Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
This appears to be a coherent paid code-audit service, but users should be aware that submitted code goes to an external endpoint and each scan may authorize a small payment.
Before using this skill, confirm you trust the remote service with the specific code you plan to submit, redact real secrets, and set a budget or approval requirement for paid scans. If you self-host it, pin dependencies, verify the Bandit scanner source, and fix temporary-file cleanup on error paths.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Repeated scans could spend money, even though the per-scan price is small and disclosed.
The skill is explicitly paid and tells agents how to mark requests as payment-authorized.
**Price:** $0.25 USD per scan ... Include header: `x402-payment: 1` or query: `?payment=1`
Use the skill with explicit budget limits or per-use approval for paid scans.
Sensitive source code or secrets included in the submitted snippet leave the local environment.
The intended workflow sends submitted source code to a remote provider endpoint; code audits may include proprietary code or hardcoded secrets.
**Endpoint:** POST https://a2a-code-audit.cvapi.workers.dev/audit ... `{ "code": "import os\nos.system('ls')", "language": "python" }`
Only submit code you are comfortable sharing with the service operator, redact real secrets first, and check any available privacy or retention terms.
In self-hosted Node deployments, submitted code could be retained longer than users expect.
The Node/Bandit path stores submitted code in /tmp and cleanup is not in a finally block, so files may remain if Bandit errors or exits unexpectedly.
`fs.writeFileSync(tmpFile, code); ... const result = execSync(`bandit -f json ${tmpFile}`, ...); ... fs.unlinkSync(tmpFile); ... } catch (e) { return { issues: [], skipped: 'bandit_unavailable' }; }`
Use try/finally cleanup, delete temporary files on all error paths, and document retention behavior.
A self-hosted deployment will execute the local Bandit binary, so an untrusted PATH or compromised scanner install could affect the service.
The self-hosted scanner shells out to a Bandit binary found on PATH, which is expected for local static analysis but relies on the deployment environment.
`const check = execSync('which bandit', { encoding: 'utf8' }); ... execSync(`bandit -f json ${tmpFile}`, { encoding: 'utf8', timeout: 30000 })`
Pin and verify the Bandit installation, consider execFile/spawn with fixed arguments, and run the scanner in a restricted environment.
Self-hosters inherit normal package-supply-chain risk and may not get the exact same dependencies over time.
Deployments that run npm install will fetch version-range dependencies, and the scanner also depends on an external Bandit binary/provenance not pinned in the artifacts.
`"dependencies": { "express": "^4.18.2", "bandit": "^1.7.6", "eslint": "^8.57.0", "python-shell": "^5.0.0" }`
Use a lockfile, pin dependency versions, and document the trusted source for the Bandit scanner.