feapder

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dynamic_code_execution

Artifact-based, informational review of SKILL.md, metadata, install specs, static-scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so every finding below describes a pattern in the shipped files, not observed behaviour.

What this means

If a project runs this kind of code against attacker-controlled Redis/MySQL task data, a crafted task string is evaluated as arbitrary Python inside the spider process.

Why it was flagged

The vendored feapder reference implementation contains dynamic evaluation of task data. It is not auto-run by this instruction-only skill, but it is an unsafe pattern if the upstream code or copied logic processes untrusted task strings.

Skill content
tasks = [eval(task) for task in tasks]
Recommendation

Do not copy eval-based parsing into new spider code. Prefer json.loads for JSON-encoded tasks or ast.literal_eval for Python-literal tasks (neither can execute code, but the parsed value still needs a shape check before it becomes a request), and only run feapder 1.9.2 task/debug flows against trusted data or patched code.
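The difference between the flagged line and the recommended replacement, as an added example (not code from the feapder project or from this skill): the same constructed task strings are fed through eval() and through ast.literal_eval / json.loads, and a schema check is applied after parsing. The task shape (int id, str url) and the sample rows are assumptions made for the example.

```python
import ast
import json

# Constructed sample task strings, as a BatchSpider/TaskSpider might read them
# back from a MySQL task_table or a Redis list. The last one stands in for an
# attacker-controlled row; it is a harmless expression chosen so the effect is visible.
SAMPLE_TASKS = [
    "(1, 'https://example.com/page/1')",
    "(2, 'https://example.com/page/2')",
    "(lambda: 'executed')()",
]


def parse_tasks_unsafe(tasks):
    """The flagged upstream pattern: each task string is evaluated as Python.

    Any expression in the string runs, so a row an attacker can write into the
    task table becomes code execution inside the spider process.
    """
    return [eval(task) for task in tasks]


def parse_tasks_safe(tasks, loader=ast.literal_eval):
    """Parse task strings with a loader that cannot execute code.

    ast.literal_eval accepts only Python literals (tuples, lists, dicts, numbers,
    strings, booleans, None); json.loads is the equivalent for JSON-encoded rows.
    Returns (accepted, rejected) so bad rows can be logged and marked failed
    instead of crashing the spider or silently executing.
    """
    accepted, rejected = [], []
    for task in tasks:
        try:
            value = loader(task)
        except (ValueError, SyntaxError, TypeError):
            rejected.append(task)
            continue
        accepted.append(value)
    return accepted, rejected


def task_to_request_args(value):
    """Shape check after parsing (assumed schema: a task is (int id, str url)).

    Parsing as a literal is not enough on its own; the structure still has to be
    validated before it is turned into a request.
    """
    if not (isinstance(value, (tuple, list)) and len(value) == 2):
        raise ValueError(f"task has wrong shape: {value!r}")
    task_id, url = value
    if not isinstance(task_id, int) or not isinstance(url, str):
        raise ValueError(f"task has wrong field types: {value!r}")
    if not url.startswith(("http://", "https://")):
        raise ValueError(f"task url is not http(s): {url!r}")
    return {"task_id": task_id, "url": url}


if __name__ == "__main__":
    print("eval:", parse_tasks_unsafe(SAMPLE_TASKS))
    ok, bad = parse_tasks_safe(SAMPLE_TASKS)
    print("literal_eval accepted:", ok)
    print("literal_eval rejected:", bad)
    print("json.loads:", parse_tasks_safe(['{"id": 1}', SAMPLE_TASKS[2]], loader=json.loads))
```

With eval() the third row returns the string 'executed', i.e. the lambda ran; with either safe loader the same row lands in the rejected list and the two well-formed rows are returned as tuples, which task_to_request_args then checks before they are used.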

What this means

Running generated batch crawler code against the wrong database or Redis namespace could mark many tasks complete or failed incorrectly.

Why it was flagged

The documented BatchSpider workflow includes updating task state in backing storage. This is expected for feapder batch crawlers, but it is still a database/queue mutation when generated code is run.

Skill content
yield self.update_task_batch(request.task_id, 1) # update task state to 1
Recommendation

Review redis_key, task_table, task_state, and database settings before running generated spiders, and test against a non-production environment first.
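One way to make that review a hard gate, as an added example that is not part of the skill or of feapder: a preflight check over the storage settings plus a recorder that stands in for update_task_batch on a first dry run. The settings keys are named after feapder's settings module as I recall them (MYSQL_IP, MYSQL_DB, REDISDB_DB), the "test_" naming convention is an assumption, and the state values other than 1 = done (taken from the page's snippet) are assumptions as well.

```python
import re

# Constructed settings in the shape of feapder's settings keys; values are made up.
STAGING_SETTINGS = {"MYSQL_IP": "db.staging.internal", "MYSQL_DB": "crawler_test", "REDISDB_DB": 3}
PROD_SETTINGS = {"MYSQL_IP": "db.internal", "MYSQL_DB": "crawler_prod", "REDISDB_DB": 0}

# Assumption: non-production keys and tables carry this prefix; adjust to local convention.
NON_PROD_PREFIX = "test_"
PROD_PATTERN = re.compile(r"prod", re.IGNORECASE)


def preflight_batch_run(settings, redis_key, task_table, task_state, allow_prod=False):
    """Return the reasons a BatchSpider should not start; an empty list means go.

    Every argument names a storage target the spider will mutate, so each one is
    checked against the non-production convention before any task row is touched.
    """
    problems = []
    host, db = str(settings.get("MYSQL_IP", "")), str(settings.get("MYSQL_DB", ""))
    if not allow_prod and (PROD_PATTERN.search(host) or PROD_PATTERN.search(db)):
        problems.append(f"MySQL settings point at production: {host}/{db}")
    for label, value in (("redis_key", redis_key), ("task_table", task_table)):
        if not allow_prod and not str(value).startswith(NON_PROD_PREFIX):
            problems.append(f"{label}={value!r} lacks the {NON_PROD_PREFIX!r} prefix")
    # task_state is interpolated into SQL by batch spiders, so it must be a plain column name.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", task_state):
        problems.append(f"task_state={task_state!r} is not a plain column name")
    return problems


class DryRunTaskState:
    """Stand-in for update_task_batch that records intended state changes.

    Route the generated spider's task updates here on the first run; summary()
    shows how many rows would be marked before the real table is touched.
    Assumed state values: 1 = done (from the page's snippet), -1 = failed, 0 = not started.
    """
    ALLOWED_STATES = {-1, 0, 1}

    def __init__(self):
        self.changes = []

    def update_task_batch(self, task_id, state):
        if state not in self.ALLOWED_STATES:
            raise ValueError(f"unexpected task state {state!r} for task {task_id!r}")
        self.changes.append((task_id, state))

    def summary(self):
        counts = {}
        for _, state in self.changes:
            counts[state] = counts.get(state, 0) + 1
        return counts


def dry_run_demo(task_ids, failed_ids=()):
    """Replay a batch against the recorder and return the would-be state counts."""
    recorder = DryRunTaskState()
    for task_id in task_ids:
        recorder.update_task_batch(task_id, -1 if task_id in failed_ids else 1)
    return recorder.summary()


if __name__ == "__main__":
    print(preflight_batch_run(STAGING_SETTINGS, "test_batch", "test_batch_task", "state"))
    print(preflight_batch_run(PROD_SETTINGS, "batch", "batch_task", "state"))
    print(dry_run_demo([1, 2, 3], failed_ids={2}))
```

The production settings fail on three counts (database name, redis_key, task_table), the staging settings pass, and the dry run reports two tasks that would be marked done and one failed without any row having been written.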

What this means

Copying authenticated browser curl commands into prompts, scripts, or shell history can expose session cookies.

Why it was flagged

The debugging documentation shows raw curl commands that may include session cookies. This is a normal crawler-debugging technique, but cookies are sensitive credentials: anyone holding the copied Cookie header can act as the logged-in user until the session expires.

Skill content
feapder shell --curl 'https://www.baidu.com/' ... -H 'Cookie: PSTM=...; BDUSS=...'
Recommendation

Redact cookies and authorization headers before sharing prompts or committing code, and use temporary test sessions when debugging authenticated pages.
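A small checker for that recommendation, as an added example that is not part of the skill or of feapder: it scans a copied curl / feapder shell command for credential-bearing headers and rewrites the command with those values masked, so the redacted form is what goes into a prompt, a script or a commit. The sample command is constructed in the shape the page shows, with made-up cookie and token values; the header list is an assumption to extend per site.

```python
import shlex

# Header names whose values are credentials. Assumption for this example; extend
# it for site-specific tokens (e.g. X-CSRF-Token) as needed.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-api-key", "proxy-authorization"}

# Constructed sample in the shape of the page's debugging command; values are made up.
SAMPLE_COMMAND = (
    "feapder shell --curl 'https://www.baidu.com/' "
    "-H 'User-Agent: Mozilla/5.0' "
    "-H 'Cookie: PSTM=1700000000; BDUSS=example-session-value' "
    "-H 'Authorization: Bearer example-bearer-token' "
    "--compressed"
)


def _header_name(header):
    """Return the header name from 'Name: value', or None if there is no colon."""
    name, sep, _ = header.partition(":")
    return name.strip() if sep else None


def _redact_header(header):
    """Mask the value of a 'Name: value' header when the name is sensitive."""
    name = _header_name(header)
    if name is not None and name.lower() in SENSITIVE_HEADERS:
        return f"{name}: [REDACTED]"
    return header


def _iter_headers(tokens):
    """Yield header strings given via -H/--header (separate or --header= form)."""
    for i, tok in enumerate(tokens):
        if tok in ("-H", "--header") and i + 1 < len(tokens):
            yield tokens[i + 1]
        elif tok.startswith("--header="):
            yield tok[len("--header="):]


def find_sensitive_headers(command):
    """Names of credential-bearing headers in the command; non-empty means do not share as-is."""
    names = (_header_name(h) for h in _iter_headers(shlex.split(command)))
    return [n for n in names if n is not None and n.lower() in SENSITIVE_HEADERS]


def redact_curl(command):
    """Rewrite a copied curl / feapder shell command with credentials masked.

    Handles -H/--header (both forms) and curl's -b/--cookie. The result is
    re-quoted with shlex.quote so it is still a valid command line.
    """
    tokens = shlex.split(command)
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--header") and i + 1 < len(tokens):
            out += [tok, _redact_header(tokens[i + 1])]
            i += 2
        elif tok.startswith("--header="):
            out.append("--header=" + _redact_header(tok[len("--header="):]))
            i += 1
        elif tok in ("-b", "--cookie") and i + 1 < len(tokens):
            out += [tok, "[REDACTED]"]
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(shlex.quote(t) for t in out)


if __name__ == "__main__":
    print(find_sensitive_headers(SAMPLE_COMMAND))
    print(redact_curl(SAMPLE_COMMAND))
```

On the sample command the checker reports Cookie and Authorization, and the rewritten command keeps the URL and User-Agent intact while the cookie and bearer values are replaced by [REDACTED].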

Findings (2)

critical

suspicious.dynamic_code_execution

Location
references/vendor/feapder-1.9.2/feapder/core/spiders/task_spider.py:360
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
references/vendor/feapder-1.9.2/feapder/network/request.py:527
Finding
Dynamic code execution detected.