Quick Test
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A command-running diagnostic skill can read or modify local files if a powerful command is supplied.
The skill documentation advertises custom local command execution. This is aligned with an environment-debugging skill, but it is a broad capability if used without user direction.
`--command` | Custom command to execute ... `--command "ls -la"`
Use it only for simple, user-approved diagnostic commands and avoid running destructive or sensitive commands through this skill.
Running the script executes local system commands in the OpenClaw environment.
The script invokes commands through the local shell. Shell execution is expected for this diagnostic purpose, but it is still a sensitive capability.
`subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)`
Review commands before running and keep this skill limited to diagnostics.
Sensitive environment values could appear in the agent conversation or logs if present near the beginning of the environment output.
The default test captures environment-variable output and later prints part of command stdout. Environment variables can sometimes contain API keys or other secrets, even though no external transmission is shown.
`tests.append(run_command(['env', 'head -5'], 'Environment variables'))`
Avoid running this in environments with secrets in environment variables, or remove/redact the environment-variable test before use.
The skill may overstate what it actually verified, such as file-write behavior.
The script reports diagnostic test results based mainly on command return codes, and its shell invocation style may not execute arguments exactly as the displayed joined command suggests. This is more of a reliability caveat than malicious behavior.
`tests.append(run_command(['echo', 'Quick test passed', '>', '/tmp/quick_test.txt'], 'File write test'))`
Treat the output as a rough smoke test, not a comprehensive or security-grade validation of the environment.
