OpenClaw Claude Delegate

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A delegated Claude run may take tool actions without the normal Claude Code approval prompts, especially if another OpenClaw agent dispatches the task.

Why it was flagged

The wrapper defaults delegated Claude runs to bypassPermissions unless the user overrides it.

Skill content

export CLAUDE_PERMISSION_MODE="${CLAUDE_PERMISSION_MODE:-bypassPermissions}"

Recommendation

Default to a safer permission mode, require explicit user opt-in for bypassPermissions, and only enable it for trusted, project-scoped tasks.

What this means

If the workspace profile is used, Claude Code could see or modify far more local files than the user may expect from a bounded delegation lane.

Why it was flagged

The built-in workspace profile grants the delegated worker the user's whole home directory rather than a narrow project root.

Skill content

"workspace": { "workdir": "${HOME}", "add_dirs": [ "${HOME}" ] }

Recommendation

Replace the default workspace profile with project-specific directories and avoid using ${HOME} as an add_dir unless the user explicitly wants home-wide access.

What this means

The runner account can inherit the user's/root's Claude session, so compromise or misuse of that account could affect the same Claude subscription and account authority.

Why it was flagged

The non-root setup helper copies root Claude credentials into the runner user's Claude credential store.

Skill content

ROOT_CLAUDE_CREDS="${ROOT_CLAUDE_CREDS:-/root/.claude/.credentials.json}" ... cp "$ROOT_CLAUDE_CREDS" "$RUNNER_HOME/.claude/.credentials.json"

Recommendation

Use a dedicated Claude credential for the runner, require explicit confirmation before syncing credentials, and document this as a sensitive credential requirement.

What this means

A malicious or stale instruction file in a workspace, parent directory, or add_dir could steer the delegated Claude worker while it has local tool authority.

Why it was flagged

The bootstrap prompt instructs Claude to ingest local instruction files from broad filesystem roots before acting.

Skill content

Before substantive work, discover and read every `CLAUDE.delegate.md` file ... from the current workdir, its ancestor directories, and any extra add-dir roots.

Recommendation

Keep add_dirs narrow, review local CLAUDE.delegate.md/AGENTS.md/TOOLS.md/README.md files in untrusted repos, and disable bootstrap with CLAUDE_DELEGATE_BOOTSTRAP=0 when needed.

What this means

This is a normal disclosed installer pattern, but it means the user is trusting the remote repository contents at install time.

Why it was flagged

The documented quick install runs a remote shell installer from GitHub.

Skill content

curl -fsSL https://raw.githubusercontent.com/StoicEnso/openclaw-claude-delegate/v0.2.6/install.sh | bash -s -- --version v0.2.6

Recommendation

Inspect the installer first, pin to a reviewed release, and prefer OpenClaw-native installation or a local clone when possible.

What this means

Running the npx/npm entrypoint will execute local installation shell code.

Why it was flagged

The npm bin executes the packaged install.sh script via bash.

Skill content

spawnSync('bash', [script, ...args.slice(1)], { stdio: 'inherit' });

Recommendation

Treat the npm entrypoint as an installer, not a passive command; inspect or pin the package before running it.

Note

High Confidence

ASI10: Rogue Agents

What this means

Delegated Claude jobs can continue running after dispatch and may consume budget or keep acting until checked or canceled.

Why it was flagged

The orchestrator is designed to start delegated Claude tasks asynchronously and manage them through poll/result/resume/cancel.

Skill content

# dispatch — Submit a task, get a handle back immediately ... # cancel — Kill a running task

Recommendation

Use list, poll, result, and cancel regularly; avoid allowing autonomous agents to dispatch long-running tasks without user approval.

Findings (1)

critical

suspicious.dangerous_exec

Location
bin/openclaw-claude-delegate.js:10
Finding
Shell command execution detected (child_process).