enterprise-security-suite

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may believe dangerous actions are blocked until approval, while an agent relying on this function could continue immediately.

Why it was flagged

The advertised high-risk confirmation function only prints a confirmation request and then returns success. It does not read the user's reply or check CONFIRM_KEYWORDS, despite SKILL.md claiming high-risk operations require explicit confirmation.

Skill content
console.log(`请回复:"确认"/"Y"/"是" 继续。\n`);
return true;
Recommendation

Implement a real blocking approval flow that waits for user input, validates the allowed confirmation words, and returns false or throws when confirmation is absent.

What this means

The skill-install safety check may give users false confidence that high-risk skills will be rejected automatically.

Why it was flagged

The documented high-risk blocking example checks result.risk, but modules/security-check.js returns overallRisk instead. Code following the documentation would not block high-risk skills as shown.

Skill content
if (result.risk === 'high') {
  throw new Error('高风险技能,拒绝安装');
}
Recommendation

Align the API and documentation, for example by returning risk as documented or updating all examples to check overallRisk.

What this means

The skill can change the agent's future behavior until those memory entries are removed or overwritten.

Why it was flagged

The activation script persists decision-category memory entries that future agent sessions may trust and reuse.

Skill content
INSERT INTO memories (agent, category, key, content, importance) VALUES ('Cloud', '${mem.category}', '${mem.key}', ...)
Recommendation

Review the exact memory keys before activation and provide a clear uninstall or disable procedure for removing them.

What this means

Running activation can modify local OpenClaw memory state and may fail or behave unexpectedly if the assumed Docker container/database is different.

Why it was flagged

Manual activation executes a shell command that writes directly to the local memory database. This is disclosed and purpose-aligned, but it is a powerful operation and Docker is not declared as a requirement.

Skill content
execSync(`docker exec -i pgmemory psql -U openclaw -d openclaw -c "${sql}"`, { stdio: 'pipe' });
Recommendation

Run the activation script only after reviewing it; prefer a scoped official memory API and declare required binaries/services.

What this means

Users have less assurance about origin and may not realize the activation step needs local runtime tools.

Why it was flagged

The package lacks clear provenance and under-declares setup requirements even though SKILL.md instructs running Node code and activate.js invokes Docker.

Skill content
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Required binaries: none
Recommendation

Install only from a trusted source, add a homepage/repository, and declare Node/Docker or database assumptions explicitly.

Findings (1)

critical

suspicious.dangerous_exec

Location: activate.js:55

Finding: Shell command execution detected (child_process).