suspicious.dangerous_exec
- Location
- index.js:256
- Finding
- Shell command execution detected (child_process).
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with dryRun=false, the agent may rewrite memory files and remove details that the user expected to keep.
The callable tool can switch from preview to actual compression through a single boolean, but the tool schema does not show a separate confirmation, target file list, backup option, or exclusion boundary.
"dryRun": { "type": "boolean", "default": true, "description": "true=仅预览不修改文件,false=执行实际压缩" }
Keep dryRun enabled by default, require explicit user confirmation before every write, show the exact files and diffs, and create backups before compression.
Installing the skill allows it to run local system-status commands, which may expose local machine metadata in reports.
The code uses child_process.exec to run local shell commands such as top, free, df, uptime, and ls. The shown commands are fixed rather than user-controlled, and they align with the advertised server-status report.
exec(commands[key], (err, stdout, stderr) => {
Verify that local shell execution is acceptable in your environment and restrict the skill to systems where these commands are expected.
Persistent memory notes can influence future optimization behavior; a bad or overbroad learned pattern could cause future memory to be compressed too aggressively.
The skill reads persistent self-improvement/reflection files and promotes stored patterns into future compression preferences, while also appending new reflections and corrections.
if (obj.status === 'Confirmed') { preferences.learnedPatterns.push(obj); }
Review self-improvement files before applying learned preferences, require user approval before promoting global preferences, and keep an audit trail with rollback.
The skill may read activity and memory metadata from other agents' workspaces, crossing agent data boundaries.
The code scans all OpenClaw agent entries and their workspace memory directories using hardcoded global paths, rather than limiting itself to the current workspace or an explicit user-selected agent.
const agentsDir = '/root/.openclaw/agents'; ... const workspacePath = `/root/.openclaw/workspace-${agentId}`; ... const memoryDir = path.join(workspacePath, 'memory');
Limit scanning to the current workspace by default, require explicit selection for other agents, and document what data is read from each agent.
The skill can keep operating on a schedule, potentially changing memory files or sending reports even when the user did not manually ask for that day's run.
The skill declares a daily scheduled action that performs memory optimization and sends a summary report, creating autonomous recurring behavior beyond a one-time user request.
cron:
  - expression: "0 8 * * *"
    action: "mem_optimize_daily"
    description: "每天上午 8 点执行记忆优化并发送每日总结"
Disable the cron job unless needed, make scheduled runs preview-only unless separately approved, and clearly show how to stop the scheduled task.