suspicious.dangerous_exec
- Location: cli/doctor.js:15
- Finding: Shell command execution detected (child_process).
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the recall server is running, a crafted request could run commands as the local user account.
The HTTP recall query is used to build a shell command passed to execSync. Escaping only quotes does not prevent shell substitutions such as $(), so a crafted query could execute local commands.
function executeRecall(query, options = {}) { ... const output = execSync(cmd, {
Do not expose or rely on the server until this is fixed. Replace execSync shell strings with execFile/spawn argument arrays and validate query input.
Other local processes, containers, or websites visited in a browser could query the recall API while it is running; if private access is enabled, this could expose private memories.
The memory search server allows any browser origin and exposes a recall endpoint without an authentication mechanism in the handler.
res.setHeader('Access-Control-Allow-Origin', '*'); ... if (pathname === '/recall' || pathname === '/api/recall') {
Keep the server disabled unless needed, bind only to localhost, restrict CORS, add an authentication token, and avoid enabling private queries on a network-accessible server.
Incorrect, sensitive, or poisoned memory entries may influence future agent responses or be surfaced in contexts where they were not intended.
The skill intentionally persists and automatically reuses indexed memory in future agent context.
When `autoRecall: true`, the plugin hooks into `before_agent_start` ... Injects results as `<relevant-memories>` context
Index only intended memory folders, review public/private tags, use publicOnly for sandboxed agents, and disable autoRecall if automatic context injection is not desired.
Future dependency versions could change behavior or introduce vulnerabilities when setup or repair commands install packages.
Setup installs unpinned Python packages from the package ecosystem, which is expected for this local RAG tool but still affects provenance and reproducibility.
run(`${pip} install --quiet chromadb sentence-transformers`);
Prefer pinned dependency versions or a reviewed lockfile, and run setup only from a trusted package source.