Network Scanner
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: network-scanner
Version: 1.1.0

The skill is classified as suspicious due to a command injection vulnerability in `scripts/scan.py`. The `subprocess.run` function is used with `shell=True` to execute `dig` commands, and the `--dns` argument (user-controlled input) is directly interpolated into the shell command string without proper sanitization. This allows an attacker to inject arbitrary shell commands by providing a crafted DNS server value (e.g., `--dns '8.8.8.8; rm -rf /'`). While the skill includes safety features to prevent accidental public network scanning, this specific vulnerability poses a significant risk for arbitrary code execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted DNS server or target value could cause the agent to run commands on the user's machine instead of only scanning the network.
The script runs shell commands and directly interpolates DNS server and CIDR values that the SKILL.md documents as user/configurable inputs. Shell metacharacters in those values could execute unintended local commands.
```python
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
...
cmd += f" @{dns_server}"
...
nmap_cmd = f"{sudo}nmap -sn -oX - {cidr} 2>/dev/null"
```

Replace `shell=True` with argument lists, validate DNS/CIDR values with `ipaddress` or equivalent parsing, and reject values containing shell syntax.
The scanner could accidentally attempt broader scans than expected or hang/crash on very large network ranges.
The advertised public-network protection checks only the first host rather than the whole CIDR and materializes all hosts before blocking. Unusual or very large CIDRs could bypass intended bounds or consume excessive resources.
```python
network = ipaddress.ip_network(cidr, strict=False)
# Get first host IP (skip network address)
test_ip = str(list(network.hosts())[0]) if network.num_addresses > 1 else str(network.network_address)
...
if not test_ip_obj.is_private:
```
Validate the entire target network, cap allowed CIDR sizes, avoid list(network.hosts()), and require explicit confirmation for large or configured-trusted ranges.
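A hardened version of the input handling and command construction covering both findings above, added to this review as an example (it is not the skill's own code); `MAX_HOSTS`, the function names and the `dig +short` invocation are assumptions:

```python
import ipaddress
import shutil
import subprocess

# Hardening example added to this review, not the skill's own code.
# MAX_HOSTS is an assumed cap; the skill does not define one.
MAX_HOSTS = 1024


def validate_dns_server(value: str) -> str:
    """Accept only a literal IP address; ip_address() rejects anything with shell syntax."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"invalid DNS server address: {value!r}") from None


def validate_cidr(value: str, max_hosts: int = MAX_HOSTS):
    """Parse the CIDR, require the whole range to be private, and cap its size.
    num_addresses is computed arithmetically, so no host list is materialized."""
    network = ipaddress.ip_network(value.strip(), strict=False)
    if not network.is_private:  # checks the whole network, not just the first host
        raise ValueError(f"refusing non-private range {network}")
    if network.num_addresses > max_hosts:
        raise ValueError(f"{network} exceeds the cap of {max_hosts} addresses")
    return network


def build_dig_argv(name: str, dns_server: str) -> list:
    """dig argument list; '@server' is one argv element and is never shell-parsed."""
    return ["dig", "+short", name, f"@{validate_dns_server(dns_server)}"]


def build_nmap_argv(cidr: str, use_sudo: bool = False) -> list:
    """nmap ping-sweep argument list over a validated, capped, private range."""
    argv = ["nmap", "-sn", "-oX", "-", str(validate_cidr(cidr))]
    return ["sudo"] + argv if use_sudo else argv


def run_argv(argv: list, timeout: int = 60) -> subprocess.CompletedProcess:
    """shell=False (the default): argv[0] is exec'd directly, metacharacters are inert.
    stderr is captured instead of the original '2>/dev/null' shell redirect."""
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError(f"{argv[0]} not found on PATH")
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    print(build_dig_argv("example.com", "1.1.1.1"))
    print(build_nmap_argv("192.168.1.0/24", use_sudo=True))
```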
Running scans with sudo may expose more local network information and can increase harm if command handling is abused.
Elevated privileges are disclosed and are purpose-aligned for ARP/MAC discovery, but they increase the impact of mistakes or unsafe command construction.
- `sudo` access recommended for MAC address discovery
Use `--no-sudo` unless MAC addresses are needed, and only run sudo scans for networks you own or administer.
