考公备考追踪 (Civil Service Exam Prep Tracker)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This study tracker is mostly purpose-aligned, but users should review it because screenshots may be sent to configured AI/model or Feishu services despite local-only privacy wording.

Install only if you are comfortable with local storage of study records and screenshots, local Python execution for Excel export, and possible upload of image/caption content to your configured AI model provider. If using Feishu sync, use a least-privilege app and confirm that the document is the intended destination.

Static analysis

Dangerous exec
Severity: Critical
Finding: Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
Severity: Medium
What this means

A user may send exam screenshots believing they remain local, while the image content may be processed by an external AI model provider.

Why it was flagged

The skill simultaneously describes automatic multimodal model use for images and claims screenshots are not uploaded to any cloud except Feishu. If the configured multimodal model is a cloud provider, screenshots leave the local machine, so the privacy framing is materially under-disclosed.

Skill content
Image messages also trigger it, automatically calling the multimodal model for recognition ... All data (including screenshot base64) is stored locally and is not uploaded to any cloud (except for Feishu sync...)
Recommendation

Revise the privacy text to clearly state when screenshots/captions are sent to the configured model provider, and consider asking for explicit confirmation before the first image upload.

ASI07: Insecure Inter-Agent Communication
Severity: Medium
What this means

Screenshots, annotations, and question content may be sent outside the local skill environment for recognition.

Why it was flagged

Image base64 and caption/prompt text are passed to an injected model call. The destination and retention policy depend on the user's configured model provider, but the skill metadata does not declare a data-sharing boundary.

Skill content
const raw    = await agentCall({ image: imageBase64, text: promptWithCaption });
Recommendation

Document the model-provider data flow in SKILL.md/README and metadata, including what image/text data is sent and how users can disable or approve it.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

If configured, the skill can upload selected wrong-question content and images to the user's Feishu document.

Why it was flagged

Optional Feishu sync requires app credentials and a document token, then uses them to obtain a tenant access token and write document/image blocks. This is disclosed and purpose-aligned, but grants third-party document-writing authority.

Skill content
"feishu_doc": { "enabled": true, "app_id": "cli_xxxxxx", "app_secret": "xxxxxxxx", "doc_token": "xxxxxx" }
Recommendation

Use a least-privilege Feishu app, restrict it to the intended document/workspace, and keep app_secret out of shared backups or logs.

ASI05: Unexpected Code Execution
Severity: Low
What this means

Exporting an Excel file depends on running local Python/openpyxl code and may fail or behave differently depending on the local Python environment.

Why it was flagged

The export flow dynamically writes and runs a temporary Python script to create an Excel file with images. This explains the static exec finding and is aligned with the Excel export feature, but it is still local code execution.

Skill content
fs.writeFileSync(tmpPy, pyScript, 'utf-8'); ... await runPython([tmpPy]); ... execFile(cmd, args, { timeout }, ...)
Recommendation

Keep the Python interpreter and dependencies trusted, and document openpyxl/Python requirements explicitly.

ASI06: Memory and Context Poisoning
Severity: Low
What this means

Wrong-question screenshots and study history remain on disk until the user deletes the skill data directory or exports/backups.

Why it was flagged

The skill persistently stores study records and raw screenshot data locally for future summaries, exports, and review reminders. This is central to the skill but creates retained local data.

Skill content
All data is stored as JSON in `~/.openclaw/skills/kaogong-study-tracker/data/` ... "raw_image_b64": "base64..."
Recommendation

Tell users how to view, delete, or back up the data directory, and consider a setting to avoid storing raw images.

ASI10: Rogue Agents
Severity: Low
What this means

The assistant may send scheduled reminders or summaries without a new user message if the user enables the cron job.

Why it was flagged

The skill supports optional scheduled proactive messages. This is disclosed and study-related, but it is persistent background behavior once configured.

Skill content
Step 7 (optional): scheduled push

Triggers `daily_summary.js` every day at 21:00 and automatically sends the day's summary.
Recommendation

Enable cron jobs only if wanted, and document how to disable the scheduled summary/review reminders.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Info
What this means

Installing optional dependencies pulls code from package repositories, which may change over time.

Why it was flagged

The skill references npm and optional pip dependencies, using a semver range for the npm package and unpinned pip installs. These are normal for local tooling but are external dependency sources.

Skill content
"dependencies": { "xlsx": "^0.18.5" }, ... "setup:ocr": "pip install paddlepaddle paddleocr"
Recommendation

Pin dependency versions and provide a lockfile or verified install instructions for reproducible installation.