suhe

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generated images and captions may be posted to a channel or contact if the agent uses this workflow.

Why it was flagged

The skill can send generated media to messaging channels. This is consistent with its stated selfie-sending purpose, but users should be aware that it can post content externally.

Skill content

openclaw message send \
  --action send \
  --channel "<TARGET_CHANNEL>" \
  --message "<CAPTION_TEXT>" \
  --media "<IMAGE_URL>"

Recommendation

Confirm the destination channel, caption, and image URL before sending, especially for group or public channels.

What this means

A user could grant cloud-storage write access beyond what they expect from a selfie-generation skill, and generated images may be uploaded to an external/public storage path.

Why it was flagged

The workflow uses Aliyun OSS access credentials and a default bucket/domain upload path, but the registry metadata declares no required environment variables or primary credential.

Skill content

accessKeyId: process.env.ALIYUN_ACCESS_KEY_ID,
accessKeySecret: process.env.ALIYUN_ACCESS_KEY_SECRET,
bucket: process.env.ALIYUN_OSS_BUCKET || 'zhw-pic-png'

Recommendation

Use least-privilege credentials, verify the OSS bucket/domain before upload, and install only if you understand all required credentials.

What this means

A user expecting an instruction-only selfie skill may instead follow an installer that changes their OpenClaw workspace and installed skills.

Why it was flagged

Although the registry says there is no install spec, the artifacts document a local installer path that users can run and that is not represented in the registry requirements.

Skill content

git clone https://github.com/lilozhao/suhe ~/.openclaw/suhe.birth
cd ~/.openclaw/suhe.birth
node bin/cli.js

Recommendation

Treat this as a full local installer/template, review the repository contents first, and back up OpenClaw files before running the CLI.

What this means

The skill can persistently reshape the agent’s identity, memory, user profile, and future behavior beyond a single selfie request.

Why it was flagged

The installer copies and writes persistent workspace context, including identity and user files, into the global OpenClaw workspace.

Skill content

copyDir(workspaceSrc, OPENCLAW_WORKSPACE, false);
...
fs.writeFileSync(identityPath, identityContent);
...
fs.writeFileSync(userPath, userContent);

Recommendation

Install in an isolated OpenClaw profile or review and back up ~/.openclaw/workspace before applying these files.

Note (Medium Confidence)

ASI10: Rogue Agents

What this means

If adopted as agent instructions, the template may encourage ongoing self-maintenance behavior across sessions.

Why it was flagged

The documentation describes recurring self-state and memory maintenance. No scheduler code is shown, so this is a persistence-related note rather than evidence of an autonomous background process.

Skill content

Heartbeat check

Every 30 minutes, check:
- Self-state update
- Commitment tracking
- Memory maintenance

Recommendation

Review heartbeat and memory-maintenance instructions and disable or edit them if you only want the selfie function.

Findings (3)

critical

suspicious.dangerous_exec

Location
bin/cli.js:151
Finding
Shell command execution detected (child_process).
critical

suspicious.env_credential_access

Location
scripts/suhe-selfie.ts:127
Finding
Environment variable access combined with network send.
critical

suspicious.env_credential_access

Location
skill/scripts/suhe-selfie.ts:127
Finding
Environment variable access combined with network send.