critical
suspicious.generated_source_template_injection
- Location
- SECURITY.md:120
- Finding
- User-controlled placeholder is embedded directly into generated source code.
Clawhub Manager
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.generated_source_template_injection
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernMedium Confidence
ASI02: Tool Misuse and ExploitationWhat this means
Running the test script could use the logged-in ClawHub account to attempt a live publish of a temporary test skill or otherwise hit the real publish path unexpectedly.
Why it was flagged
The security test runs the real publish script against a temporary test skill rather than a scan-only helper. Since publish.sh is the live publishing workflow, this can reach ClawHub publication behavior from a test command.
Skill content
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/publish.sh "$TEST_DIR/safe-skill" --version 1.0.0 2>&1 | grep -q "安全扫描通过"
Recommendation
Do not run test-security-scan.sh unless you are prepared for possible live ClawHub side effects; maintainers should change it to use security-check.sh or add an explicit --dry-run/--scan-only mode.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
A chosen local skill directory may be uploaded/published to ClawHub under the current account.
Why it was flagged
The main publish script directly delegates to clawhub publish for the user-supplied skill directory. This is expected for the skill, but it is a high-impact external action.
Skill content
PUBLISH_CMD=(clawhub publish "$SKILL_PATH" --version "$VERSION")
Recommendation
Before publishing, confirm the directory, version, slug, changelog, and logged-in ClawHub account; avoid broad or private directories.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
Commands can change resources associated with the active ClawHub account.
Why it was flagged
The skill explicitly relies on an authenticated ClawHub session for publish/delete operations. No direct token handling is shown, but actions run with the logged-in account's authority.
Skill content
发布和删除技能需要登录 ClawHub
Recommendation
Use a trusted clawhub CLI session and verify which account is logged in before invoking publish or delete.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
Behavior depends on the local clawhub and jq binaries available in the environment.
Why it was flagged
The skill delegates important behavior to locally installed binaries. This is normal for a CLI wrapper, but users need to trust the installed tools.
Skill content
- `clawhub` CLI 工具 - `jq` (JSON 处理,用于 --json 输出)
Recommendation
Install clawhub and jq from trusted sources and keep them updated; verify the clawhub binary before using this manager.
Findings (2)
critical
suspicious.generated_source_template_injection
- Location
- SKILL.md:112
- Finding
- User-controlled placeholder is embedded directly into generated source code.