suspicious.dynamic_code_execution
- Location: assets/templates/image_classification.py:105
- Finding: Dynamic code execution detected.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.dynamic_code_execution
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed experiment plan could influence the generated Python project; if the user runs it without review, unintended code could run.
Fields parsed from the uploaded experiment plan are embedded into generated Python source. This is central to the skill's code-generation purpose, but generated code should be reviewed before being run, especially for plans from untrusted sources.
`backbone_match = re.search(r'backbone[:\\s]+(.+)', m_text)` ... `model_name = "{model_info.get('backbone', 'resnet18')}"`
Use trusted experiment plans, review generated files before execution, and prefer escaping or allowlisting parsed values such as model names in future versions.
Some advertised generation paths may not work as expected, or may require files that were not included in the reviewed artifact set.
The skill references templates and a training-best-practices document that are not present in the supplied manifest, which may make parts of the advertised functionality incomplete or dependent on code not reviewed here.
Text classification → `assets/templates/text_classification.py` ... Regression prediction → `assets/templates/regression.py` ... `references/training-best-practices.md`
Before relying on non-image templates, verify that all referenced files are present and review any additional files if they are supplied later.