lack of a homepage and unknown source lowers trust.

If you provide the npm registry details for the 'bandit' dependency or ask the author for clarification about intended deployment, I can reassess and raise or lower the concern level.
audit.js:16
Shell command execution detected (child_process).
audit.js:64
Dynamic code execution detected.
worker.js:100
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


a2a, code-audit, latest, paid, security
