3D Pet Checkout Test

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.install_untrusted_source

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or invoking the skill could log into a specific bundled account rather than an account the user explicitly configured, and the credentials are exposed in the skill artifacts.

Why it was flagged

The bundled workflow contains real-looking default login credentials even though the registry declares no primary credential and SKILL.md says the email/password have no defaults.

Skill content
"email": "${JOYARTI_EMAIL:-BrittanyWalters2815@hotmail.com}",
"password": "${JOYARTI_PASSWORD:-rfkmj661555}"
Recommendation

Remove hardcoded credentials, require explicit user-provided test credentials, and declare the credential requirement in metadata.

What this means

Test status, account email, project IDs, product, and price details may be sent to a fixed chat that the user did not choose.

Why it was flagged

The workflow hardcodes a Feishu chat target and requires progress/final reports there, instead of using the user-configured `FEISHU_TARGET` described in SKILL.md.

Skill content
"messageTarget": {
  "action": "send",
  "channel": "feishu",
  "target": "chat:oc_0ed40afe795cdc22588f042a96bf3d9e"
}
Recommendation

Make the messaging destination user-configurable, declare it as required configuration if needed, and do not send reports unless the user has approved the destination.

What this means

The skill may execute package-managed code whose version and provenance are not pinned or reviewed in the provided artifacts.

Why it was flagged

The helper can invoke an unpinned `npx agent-browser` command at runtime, but the install metadata declares no required binaries or install mechanism.

Skill content
subprocess.Popen(
    ["npx", "agent-browser", "open", "about:blank"],
    stdout=subprocess.DEVNULL,
    stderr=subprocess.DEVNULL,
    cwd="/tmp",
)
Recommendation

Pin and declare the browser automation dependency, avoid runtime `npx` installation/execution, and document the required setup clearly.

What this means

A background browser automation process may remain running after the checkout test, which is broader than a one-shot upload helper.

Why it was flagged

The script explicitly starts a browser automation daemon when missing, and the provided code does not show stopping that daemon after the upload completes.

Skill content
"""
自动重试: 如果 daemon 不存在,自动启动后再重试(最多 2 次)。
"""
...
subprocess.Popen(["npx", "agent-browser", "open", "about:blank"], ... )
Recommendation

Ask for user approval before starting daemons, document the behavior, and stop or clean up the daemon when the test finishes.

What this means

The skill can operate an ecommerce account and browser session, though the documented flow says it should stop before payment.

Why it was flagged

The skill uses shell commands and browser automation to log in, upload an image, create a preview, and reach checkout; this is central to the stated test purpose and includes a no-payment safeguard.

Skill content
"exec 下载图片到 /tmp/openclaw/uploads/pet_image.jpg" ... "exec 运行 CDP 上传脚本" ... "禁止点击 Place order/Pay now"
Recommendation

Use only a dedicated test account, verify the image source and checkout actions before running, and keep the no-payment guard in place.

Findings (1)

warn

suspicious.install_untrusted_source

Location: references/workflow-3d-pet.json:149

Finding: Install source points to URL shortener or raw IP.