critical
suspicious.dangerous_exec
- Location
- hooks/gateway-restart-protection/handler.js:57
- Finding
- Shell command execution detected (child_process).
Playwright Dev
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+2 more)
Findings (27)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
Installing it may bring in many unrelated files and scripts that a user would not expect from an image-generation skill.
Why it was flagged
The package is described as instruction-only, but it contains a large code/workspace payload. That makes provenance and runtime scope unclear for a simple image-generation skill.
Skill content
No install spec — this is an instruction-only skill. Code file presence: 93 code file(s). File manifest: 615 file(s).
Recommendation
Require a repackaged skill containing only the declared SKILL.md and necessary image-generation helper script, with dependencies and credentials explicitly declared.
ConcernHigh Confidence
ASI01: Agent Goal HijackWhat this means
If these instructions are loaded, the agent could change its behavior beyond the user’s request to generate or edit images.
Why it was flagged
This is a broad instruction set that tells an agent to prioritize local identity/memory files and act without asking, which is unrelated to the image-generation task.
Skill content
Before doing anything else: 1. Read `SOUL.md` ... 2. Read `USER.md` ... 3. Read `memory/YYYY-MM-DD.md` ... Don't ask permission. Just do it.
Recommendation
Remove workspace-level agent instructions from the skill package and keep only instructions needed for the declared image workflow.
ConcernHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
The package may expose or rely on privileged accounts that the user did not approve and that are not needed for image generation.
Why it was flagged
The included file visibly contains hardcoded third-party API keys and Feishu app credentials. These credentials are unrelated to the declared Gemini image-generation purpose.
Skill content
"SERPER_API_KEY": "4312...", "DASHSCOPE_API_KEY": "sk-...", "appSecret": "t0am...", "verificationToken": "xi9..."
Recommendation
Revoke exposed secrets, remove all credential-bearing files, and declare only the expected GEMINI_API_KEY credential for the image API.
ConcernMedium Confidence
ASI05: Unexpected Code ExecutionWhat this means
Unexpected scripts in the package could run local commands if invoked by other included instructions or tooling.
Why it was flagged
Static scan evidence shows shell execution in an autonomous-thinking script that is not part of the declared image-generation workflow.
Skill content
execSync(`node "${tripleSyncScript}" "${htmlFile}" "${theme}" "${insights}"`, {Recommendation
Remove unrelated executable scripts or provide a clear, reviewed install/runtime contract showing they cannot be invoked by the image skill.
ConcernHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
Private or stale memory content could be read, reused, or modified across tasks without clear user control.
Why it was flagged
The package includes instructions for persistent memory access and modification, plus many memory/profile files in the manifest. That is unrelated to image generation and can affect future agent context.
Skill content
Daily notes: `memory/YYYY-MM-DD.md` ... Long-term: `MEMORY.md` ... You can read, edit, and update MEMORY.md freely
Recommendation
Do not bundle personal memory systems with this skill; if memory is needed, scope it narrowly and document retention, paths, and approval.
ConcernMedium Confidence
ASI10: Rogue AgentsWhat this means
The agent may continue doing background or proactive work unrelated to the user’s image request if these instructions are active.
Why it was flagged
The artifact describes proactive recurring behavior and autonomous actions, including committing/pushing changes, which is outside the declared image-generation scope.
Skill content
When you receive a heartbeat poll ... Use heartbeats productively ... Proactive work you can do without asking: ... Commit and push your own changes
Recommendation
Remove heartbeat/proactive-agent instructions from the package and require explicit user approval for any persistent or autonomous behavior.
Findings (27)
critical
suspicious.dangerous_exec
- Location
- scripts/autonomous-thinking.js:193
- Finding
- Shell command execution detected (child_process).
critical
suspicious.dangerous_exec
- Location
- scripts/triple-line-sync.js:49
- Finding
- Shell command execution detected (child_process).
critical
suspicious.dangerous_exec
- Location
- skills/send-html-to-feishu/scripts/run.js:41
- Finding
- Shell command execution detected (child_process).
critical
suspicious.dynamic_code_execution
- Location
- skills/skill-vetting/scripts/scan.py:22
- Finding
- Dynamic code execution detected.
critical
suspicious.env_credential_access
- Location
- skills/send-html-to-feishu/scripts/send-to-feishu.js:11
- Finding
- Environment variable access combined with network send.
critical
suspicious.exposed_secret_literal
- Location
- memory/2026-03-08.md:1773
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- memory/2026-03-14.md:55
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- reports/aliyun-embedding-analysis.md:12
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- scripts/debug-search-step.py:21
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- scripts/vectorize-and-store.py:19
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- scripts/vectorize-optimized.py:24
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- search_knowledge.py:22
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- skills/rag_search/TASK_COMPLETION_REPORT.md:178
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- skills/tts-automation/SKILL.md:96
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- test_semantic_search.py:16
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- test_vectorization.py:12
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- test-embedding-api.py:4
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- test-embedding-compare.py:16
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- test-vector-knowledge-flow.py:17
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- vector_query - 副本.py:22
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- vector_query.py:22
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- vectorize_all - 副本.py:27
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- vectorize_all.py:27
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- vectorize_content.py:25
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- vectorize_knowledge.py:27
- Finding
- File appears to expose a hardcoded API secret or token.
warn
suspicious.prompt_injection_instructions
- Location
- skills/skill-vetting/references/patterns.md:108
- Finding
- Prompt-injection style instruction pattern detected.