Task Monitor

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can reach port 3030 on the local network may be able to view OpenClaw session/task metadata and prompt-derived task descriptions.

Why it was flagged

The dashboard is intentionally reachable on the LAN and exposes internal agent/session data, including sub-agent descriptions, while the artifacts do not show authentication, authorization, or redaction.

Skill content
The server will start on port **3030** and be accessible on your local network. ... The dashboard exposes a JSON API endpoint ... "subagents": [ { "description": "Processing user request..." } ]
Recommendation

Bind to localhost by default, add authentication or an allowlist before LAN exposure, and clearly warn users what session data is served.

What this means

Private task prompts or sensitive details from session transcripts can appear in the dashboard or generated markdown.

Why it was flagged

The skill reads persistent OpenClaw session transcripts and turns the first user message into a displayed task description. This is purpose-aligned but may reuse sensitive prompt content.

Skill content
const transcriptPath = path.join(process.env.HOME, '.openclaw/agents/main/sessions', `${sessionId}.jsonl`); ... const firstMessage = JSON.parse(lines[0]); ... return text + (firstMessage.content.length > 80 ? '...' : '');
Recommendation

Add redaction, path/scope controls, and a clear warning that transcript-derived prompt snippets may be displayed.

What this means

The dashboard can read whatever session and cron information the local OpenClaw CLI can list.

Why it was flagged

The server runs local shell commands to query OpenClaw state. The commands are fixed and purpose-aligned, but they rely on the local OpenClaw CLI authority.

Skill content
await execAsync('openclaw sessions list --json', { timeout: 10000 }); ... await execAsync('openclaw cron list --json', { timeout: 10000 });
Recommendation

Run it only in an environment where exposing that local OpenClaw state is acceptable.

Note (High Confidence)
ASI10: Rogue Agents
What this means

The LAN-accessible dashboard may remain available after the initial session if the user forgets to stop it.

Why it was flagged

The server is started as a background process and records a PID file. This is disclosed and has a stop script, but it will continue running until stopped.

Skill content
nohup node "$SERVER_SCRIPT" >> "$LOG_FILE" 2>&1 &
echo $! > "$PID_FILE"
Recommendation

Stop the server when not in use and consider binding it to localhost unless LAN access is required.

What this means

Installing later could resolve to a different compatible Express release than the one originally tested.

Why it was flagged

The skill depends on an npm package using a semver range. This is normal for a Node/Express dashboard, but the artifact set does not include a lockfile or install spec.

Skill content
"dependencies": {
  "express": "^4.22.1"
}
Recommendation

Use a lockfile or pinned dependency versions for reproducible installs.

Findings (2)

critical

suspicious.dangerous_exec

Location
scripts/generate-dashboard.js:9
Finding
Shell command execution detected (child_process).
critical

suspicious.env_credential_access

Location
server.js:499
Finding
Environment variable access combined with network send.