critical
suspicious.dangerous_exec
- Location
- src/cli.js:212
- Finding
- Shell command execution detected (child_process).
Dual-Brain
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
A secondary model's text may influence the agent's answer even though that text may be incomplete, stale, or prompt-injected by the original user message.
Why it was flagged
The skill intentionally changes the agent's response workflow by adding generated secondary-model text into the agent's context.
Skill content
Before responding to any user message, check for a dual-brain perspective... Synthesize both viewpoints (yours + the secondary LLM's)
Recommendation
Treat the perspective file as advisory only; do not let it override the user's request, safety rules, or tool-use approvals.
What this means
Private or unrelated agent-session messages may be read and processed by the daemon without a per-conversation selection step.
Why it was flagged
The daemon scans broad local agent session directories, including an additional .moltbot path, and the default empty ownerIds setting allows processing broad/main sessions rather than only explicitly selected conversations.
Skill content
path.join(os.homedir(), '.openclaw'), path.join(os.homedir(), '.moltbot') ... const isOwner = cfg.ownerIds.length === 0 || ... || file.name.includes('main');Recommendation
Restrict the watched paths and ownerIds before use, and avoid running the daemon on machines or profiles containing sensitive sessions.
What this means
If a remote provider such as Groq, OpenAI, or Moonshot is selected, user prompts and potentially sensitive session content can leave the local machine.
Why it was flagged
For a remote provider, the code sends user-message content to an external LLM API using the configured provider credential.
Skill content
{ role: 'user', content: `Human to ${agentId}: "${userMessage.slice(0, 1000)}"` } ... 'Authorization': `Bearer ${this.apiKey}`Recommendation
Use the local Ollama provider for sensitive work, or require explicit user consent and clear data-retention expectations before forwarding messages to remote LLMs.
What this means
Agents may reuse stale or poisoned secondary-model content, and optional semantic memory storage can make that content persist across future tasks.
Why it was flagged
Generated secondary-LLM output is written into a reusable perspective file and can also be posted to Engram memory, but the perspective file write shown here does not include timestamp/source metadata.
Skill content
fs.writeFileSync(file, `\n${perspective}\n`); ... content: `[Dual-Brain for ${agentId}] ${perspective}` ... path: '/api/memories'Recommendation
Add timestamp, provider, source-message ID, and freshness checks to stored perspectives; disable Engram unless long-term storage is clearly wanted.
What this means
Once installed as a service, the watcher may continue running and processing new sessions until explicitly stopped or uninstalled.
Why it was flagged
The service installer is designed to keep the daemon running automatically after login/boot.
Skill content
<key>RunAtLoad</key><true/> ... <key>KeepAlive</key><true/> ... Restart=always
Recommendation
Install the daemon service only if you want continuous monitoring; verify how to stop, disable, and remove it before enabling auto-start.
What this means
Other local users or processes may be able to read provider API keys if filesystem permissions are not tightened.
Why it was flagged
Provider credentials are expected for remote LLM integrations, but the artifacts explicitly state they are stored unencrypted with overly broad file permissions.
Skill content
API Keys in Plaintext - Stored in `~/.dual-brain/config.json` - Not encrypted ... File permissions: 0644 (should be 0600)
Recommendation
Store keys in an OS keychain or set the config file to mode 0600, and rotate any key exposed on a shared system.
What this means
The installer can modify local service configuration and run system service commands when the user invokes install-daemon.
Why it was flagged
The CLI runs local shell commands during the user-invoked service installation path.
Skill content
const nodePath = execSync('which node').toString().trim(); ... execSync(`launchctl load ${plistPath}`);Recommendation
Inspect service files before loading them, keep install-daemon user-initiated, and quote or sanitize paths in future revisions.
What this means
Users have less provenance information for verifying that the installed package matches the reviewed artifacts.
Why it was flagged
The registry metadata does not provide a verified source/homepage or install spec, while the documentation instructs users to install a global npm package.
Skill content
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Recommendation
Verify the npm package publisher and source repository before installing globally, and prefer a pinned, auditable release.